Restrict Users, Audit Logs, Security routes to super_admin only
- Sidebar: Users, Audit Logs and Security now only visible to super_admin - AdminController: requireSuperAdmin() check on users() and auditLogs() - AdminController: super_admin check on createUser, updateUser, deleteUser JSON endpoints - securitySettings() already had the check in place
This commit is contained in:
@@ -23,8 +23,18 @@ class AdminController
|
|||||||
$this->auditService = new AuditService();
|
$this->auditService = new AuditService();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private function requireSuperAdmin(): void
|
||||||
|
{
|
||||||
|
if (Session::get('user_role') !== 'super_admin') {
|
||||||
|
Session::setFlash('error', 'You do not have permission to access this page.');
|
||||||
|
$this->view->redirect('/dashboard');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public function users(): void
|
public function users(): void
|
||||||
{
|
{
|
||||||
|
$this->requireSuperAdmin();
|
||||||
|
|
||||||
$page = (int) ($_GET['page'] ?? 1);
|
$page = (int) ($_GET['page'] ?? 1);
|
||||||
$users = $this->userModel->getAll($page, 20);
|
$users = $this->userModel->getAll($page, 20);
|
||||||
|
|
||||||
@@ -36,6 +46,10 @@ class AdminController
|
|||||||
|
|
||||||
public function createUser(): void
|
public function createUser(): void
|
||||||
{
|
{
|
||||||
|
if (Session::get('user_role') !== 'super_admin') {
|
||||||
|
$this->view->json(['success' => false, 'message' => 'Forbidden'], 403);
|
||||||
|
}
|
||||||
|
|
||||||
$validator = new Validator();
|
$validator = new Validator();
|
||||||
$rules = [
|
$rules = [
|
||||||
'username' => 'required|min:3|max:50|alphaNum',
|
'username' => 'required|min:3|max:50|alphaNum',
|
||||||
@@ -77,6 +91,10 @@ class AdminController
|
|||||||
|
|
||||||
public function updateUser(int $id): void
|
public function updateUser(int $id): void
|
||||||
{
|
{
|
||||||
|
if (Session::get('user_role') !== 'super_admin') {
|
||||||
|
$this->view->json(['success' => false, 'message' => 'Forbidden'], 403);
|
||||||
|
}
|
||||||
|
|
||||||
$user = $this->userModel->findById($id);
|
$user = $this->userModel->findById($id);
|
||||||
|
|
||||||
if (!$user) {
|
if (!$user) {
|
||||||
@@ -117,6 +135,10 @@ class AdminController
|
|||||||
|
|
||||||
public function deleteUser(int $id): void
|
public function deleteUser(int $id): void
|
||||||
{
|
{
|
||||||
|
if (Session::get('user_role') !== 'super_admin') {
|
||||||
|
$this->view->json(['success' => false, 'message' => 'Forbidden'], 403);
|
||||||
|
}
|
||||||
|
|
||||||
$user = $this->userModel->findById($id);
|
$user = $this->userModel->findById($id);
|
||||||
|
|
||||||
if (!$user) {
|
if (!$user) {
|
||||||
@@ -139,6 +161,11 @@ class AdminController
|
|||||||
|
|
||||||
public function auditLogs(): void
|
public function auditLogs(): void
|
||||||
{
|
{
|
||||||
|
if (Session::get('user_role') !== 'super_admin') {
|
||||||
|
Session::setFlash('error', 'You do not have permission to access this page.');
|
||||||
|
$this->view->redirect('/dashboard');
|
||||||
|
}
|
||||||
|
|
||||||
$page = (int) ($_GET['page'] ?? 1);
|
$page = (int) ($_GET['page'] ?? 1);
|
||||||
$action = $_GET['action'] ?? '';
|
$action = $_GET['action'] ?? '';
|
||||||
$userId = $_GET['user_id'] ?? '';
|
$userId = $_GET['user_id'] ?? '';
|
||||||
|
|||||||
@@ -48,6 +48,7 @@
|
|||||||
<span>Teams</span>
|
<span>Teams</span>
|
||||||
</a>
|
</a>
|
||||||
</li>
|
</li>
|
||||||
|
<?php if ($_SESSION['user_role'] ?? '' === 'super_admin'): ?>
|
||||||
<li class="nav-item">
|
<li class="nav-item">
|
||||||
<a href="/admin/users" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/users') ? 'active' : '' ?>">
|
<a href="/admin/users" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/users') ? 'active' : '' ?>">
|
||||||
<i class="fas fa-users"></i>
|
<i class="fas fa-users"></i>
|
||||||
@@ -60,7 +61,6 @@
|
|||||||
<span>Audit Logs</span>
|
<span>Audit Logs</span>
|
||||||
</a>
|
</a>
|
||||||
</li>
|
</li>
|
||||||
<?php if ($_SESSION['user_role'] ?? '' === 'super_admin'): ?>
|
|
||||||
<li class="nav-item">
|
<li class="nav-item">
|
||||||
<a href="/admin/security" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/security') ? 'active' : '' ?>">
|
<a href="/admin/security" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/security') ? 'active' : '' ?>">
|
||||||
<i class="fas fa-shield-alt"></i>
|
<i class="fas fa-shield-alt"></i>
|
||||||
|
|||||||
Reference in New Issue
Block a user