Restrict Users, Audit Logs, Security routes to super_admin only

- Sidebar: Users, Audit Logs and Security now only visible to super_admin
- AdminController: requireSuperAdmin() check on users() and auditLogs()
- AdminController: super_admin check on createUser, updateUser, deleteUser JSON endpoints
- securitySettings() already had the check in place
This commit is contained in:
2026-06-07 07:34:16 -04:00
parent 58be111745
commit 016584e907
2 changed files with 28 additions and 1 deletions

View File

@@ -23,8 +23,18 @@ class AdminController
$this->auditService = new AuditService(); $this->auditService = new AuditService();
} }
private function requireSuperAdmin(): void
{
if (Session::get('user_role') !== 'super_admin') {
Session::setFlash('error', 'You do not have permission to access this page.');
$this->view->redirect('/dashboard');
}
}
public function users(): void public function users(): void
{ {
$this->requireSuperAdmin();
$page = (int) ($_GET['page'] ?? 1); $page = (int) ($_GET['page'] ?? 1);
$users = $this->userModel->getAll($page, 20); $users = $this->userModel->getAll($page, 20);
@@ -36,6 +46,10 @@ class AdminController
public function createUser(): void public function createUser(): void
{ {
if (Session::get('user_role') !== 'super_admin') {
$this->view->json(['success' => false, 'message' => 'Forbidden'], 403);
}
$validator = new Validator(); $validator = new Validator();
$rules = [ $rules = [
'username' => 'required|min:3|max:50|alphaNum', 'username' => 'required|min:3|max:50|alphaNum',
@@ -77,6 +91,10 @@ class AdminController
public function updateUser(int $id): void public function updateUser(int $id): void
{ {
if (Session::get('user_role') !== 'super_admin') {
$this->view->json(['success' => false, 'message' => 'Forbidden'], 403);
}
$user = $this->userModel->findById($id); $user = $this->userModel->findById($id);
if (!$user) { if (!$user) {
@@ -117,6 +135,10 @@ class AdminController
public function deleteUser(int $id): void public function deleteUser(int $id): void
{ {
if (Session::get('user_role') !== 'super_admin') {
$this->view->json(['success' => false, 'message' => 'Forbidden'], 403);
}
$user = $this->userModel->findById($id); $user = $this->userModel->findById($id);
if (!$user) { if (!$user) {
@@ -139,6 +161,11 @@ class AdminController
public function auditLogs(): void public function auditLogs(): void
{ {
if (Session::get('user_role') !== 'super_admin') {
Session::setFlash('error', 'You do not have permission to access this page.');
$this->view->redirect('/dashboard');
}
$page = (int) ($_GET['page'] ?? 1); $page = (int) ($_GET['page'] ?? 1);
$action = $_GET['action'] ?? ''; $action = $_GET['action'] ?? '';
$userId = $_GET['user_id'] ?? ''; $userId = $_GET['user_id'] ?? '';

View File

@@ -48,6 +48,7 @@
<span>Teams</span> <span>Teams</span>
</a> </a>
</li> </li>
<?php if ($_SESSION['user_role'] ?? '' === 'super_admin'): ?>
<li class="nav-item"> <li class="nav-item">
<a href="/admin/users" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/users') ? 'active' : '' ?>"> <a href="/admin/users" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/users') ? 'active' : '' ?>">
<i class="fas fa-users"></i> <i class="fas fa-users"></i>
@@ -60,7 +61,6 @@
<span>Audit Logs</span> <span>Audit Logs</span>
</a> </a>
</li> </li>
<?php if ($_SESSION['user_role'] ?? '' === 'super_admin'): ?>
<li class="nav-item"> <li class="nav-item">
<a href="/admin/security" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/security') ? 'active' : '' ?>"> <a href="/admin/security" class="nav-link <?= str_starts_with($_SERVER['REQUEST_URI'] ?? '', '/admin/security') ? 'active' : '' ?>">
<i class="fas fa-shield-alt"></i> <i class="fas fa-shield-alt"></i>