<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
use App\Wiki;
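class LimitWikiAccess
{
    /**
     * Reject any incoming request unless the authenticated user is a manager
     * of the requested wiki. If the user is authorized, store the wiki
     * object in the request attributes under the key 'wiki'.
     *
     * Outcomes, in the order they are checked:
     *  - validation failure when the `wiki` input is missing or not an integer
     *    (raised by $request->validate());
     *  - 404 when no wiki with that id is found;
     *  - 403 when there is no authenticated user, or the user has no
     *    wikiManagers() row for this wiki.
     *
     * NOTE(review): the existence check runs before the authorization check,
     * so a caller who is not a manager can tell an existing wiki id (403)
     * from a missing one (404). Confirm this is acceptable for wiki ids.
     *
     * @param Request $request Incoming request carrying the `wiki` id input.
     * @param Closure $next    Next handler in the middleware pipeline.
     */
    public function handle(Request $request, Closure $next): Response
    {
        $validatedInput = $request->validate([
            'wiki' => ['required', 'integer'],
        ]);

        $wiki = Wiki::find($validatedInput['wiki']);
        if (!$wiki) {
            abort(404, 'No such wiki');
        }

        // Fail closed when nobody is signed in. Passing a null id into
        // where() would (assuming wikiManagers() is an Eloquent relation)
        // be compiled as `user_id IS NULL`, so a manager row without a
        // user_id would authorize an anonymous request.
        $userId = $request->user()?->id;
        if ($userId === null) {
            abort(403);
        }

        $wikiManager = $wiki->wikiManagers()
            ->where('user_id', $userId)
            ->first();
        if (!$wikiManager) {
            abort(403);
        }

        // Downstream handlers read the authorized wiki from the attributes
        // bag instead of looking it up again from the raw input.
        $request->attributes->set('wiki', $wiki);

        return $next($request);
    }
}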