From 01690a6ab04076dca39647ed9b4e6752a6981e9a Mon Sep 17 00:00:00 2001
From: Dominik Pfennig <dominik@suma-ev.de>
Date: Wed, 18 Jan 2017 12:20:05 +0100
Subject: [PATCH] =?UTF-8?q?Alle=20Admin=20Unterseiten=20sind=20nur=20noch?=
 =?UTF-8?q?=20zug=C3=A4nglich,=20wenn=20man=20autorisiert=20ist?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/Http/Kernel.php | 13 +++++++------
 app/Http/Middleware/RefererCheck.php | 26 ++++++++++++++++++++++++++
 resources/views/errors/403.blade.php | 8 ++++++++
 routes/web.php | 10 ++++++----
 4 files changed, 47 insertions(+), 10 deletions(-)
 create mode 100644 app/Http/Middleware/RefererCheck.php
 create mode 100644 resources/views/errors/403.blade.php
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 54f78aa05..308d74c64 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -47,11 +47,12 @@ class Kernel extends HttpKernel
 * @var array
 */
 protected $routeMiddleware = [
- 'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
- 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
- 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
- 'can' => \Illuminate\Auth\Middleware\Authorize::class,
- 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
- 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
+ 'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
+ 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
+ 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
+ 'can' => \Illuminate\Auth\Middleware\Authorize::class,
+ 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
+ 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
+ 'referer.check' => \App\Http\Middleware\RefererCheck::class,
 ];
 }
diff --git a/app/Http/Middleware/RefererCheck.php b/app/Http/Middleware/RefererCheck.php
new file mode 100644
index 000000000..b0beae57f
--- /dev/null
+++ b/app/Http/Middleware/RefererCheck.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class RefererCheck
+{
+ /**
+ * Handle an incoming request.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @param \Closure $next
+ * @return mixed
+ */
+ public function handle($request, Closure $next)
+ {
+ $refererCorrect = env('referer_check');
+ $referer = $request->server('HTTP_REFERER');
+ if ($refererCorrect !== $referer) {
+ abort(403, 'Unauthorized');
+ } else {
+ return $next($request);
+ }
+ }
+}
diff --git a/resources/views/errors/403.blade.php b/resources/views/errors/403.blade.php
new file mode 100644
index 000000000..645d11f96
--- /dev/null
+++ b/resources/views/errors/403.blade.php
@@ -0,0 +1,8 @@
+@extends('layouts.subPages')
+
+@section('title', 'Fehler 403 - Unautorisiert')
+
+@section('content')
+<h1>Unautorisiert</h1>
+<p>Sie haben leider keine Rechte auf dieses Dokument zuzugreifen.</p>
+@endsection
diff --git a/routes/web.php b/routes/web.php
index 630d9f442..1f35c2a80 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -127,10 +127,12 @@ Route::group(
 ->with('navbarFocus', 'dienste');
 });
- Route::get('admin', 'AdminInterface@index');
- Route::get('admin/count', 'AdminInterface@count');
- Route::get('admin/check', 'AdminInterface@check');
- Route::get('admin/engines', 'AdminInterface@engines');
+ Route::group(['middleware' => ['referer.check'], 'prefix' => 'admin'], function () {
+ Route::get('/', 'AdminInterface@index');
+ Route::get('count', 'AdminInterface@count');
+ Route::get('check', 'AdminInterface@check');
+ Route::get('engines', 'AdminInterface@engines');
+ });
 Route::get('settings', 'StartpageController@loadSettings');
-- 
GitLab
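Review bot: The Referer comparison in RefererCheck::handle is not an authorization check, because the `Referer` header is supplied by the client and is also absent or stripped by many browsers, proxies and privacy settings, so this middleware neither reliably admits legitimate administrators nor reliably keeps anyone else out; the admin route group added in the routes/web.php hunk of this same patch should use the `auth` (or `auth.basic`) middleware that Kernel.php already registers instead of `referer.check`. Independently, the gate fails open: when `env('referer_check')` is unset (or returns `null` because configuration is cached, which Laravel's `env()` helper typically does not survive outside config files) and the request carries no Referer header, both sides are `null`, `null !== null` is false, and the request is passed straight to `$next`. If the Referer gate is kept as a secondary measure it should fail closed on a missing setting or missing header and compare with `hash_equals`, as sketched below. The `else` after `abort()` is also redundant, since `abort()` throws and never returns.

```php
public function handle($request, Closure $next)
{
    $expected = env('referer_check');
    $referer = $request->server('HTTP_REFERER');
    // Fail closed: a missing setting or a missing Referer header is a deny,
    // not a successful match of null against null.
    if (!is_string($expected) || $expected === ''
        || !is_string($referer) || !hash_equals($expected, $referer)) {
        abort(403, 'Unauthorized');
    }

    return $next($request);
}
```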