diff --git a/app/Http/Controllers/NotificationController.php b/app/Http/Controllers/NotificationController.php
index f5a0676..db1c3d2 100644
--- a/app/Http/Controllers/NotificationController.php
+++ b/app/Http/Controllers/NotificationController.php
@@ -12,6 +12,8 @@ class NotificationController extends Controller
 {
 public function index(Request $request)
 {
+ abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
+
 $logs = NotificationLog::with(['targetUser', 'sender'])
 ->latest()
 ->paginate(10);
@@ -37,6 +39,8 @@ class NotificationController extends Controller
 public function store(Request $request)
 {
+ abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
+
 $validated = $request->validate([
 'title' => 'required|string|max:255',
 'body' => 'required|string',
diff --git a/app/Http/Controllers/RoleController.php b/app/Http/Controllers/RoleController.php
index 30ef74e..95522ac 100644
--- a/app/Http/Controllers/RoleController.php
+++ b/app/Http/Controllers/RoleController.php
@@ -11,6 +11,8 @@ class RoleController extends Controller
 {
 public function index()
 {
+ abort_if(!auth()->user()->can('role.view'), 403, 'Unauthorized. Role view permission required.');
+
 $order = ['super-admin' => 0, 'admin' => 1, 'user' => 2];
 $roles = Role::where('guard_name', 'web')
@@ -48,6 +50,8 @@ class RoleController extends Controller
 */
 public function updatePermissions(Request $request, Role $role)
 {
+ abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
+
 $validated = $request->validate([
 'permissions' => 'required|array',
 'permissions.*' => 'string|exists:permissions,name',
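Review bot: The new guards in NotificationController::index and ::store gate notification endpoints on the `role.manage` permission, so any user allowed to manage roles can also read the log and send notifications, and the 403 text `Role management permission required.` is misleading for this resource. Presumably this is a stand-in until a notifications-specific ability exists; a dedicated permission (name to be agreed) would keep the two capabilities separable under least privilege. Note also that the routes/web.php hunk further down leaves `/notifications` without a `can:` middleware, so this in-controller check is the only authorization layer for these endpoints, unlike the system-settings routes which now get both. Both method bodies continue outside their hunks.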
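Review bot: RoleController::updatePermissions now requires `role.manage`, but nothing in the hunk stops a holder of that permission from rewriting the permission set of any role, including the super-admin role, or from assigning the `role.manage` and `settings.manage` abilities that govern this very screen; destroy() in the following hunk protects the super-admin role by name, and the same guard belongs here, e.g. `if ($role->name === 'super-admin') { return back()->withErrors(['error' => 'Cannot modify the super-admin role.']); }`. The method body continues past the hunk, so such a guard may already exist further down; if it does, this is moot. Consider also documenting in the method's docblock which roles and permissions a non-super-admin may touch, since the validation rule `exists:permissions,name` alone accepts every permission in the table.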
@@ -64,6 +68,8 @@ class RoleController extends Controller
 */
 public function store(Request $request)
 {
+ abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
+
 $validated = $request->validate([
 'name' => 'required|string|max:50|unique:roles,name',
 ]);
@@ -81,6 +87,8 @@ class RoleController extends Controller
 */
 public function destroy(Role $role)
 {
+ abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
+
 if ($role->name === 'super-admin') {
 return back()->withErrors(['error' => 'Cannot delete the super-admin role.']);
 }
diff --git a/app/Http/Controllers/SystemSettingController.php b/app/Http/Controllers/SystemSettingController.php
index c3a1522..4ad07ed 100644
--- a/app/Http/Controllers/SystemSettingController.php
+++ b/app/Http/Controllers/SystemSettingController.php
@@ -15,7 +15,7 @@ class SystemSettingController extends Controller
 */
 public function index()
 {
- abort_if(!auth()->user()->hasRole('super-admin'), 403, 'Unauthorized. Super-Admin only.');
+ abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');
 $settings = Setting::all()->pluck('value', 'key');
@@ -73,7 +73,7 @@ class SystemSettingController extends Controller
 */
 public function update(Request $request)
 {
- abort_if(!auth()->user()->hasRole('super-admin'), 403, 'Unauthorized. Super-Admin only.');
+ abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');
 $validated = $request->validate([
 'settings' => 'required|array',
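Review bot: In SystemSettingController::index the rewritten `abort_if` resolves `auth()->user()` twice per request, and its `hasRole('super-admin')` branch can only matter if the request already passed the new `can:settings.manage` route middleware in routes/web.php, which a super-admin lacking that explicit permission would not, unless the application registers a `Gate::before` callback for super-admin (not visible in this diff). Either the controller check or the middleware is therefore redundant; if the in-controller check is kept as defence in depth, hoist the user once: `$user = auth()->user();` followed by `abort_if(!$user->hasRole('super-admin') && !$user->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');`. The same applies to the update hunk below and to the testEmail hunk on the next line. All three method bodies continue outside their hunks.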
@@ -140,7 +140,7 @@ class SystemSettingController extends Controller
 */
 public function testEmail(Request $request)
 {
- abort_if(!auth()->user()->hasRole('super-admin'), 403, 'Unauthorized. Super-Admin only.');
+ abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');
 $request->validate([
 'recipient' => 'required|email',
diff --git a/routes/web.php b/routes/web.php
index 3f493a5..b57e23a 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -38,10 +38,12 @@ Route::middleware(['auth', 'verified'])->group(function () {
 // Settings page
 Route::get('/settings', [SettingsController::class, 'index'])->name('settings.index');
- // System Settings (Super-Admin only)
- Route::get('/system-settings', [\App\Http\Controllers\SystemSettingController::class, 'index'])->name('system.settings.index');
- Route::patch('/system-settings', [\App\Http\Controllers\SystemSettingController::class, 'update'])->name('system.settings.update');
- Route::post('/system-settings/test-email', [\App\Http\Controllers\SystemSettingController::class, 'testEmail'])->name('system.settings.test-email');
+ // System Settings (Super-Admin / settings.manage)
+ Route::middleware('can:settings.manage')->group(function () {
+ Route::get('/system-settings', [\App\Http\Controllers\SystemSettingController::class, 'index'])->name('system.settings.index');
+ Route::patch('/system-settings', [\App\Http\Controllers\SystemSettingController::class, 'update'])->name('system.settings.update');
+ Route::post('/system-settings/test-email', [\App\Http\Controllers\SystemSettingController::class, 'testEmail'])->name('system.settings.test-email');
+ });
 // Users CRUD
 Route::get('/users', [UserController::class, 'index'])->name('users.index');
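Review bot: The new `Route::middleware('can:settings.manage')` group makes the Gate check the sole gate for the three system-settings routes, so the comment `// System Settings (Super-Admin / settings.manage)` promises more than the route grants: a super-admin without the explicit `settings.manage` permission is rejected here with a 403 before the controller's `hasRole('super-admin')` fallback ever runs, unless a `Gate::before` callback grants that role every ability, which this diff does not show. If such a callback exists, the comment should say so, e.g. `// System Settings (settings.manage; super-admin passes via Gate::before)`; if not, the role needs the permission assigned, or the super-admin claim should be dropped from the comment. Moving authorization to route middleware is the right direction; the notification routes in the next hunk still rely on in-controller checks alone, so wrapping them in a `can:` group the same way would keep one consistent layer.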
@@ -68,7 +70,9 @@ Route::middleware(['auth', 'verified'])->group(function () {
 Route::post('/notifications', [\App\Http\Controllers\NotificationController::class, 'store'])->name('notifications.store');
 // Internal Docs
- Route::get('/documentation', fn() => Inertia::render('Docs/Index'))->name('docs.index');
+ Route::get('/documentation', fn() => Inertia::render('Docs/Index'))
+ ->middleware('can:settings.manage')
+ ->name('docs.index');
 // Two-Factor Authentication
 Route::get('/two-factor', [\App\Http\Controllers\TwoFactorController::class, 'show'])->name('two-factor.show');
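Review bot: The `/documentation` route is now gated by `can:settings.manage`, which ties read access to internal docs to the ability to change system settings, and the unchanged `// Internal Docs` comment gives a reader no way to tell whether that coupling is intended or a stand-in. If admin-only docs is the intent, say so inline, e.g. `// Internal Docs (restricted to settings.manage holders)`; otherwise a read-only ability (name to be agreed) would let documentation readers exist without also being settings managers. The same super-admin caveat raised on the system-settings group applies to this middleware.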