Restrict Users, Audit Logs, Security routes to super_admin only

- Sidebar: Users, Audit Logs and Security now only visible to super_admin
- AdminController: requireSuperAdmin() check on users() and auditLogs()
- AdminController: super_admin check on createUser, updateUser, deleteUser JSON endpoints
- securitySettings() already had the check in place
This commit is contained in:
2026-06-07 07:34:16 -04:00
parent 58be111745
commit 016584e907
2 changed files with 28 additions and 1 deletions

View File

@@ -23,8 +23,18 @@ class AdminController
$this->auditService = new AuditService();
}
private function requireSuperAdmin(): void
{
if (Session::get('user_role') !== 'super_admin') {
Session::setFlash('error', 'You do not have permission to access this page.');
$this->view->redirect('/dashboard');
}
}
public function users(): void
{
$this->requireSuperAdmin();
$page = (int) ($_GET['page'] ?? 1);
$users = $this->userModel->getAll($page, 20);
@@ -36,6 +46,10 @@ class AdminController
public function createUser(): void
{
if (Session::get('user_role') !== 'super_admin') {
$this->view->json(['success' => false, 'message' => 'Forbidden'], 403);
}
$validator = new Validator();
$rules = [
'username' => 'required|min:3|max:50|alphaNum',
@@ -77,6 +91,10 @@ class AdminController
public function updateUser(int $id): void
{
if (Session::get('user_role') !== 'super_admin') {
$this->view->json(['success' => false, 'message' => 'Forbidden'], 403);
}
$user = $this->userModel->findById($id);
if (!$user) {
@@ -117,6 +135,10 @@ class AdminController
public function deleteUser(int $id): void
{
if (Session::get('user_role') !== 'super_admin') {
$this->view->json(['success' => false, 'message' => 'Forbidden'], 403);
}
$user = $this->userModel->findById($id);
if (!$user) {
@@ -139,6 +161,11 @@ class AdminController
public function auditLogs(): void
{
if (Session::get('user_role') !== 'super_admin') {
Session::setFlash('error', 'You do not have permission to access this page.');
$this->view->redirect('/dashboard');
}
$page = (int) ($_GET['page'] ?? 1);
$action = $_GET['action'] ?? '';
$userId = $_GET['user_id'] ?? '';

View File

@@ -48,6 +48,7 @@
<span>Teams</span>
</a>
</li>
<?php if ($_SESSION['user_role'] ?? '' === 'super_admin'): ?>
<li class="nav-item">
<a href="/admin/users" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/users') ? 'active' : '' ?>">
<i class="fas fa-users"></i>
@@ -60,7 +61,6 @@
<span>Audit Logs</span>
</a>
</li>
<?php if ($_SESSION['user_role'] ?? '' === 'super_admin'): ?>
<li class="nav-item">
<a href="/admin/security" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/security') ? 'active' : '' ?>">
<i class="fas fa-shield-alt"></i>