Restrict system routes to administrators

Bubka · Mar 3, 2025 · 47a13b8 · 47a13b8
1 parent f394546
commit 47a13b8
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 7 deletions.
diff --git a/routes/web.php b/routes/web.php
@@ -90,12 +90,11 @@
 Route::group(['middleware' => ['behind-auth', 'admin']], function () {
     Route::get('system/infos', [SystemController::class, 'infos'])->name('system.infos');
     Route::post('system/test-email', [SystemController::class, 'testEmail'])->name('system.testEmail');
+    Route::get('system/latestRelease', [SystemController::class, 'latestRelease'])->name('system.latestRelease');
+    Route::get('system/optimize', [SystemController::class, 'optimize'])->name('system.optimize');
+    Route::get('system/clear-cache', [SystemController::class, 'clear'])->name('system.clear');
 });
 
-Route::get('system/optimize', [SystemController::class, 'optimize'])->name('system.optimize');
-Route::get('system/clear-cache', [SystemController::class, 'clear'])->name('system.clear');
-Route::get('system/latestRelease', [SystemController::class, 'latestRelease'])->name('system.latestRelease');
-
 Route::get('refresh-csrf', function () {
     return csrf_token();
 });

diff --git a/tests/Feature/Http/SystemControllerTest.php b/tests/Feature/Http/SystemControllerTest.php
@@ -103,13 +103,22 @@ public function test_latestrelease_runs_manual_scan()
             ->once()
             ->andReturn('new_release');
 
-        $response = $this->json('GET', '/system/latestRelease')
+        $response = $this->actingAs($this->admin, 'web-guard')
+            ->json('GET', '/system/latestRelease')
             ->assertOk()
             ->assertJson([
                 'newRelease' => 'new_release',
             ]);
     }
 
+    #[Test]
+    public function test_latestrelease_is_forbidden_to_user()
+    {
+        $response = $this->actingAs($this->user, 'web-guard')
+            ->json('GET', '/system/latestRelease')
+            ->assertForbidden();
+    }
+
     #[Test]
     public function test_testEmail_sends_a_notification()
     {
@@ -156,16 +165,36 @@ public function test_testEmail_returns_success_even_if_sending_fails()
     #[Test]
     public function test_clearCache_returns_success()
     {
-        $response = $this->json('GET', '/system/clear-cache');
+        $response = $this->actingAs($this->admin, 'web-guard')
+            ->json('GET', '/system/clear-cache');
 
         $response->assertStatus(200);
     }
 
+    #[Test]
+    public function test_clearCache_is_forbidden_to_user()
+    {
+        $response = $this->actingAs($this->user, 'web-guard')
+            ->json('GET', '/system/clear-cache');
+
+        $response->assertForbidden();
+    }
+
     #[Test]
     public function test_optimize_returns_success()
     {
-        $response = $this->json('GET', '/system/optimize');
+        $response = $this->actingAs($this->admin, 'web-guard')
+            ->json('GET', '/system/optimize');
 
         $response->assertStatus(200);
     }
+
+    #[Test]
+    public function test_optimize_is_forbidden_to_user()
+    {
+        $response = $this->actingAs($this->user, 'web-guard')
+            ->json('GET', '/system/optimize');
+
+        $response->assertForbidden();
+    }
 }