From 016584e907392c3f35301667e1de86c70489b550 Mon Sep 17 00:00:00 2001 From: Agent Date: Sun, 7 Jun 2026 07:34:16 -0400 Subject: [PATCH] Restrict Users, Audit Logs, Security routes to super_admin only - Sidebar: Users, Audit Logs and Security now only visible to super_admin - AdminController: requireSuperAdmin() check on users() and auditLogs() - AdminController: super_admin check on createUser, updateUser, deleteUser JSON endpoints - securitySettings() already had the check in place --- src/Controllers/AdminController.php | 27 +++++++++++++++++++++++++++ views/layouts/main.php | 2 +- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/src/Controllers/AdminController.php b/src/Controllers/AdminController.php index 4eadbc3..9f276e5 100755 --- a/src/Controllers/AdminController.php +++ b/src/Controllers/AdminController.php @@ -23,8 +23,18 @@ class AdminController $this->auditService = new AuditService(); } + private function requireSuperAdmin(): void + { + if (Session::get('user_role') !== 'super_admin') { + Session::setFlash('error', 'You do not have permission to access this page.'); + $this->view->redirect('/dashboard'); + } + } + public function users(): void { + $this->requireSuperAdmin(); + $page = (int) ($_GET['page'] ?? 1); $users = $this->userModel->getAll($page, 20); @@ -36,6 +46,10 @@ class AdminController public function createUser(): void { + if (Session::get('user_role') !== 'super_admin') { + $this->view->json(['success' => false, 'message' => 'Forbidden'], 403); + } + $validator = new Validator(); $rules = [ 'username' => 'required|min:3|max:50|alphaNum', @@ -77,6 +91,10 @@ class AdminController public function updateUser(int $id): void { + if (Session::get('user_role') !== 'super_admin') { + $this->view->json(['success' => false, 'message' => 'Forbidden'], 403); + } + $user = $this->userModel->findById($id); if (!$user) { @@ -117,6 +135,10 @@ class AdminController public function deleteUser(int $id): void { + if (Session::get('user_role') !== 'super_admin') { + $this->view->json(['success' => false, 'message' => 'Forbidden'], 403); + } + $user = $this->userModel->findById($id); if (!$user) { @@ -139,6 +161,11 @@ class AdminController public function auditLogs(): void { + if (Session::get('user_role') !== 'super_admin') { + Session::setFlash('error', 'You do not have permission to access this page.'); + $this->view->redirect('/dashboard'); + } + $page = (int) ($_GET['page'] ?? 1); $action = $_GET['action'] ?? ''; $userId = $_GET['user_id'] ?? ''; diff --git a/views/layouts/main.php b/views/layouts/main.php index 6528b91..d191095 100755 --- a/views/layouts/main.php +++ b/views/layouts/main.php @@ -48,6 +48,7 @@ Teams + -