Restrict system routes to administrators

2025-03-06 03:01:20 +01:00 · 2025-02-27 08:41:06 +01:00 · 2025-02-27 08:41:06 +01:00 · 47a13b891d
commit 47a13b891d
parent f3945463b7
2 changed files with 35 additions and 7 deletions
--- a/routes/web.php
+++ b/routes/web.php
@ -90,12 +90,11 @@
 Route::group(['middleware' => ['behind-auth', 'admin']], function () {
    Route::get('system/infos', [SystemController::class, 'infos'])->name('system.infos');
    Route::post('system/test-email', [SystemController::class, 'testEmail'])->name('system.testEmail');
+    Route::get('system/latestRelease', [SystemController::class, 'latestRelease'])->name('system.latestRelease');
+    Route::get('system/optimize', [SystemController::class, 'optimize'])->name('system.optimize');
+    Route::get('system/clear-cache', [SystemController::class, 'clear'])->name('system.clear');
 });

-Route::get('system/optimize', [SystemController::class, 'optimize'])->name('system.optimize');
-Route::get('system/clear-cache', [SystemController::class, 'clear'])->name('system.clear');
-Route::get('system/latestRelease', [SystemController::class, 'latestRelease'])->name('system.latestRelease');
-
 Route::get('refresh-csrf', function () {
    return csrf_token();
 });
--- a/tests/Feature/Http/SystemControllerTest.php
+++ b/tests/Feature/Http/SystemControllerTest.php
@ -103,13 +103,22 @@ public function test_latestrelease_runs_manual_scan()
            ->once()
            ->andReturn('new_release');

-        $response = $this->json('GET', '/system/latestRelease')
+        $response = $this->actingAs($this->admin, 'web-guard')
+            ->json('GET', '/system/latestRelease')
            ->assertOk()
            ->assertJson([
                'newRelease' => 'new_release',
            ]);
    }

+    #[Test]
+    public function test_latestrelease_is_forbidden_to_user()
+    {
+        $response = $this->actingAs($this->user, 'web-guard')
+            ->json('GET', '/system/latestRelease')
+            ->assertForbidden();
+    }
+
    #[Test]
    public function test_testEmail_sends_a_notification()
    {
@ -156,16 +165,36 @@ public function test_testEmail_returns_success_even_if_sending_fails()
    #[Test]
    public function test_clearCache_returns_success()
    {
-        $response = $this->json('GET', '/system/clear-cache');
+        $response = $this->actingAs($this->admin, 'web-guard')
+            ->json('GET', '/system/clear-cache');

        $response->assertStatus(200);
    }

+    #[Test]
+    public function test_clearCache_is_forbidden_to_user()
+    {
+        $response = $this->actingAs($this->user, 'web-guard')
+            ->json('GET', '/system/clear-cache');
+
+        $response->assertForbidden();
+    }
+
    #[Test]
    public function test_optimize_returns_success()
    {
-        $response = $this->json('GET', '/system/optimize');
+        $response = $this->actingAs($this->admin, 'web-guard')
+            ->json('GET', '/system/optimize');

        $response->assertStatus(200);
    }
+
+    #[Test]
+    public function test_optimize_is_forbidden_to_user()
+    {
+        $response = $this->actingAs($this->user, 'web-guard')
+            ->json('GET', '/system/optimize');
+
+        $response->assertForbidden();
+    }
 }