. */ declare(strict_types=1); namespace Fisharebest\Webtrees\Http\Middleware; use Fig\Http\Message\RequestMethodInterface; use Fisharebest\Webtrees\Auth; use Fisharebest\Webtrees\Http\Exceptions\HttpAccessDeniedException; use Fisharebest\Webtrees\Http\RequestHandlers\LoginPage; use Fisharebest\Webtrees\User; use Psr\Http\Message\ResponseInterface; use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use function redirect; use function route; /** * Middleware to restrict access to administrators. */ class AuthAdministrator implements MiddlewareInterface { /** * @param ServerRequestInterface $request * @param RequestHandlerInterface $handler * * @return ResponseInterface */ public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $user = $request->getAttribute('user'); // Logged in with the correct role? if (Auth::isAdmin($user)) { return $handler->handle($request); } // Logged in, but without the correct role? if ($user instanceof User || $request->getMethod() === RequestMethodInterface::METHOD_POST) { throw new HttpAccessDeniedException(); } // Not logged in. return redirect(route(LoginPage::class, ['url' => $request->getUri()])); } }