Merge branch '430-confidential-issue' into 'development'

Alle Admin Unterseiten sind nur noch zugänglich, wenn man autorisiert ist

Closes #430

See merge request !705

app/Http/Kernel.php

@@ -47,11 +47,12 @@ class Kernel extends HttpKernel
      * @var array
      */
     protected $routeMiddleware = [
-        'auth'       => \Illuminate\Auth\Middleware\Authenticate::class,
-        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
-        'bindings'   => \Illuminate\Routing\Middleware\SubstituteBindings::class,
-        'can'        => \Illuminate\Auth\Middleware\Authorize::class,
-        'guest'      => \App\Http\Middleware\RedirectIfAuthenticated::class,
-        'throttle'   => \Illuminate\Routing\Middleware\ThrottleRequests::class,
+        'auth'          => \Illuminate\Auth\Middleware\Authenticate::class,
+        'auth.basic'    => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
+        'bindings'      => \Illuminate\Routing\Middleware\SubstituteBindings::class,
+        'can'           => \Illuminate\Auth\Middleware\Authorize::class,
+        'guest'         => \App\Http\Middleware\RedirectIfAuthenticated::class,
+        'throttle'      => \Illuminate\Routing\Middleware\ThrottleRequests::class,
+        'referer.check' => \App\Http\Middleware\RefererCheck::class,
     ];
 }

app/Http/Middleware/RefererCheck.php

+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class RefererCheck
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $refererCorrect = env('referer_check');
+        $referer        = $request->server('HTTP_REFERER');
+        if ($refererCorrect !== $referer) {
+            abort(403, 'Unauthorized');
+        } else {
+            return $next($request);
+        }
+    }
+}

resources/views/errors/403.blade.php

+@extends('layouts.subPages')
+
+@section('title', 'Fehler 403 - Unautorisiert')
+
+@section('content')
+<h1>Unautorisiert</h1>
+<p>Sie haben leider keine Rechte auf dieses Dokument zuzugreifen.</p>
+@endsection

routes/web.php

@@ -127,10 +127,12 @@ Route::group(
                 ->with('navbarFocus', 'dienste');
         });
 
-        Route::get('admin', 'AdminInterface@index');
-        Route::get('admin/count', 'AdminInterface@count');
-        Route::get('admin/check', 'AdminInterface@check');
-        Route::get('admin/engines', 'AdminInterface@engines');
+        Route::group(['middleware' => ['referer.check'], 'prefix' => 'admin'], function () {
+            Route::get('/', 'AdminInterface@index');
+            Route::get('count', 'AdminInterface@count');
+            Route::get('check', 'AdminInterface@check');
+            Route::get('engines', 'AdminInterface@engines');
+        });
 
         Route::get('settings', 'StartpageController@loadSettings');