From 404af756c97a45d68bf1a6da5092daccc16e02e2 Mon Sep 17 00:00:00 2001
From: br0kenpixel <23280129+br0kenpixel@users.noreply.github.com>
Date: Sat, 29 Nov 2025 19:35:34 +0100
Subject: [PATCH] fix: prevent non-admin users from managing API keys
---
 .../app/Http/Middleware/AdministratorOnly.php | 24 +++++++++++++++++++
 backend/routes/api.php | 5 ++--
 2 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 backend/app/Http/Middleware/AdministratorOnly.php
diff --git a/backend/app/Http/Middleware/AdministratorOnly.php b/backend/app/Http/Middleware/AdministratorOnly.php
new file mode 100644
index 0000000..81ae32b
--- /dev/null
+++ b/backend/app/Http/Middleware/AdministratorOnly.php
@@ -0,0 +1,24 @@
+user()->role !== 'ADMIN') {
+ return response(status: 403);
+ }
+
+ return $next($request);
+ }
+}
diff --git a/backend/routes/api.php b/backend/routes/api.php
index cc3c6ab..568f883 100644
--- a/backend/routes/api.php
+++ b/backend/routes/api.php
@@ -6,6 +6,7 @@ use App\Http\Controllers\ExternalApiController;
 use App\Http\Controllers\InternshipController;
 use App\Http\Controllers\StudentDataController;
 use App\Http\Controllers\InternshipStatusDataController;
+use App\Http\Middleware\AdministratorOnly;
 use App\Models\Company;
 use App\Models\StudentData;
 use Illuminate\Http\Request;
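Review bot: The role check in AdministratorOnly dereferences `$request->user()` without handling a missing user, so the middleware is only correct when `auth:sanctum` has already run, as the api.php route group arranges; registered on its own, an unauthenticated request would evaluate `->role` on `null`, which surfaces as a PHP warning (or, presumably, an exception under the framework's error handler) rather than a deliberate 403. The nullsafe operator makes the guard self-contained: `if ($request->user()?->role !== 'ADMIN') {`. The class and method header of this new file are not legible in this view (the hunk text starts mid-expression), so the `handle` signature could not be checked; a short docblock stating that the middleware must be ordered after an authentication middleware and responds 403 for any role other than `'ADMIN'` would help the next maintainer. The `'ADMIN'` literal is also a stringly-typed role; if the project has a role enum or a constant on the user model, comparing against that avoids drift between the middleware and the model.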
@@ -66,8 +67,8 @@ Route::prefix('/companies')->middleware("auth:sanctum")->group(function () {
 Route::delete("/{id}", [CompanyController::class, 'delete']);
 });
-Route::prefix('/external')->middleware("auth:sanctum")->group(function () {
- Route::prefix('/keys')->group(function () {
+Route::prefix('/external')->group(function () {
+ Route::prefix('/keys')->middleware(['auth:sanctum', AdministratorOnly::class])->group(function () {
 Route::get("/", [ExternalApiController::class, 'all_keys'])->name("api.external.keys.create");
 Route::put("/", [ExternalApiController::class, 'create_key'])->name("api.external.keys.list");
 Route::delete("/{id}", [ExternalApiController::class, 'destroy_key'])->name("api.external.keys.delete");
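Review bot: Moving `auth:sanctum` from the `/external` group to the `/keys` sub-group removes authentication from every other route registered in the `/external` closure, which continues past the end of this hunk; if any such routes exist they are now reachable without a Sanctum token, a change the commit message does not mention. If the intent is only to add the admin check to key management, keep the outer `->middleware("auth:sanctum")` and add just the new middleware on the inner group, `Route::prefix('/keys')->middleware(AdministratorOnly::class)->group(function () {`; if the other `/external` routes are deliberately unauthenticated, a comment on the group line saying so would make that explicit. The order in the middleware array also matters: `AdministratorOnly` reads the authenticated user and must stay after `auth:sanctum`. Unrelated to this change, the context lines name the GET route `api.external.keys.create` and the PUT route `api.external.keys.list`, which look swapped.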