add isAdmin user helper, protect users unless isAdmin

Gareth Redfern · Gareth Redfern · commit a0234ae9b19d · 2021-01-15T21:06:58.000Z
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
@@ -5,6 +5,7 @@
 use App\Models\User;
 use Illuminate\Http\Request;
 use App\Http\Resources\UserResource;
+use Illuminate\Support\Facades\Auth;
 
 class UserController extends Controller
 {
@@ -15,7 +16,10 @@ class UserController extends Controller
      */
     public function index()
     {
-        return UserResource::collection(User::paginate());
+        if (Auth::user()->isAdmin()) {
+            return UserResource::collection(User::paginate());
+        }
+        return  response()->json(["message" => "Forbidden"], 403);
     }
 
     /**
@@ -37,7 +41,10 @@ public function store(Request $request)
      */
     public function show(User $user)
     {
-        return new UserResource($user);
+        if (Auth::user()->isAdmin()) {
+          return new UserResource($user);
+        }
+        return  response()->json(["message" => "Forbidden"], 403);
     }
 
     /**
diff --git a/app/Models/User.php b/app/Models/User.php
@@ -40,6 +40,12 @@ class User extends Authenticatable implements MustVerifyEmail
      * @var array
      */
     protected $casts = [
+        'is_admin' => 'boolean',
         'email_verified_at' => 'datetime',
     ];
+
+    public function isAdmin(): bool
+    {
+      return $this->is_admin;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`use App\Models\User;`
`6`	`6`	`use Illuminate\Http\Request;`
`7`	`7`	`use App\Http\Resources\UserResource;`
	`8`	`+use Illuminate\Support\Facades\Auth;`
`8`	`9`
`9`	`10`	`class UserController extends Controller`
`10`	`11`	`{`
`@@ -15,7 +16,10 @@ class UserController extends Controller`
`15`	`16`	`*/`
`16`	`17`	`public function index()`
`17`	`18`	`{`
`18`		`- return UserResource::collection(User::paginate());`
	`19`	`+ if (Auth::user()->isAdmin()) {`
	`20`	`+ return UserResource::collection(User::paginate());`
	`21`	`+ }`
	`22`	`+ return response()->json(["message" => "Forbidden"], 403);`
`19`	`23`	`}`
`20`	`24`
`21`	`25`	`/**`
`@@ -37,7 +41,10 @@ public function store(Request $request)`
`37`	`41`	`*/`
`38`	`42`	`public function show(User $user)`
`39`	`43`	`{`
`40`		`- return new UserResource($user);`
	`44`	`+ if (Auth::user()->isAdmin()) {`
	`45`	`+ return new UserResource($user);`
	`46`	`+ }`
	`47`	`+ return response()->json(["message" => "Forbidden"], 403);`
`41`	`48`	`}`
`42`	`49`
`43`	`50`	`/**`