. */ declare(strict_types=1); namespace Fisharebest\Webtrees\Http\Middleware; use Fig\Http\Message\RequestMethodInterface; use Fisharebest\Webtrees\Auth; use Fisharebest\Webtrees\Exceptions\HttpAccessDeniedException; use Fisharebest\Webtrees\Http\RequestHandlers\LoginPage; use Fisharebest\Webtrees\Tree; use Fisharebest\Webtrees\User; use Psr\Http\Message\ResponseInterface; use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use function assert; use function redirect; use function route; /** * Middleware to restrict access to managers. */ class AuthManager implements MiddlewareInterface { /** * @param ServerRequestInterface $request * @param RequestHandlerInterface $handler * * @return ResponseInterface */ public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $tree = $request->getAttribute('tree'); assert($tree instanceof Tree); $user = $request->getAttribute('user'); // Logged in with the correct role? if (Auth::isManager($tree, $user)) { return $handler->handle($request); } // Logged in, but without the correct role? if ($user instanceof User || $request->getMethod() === RequestMethodInterface::METHOD_POST) { throw new HttpAccessDeniedException(); } // Not logged in. return redirect(route(LoginPage::class, ['tree' => $tree->name(), 'url' => $request->getUri()])); } }