110 lines
3.9 KiB
PHP
110 lines
3.9 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use App\Helpers\ProfileAuthorizationHelper;
|
|
use Closure;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\Log;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
|
|
/**
|
|
* Require Admin Profile Middleware
|
|
*
|
|
* Ensures that only administrators or central banks can access admin routes.
|
|
* Prevents IDOR attacks and cross-guard access by validating profile ownership
|
|
* using ProfileAuthorizationHelper.
|
|
*
|
|
* Usage:
|
|
* - Apply to routes that require admin or central bank access
|
|
* - Validates active profile from session
|
|
* - Checks cross-guard attacks via ProfileAuthorizationHelper
|
|
* - Logs all access attempts for security monitoring
|
|
*/
|
|
class RequireAdminProfile
|
|
{
|
|
/**
|
|
* Handle an incoming request.
|
|
*
|
|
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
|
|
*/
|
|
public function handle(Request $request, Closure $next): Response
|
|
{
|
|
// Get active profile from session
|
|
$activeProfileType = session('activeProfileType');
|
|
$activeProfileId = session('activeProfileId');
|
|
|
|
if (!$activeProfileType || !$activeProfileId) {
|
|
Log::warning('RequireAdminProfile: No active profile in session', [
|
|
'ip_address' => $request->ip(),
|
|
'url' => $request->fullUrl(),
|
|
]);
|
|
abort(403, __('No active profile selected'));
|
|
}
|
|
|
|
$profile = $activeProfileType::find($activeProfileId);
|
|
|
|
if (!$profile) {
|
|
Log::warning('RequireAdminProfile: Active profile not found', [
|
|
'active_profile_type' => $activeProfileType,
|
|
'active_profile_id' => $activeProfileId,
|
|
'ip_address' => $request->ip(),
|
|
'url' => $request->fullUrl(),
|
|
]);
|
|
abort(403, __('Active profile not found'));
|
|
}
|
|
|
|
// Validate profile ownership using ProfileAuthorizationHelper
|
|
// This prevents cross-guard attacks (e.g., web user accessing admin profile)
|
|
ProfileAuthorizationHelper::authorize($profile);
|
|
|
|
// Verify admin or central bank permissions
|
|
if ($profile instanceof \App\Models\Admin) {
|
|
// Admin access OK
|
|
Log::info('RequireAdminProfile: Admin access granted', [
|
|
'admin_id' => $profile->id,
|
|
'admin_name' => $profile->name,
|
|
'ip_address' => $request->ip(),
|
|
'url' => $request->fullUrl(),
|
|
]);
|
|
|
|
return $next($request);
|
|
}
|
|
|
|
if ($profile instanceof \App\Models\Bank) {
|
|
// Only central bank (level 0) can access admin routes
|
|
if ($profile->level === 0) {
|
|
Log::info('RequireAdminProfile: Central bank access granted', [
|
|
'bank_id' => $profile->id,
|
|
'bank_name' => $profile->name,
|
|
'bank_level' => $profile->level,
|
|
'ip_address' => $request->ip(),
|
|
'url' => $request->fullUrl(),
|
|
]);
|
|
|
|
return $next($request);
|
|
}
|
|
|
|
Log::warning('RequireAdminProfile: Non-central bank attempted admin access', [
|
|
'bank_id' => $profile->id,
|
|
'bank_name' => $profile->name,
|
|
'bank_level' => $profile->level,
|
|
'ip_address' => $request->ip(),
|
|
'url' => $request->fullUrl(),
|
|
]);
|
|
|
|
abort(403, __('Central bank access required for admin functions'));
|
|
}
|
|
|
|
// Not admin or central bank
|
|
Log::warning('RequireAdminProfile: Unauthorized profile type attempted admin access', [
|
|
'profile_type' => get_class($profile),
|
|
'profile_id' => $profile->id,
|
|
'ip_address' => $request->ip(),
|
|
'url' => $request->fullUrl(),
|
|
]);
|
|
|
|
abort(403, __('Admin or central bank access required'));
|
|
}
|
|
}
|