From aea201fcba0cc89f09f1ef8555ab00de275752ab Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:24:40 +0100
Subject: [PATCH] refactor: move admin route into middleware group and harden
 authorization

Move the admin panel route into the existing auth middleware group and
replace client-side redirects with server-side abort calls in the
Livewire component. Extract shared authorization logic into reusable
private methods.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app/Livewire/Admin/Index.php                  |  31 +++--
 routes/web.php                                |   3 +-
 .../Feature/AdminAccessAuthorizationTest.php  | 118 ++++++++++++++++++
 3 files changed, 141 insertions(+), 11 deletions(-)
 create mode 100644 tests/Feature/AdminAccessAuthorizationTest.php

diff --git a/app/Livewire/Admin/Index.php b/app/Livewire/Admin/Index.php
index b5f6d2929..d1345e7bf 100644
--- a/app/Livewire/Admin/Index.php
+++ b/app/Livewire/Admin/Index.php
@@ -6,7 +6,6 @@
 use App\Models\User;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Auth;
-use Illuminate\Support\Facades\Cache;
 use Livewire\Component;
 
 class Index extends Component
@@ -22,16 +21,15 @@ class Index extends Component
     public function mount()
     {
         if (! isCloud() && ! isDev()) {
-            return redirect()->route('dashboard');
-        }
-        if (Auth::id() !== 0 && ! session('impersonating')) {
-            return redirect()->route('dashboard');
+            abort(403);
         }
+        $this->authorizeAdminAccess();
         $this->getSubscribers();
     }
 
     public function back()
     {
+        $this->authorizeAdminAccess();
         if (session('impersonating')) {
             session()->forget('impersonating');
             $user = User::find(0);
@@ -45,6 +43,7 @@ public function back()
 
     public function submitSearch()
     {
+        $this->authorizeAdminAccess();
         if ($this->search !== '') {
             $this->foundUsers = User::where(function ($query) {
                 $query->where('name', 'like', "%{$this->search}%")
@@ -61,19 +60,33 @@ public function getSubscribers()
 
     public function switchUser(int $user_id)
     {
-        if (Auth::id() !== 0) {
-            return redirect()->route('dashboard');
-        }
+        $this->authorizeRootOnly();
         session(['impersonating' => true]);
         $user = User::find($user_id);
+        if (! $user) {
+            abort(404);
+        }
         $team_to_switch_to = $user->teams->first();
-        // Cache::forget("team:{$user->id}");
         Auth::login($user);
         refreshSession($team_to_switch_to);
 
         return redirect(request()->header('Referer'));
     }
 
+    private function authorizeAdminAccess(): void
+    {
+        if (! Auth::check() || (Auth::id() !== 0 && ! session('impersonating'))) {
+            abort(403);
+        }
+    }
+
+    private function authorizeRootOnly(): void
+    {
+        if (! Auth::check() || Auth::id() !== 0) {
+            abort(403);
+        }
+    }
+
     public function render()
     {
         return view('livewire.admin.index');
diff --git a/routes/web.php b/routes/web.php
index dfb44324c..a82fcc19e 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -90,8 +90,6 @@
 use Illuminate\Support\Facades\Storage;
 use Symfony\Component\HttpFoundation\StreamedResponse;
 
-Route::get('/admin', AdminIndex::class)->name('admin.index');
-
 Route::post('/forgot-password', [Controller::class, 'forgot_password'])->name('password.forgot')->middleware('throttle:forgot-password');
 Route::get('/realtime', [Controller::class, 'realtime_test'])->middleware('auth');
 Route::get('/verify', [Controller::class, 'verify'])->middleware('auth')->name('verify.email');
@@ -109,6 +107,7 @@
     });
 
     Route::get('/', Dashboard::class)->name('dashboard');
+    Route::get('/admin', AdminIndex::class)->name('admin.index');
     Route::get('/onboarding', BoardingIndex::class)->name('onboarding');
 
     Route::get('/subscription', SubscriptionShow::class)->name('subscription.show');
diff --git a/tests/Feature/AdminAccessAuthorizationTest.php b/tests/Feature/AdminAccessAuthorizationTest.php
new file mode 100644
index 000000000..4840bc4dd
--- /dev/null
+++ b/tests/Feature/AdminAccessAuthorizationTest.php
@@ -0,0 +1,118 @@
+<?php
+
+use App\Livewire\Admin\Index as AdminIndex;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+test('unauthenticated user cannot access admin route', function () {
+    $response = $this->get('/admin');
+
+    $response->assertRedirect('/login');
+});
+
+test('authenticated non-root user gets 403 on admin page', function () {
+    $team = Team::factory()->create();
+    $user = User::factory()->create();
+    $team->members()->attach($user->id, ['role' => 'admin']);
+
+    $this->actingAs($user);
+    session(['currentTeam' => ['id' => $team->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertForbidden();
+});
+
+test('root user can access admin page in cloud mode', function () {
+    config()->set('constants.coolify.self_hosted', false);
+
+    $rootTeam = Team::find(0) ?? Team::factory()->create(['id' => 0]);
+    $rootUser = User::factory()->create(['id' => 0]);
+    $rootTeam->members()->attach($rootUser->id, ['role' => 'admin']);
+
+    $this->actingAs($rootUser);
+    session(['currentTeam' => ['id' => $rootTeam->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertOk();
+});
+
+test('root user gets 403 on admin page in self-hosted non-dev mode', function () {
+    config()->set('constants.coolify.self_hosted', true);
+    config()->set('app.env', 'production');
+
+    $rootTeam = Team::find(0) ?? Team::factory()->create(['id' => 0]);
+    $rootUser = User::factory()->create(['id' => 0]);
+    $rootTeam->members()->attach($rootUser->id, ['role' => 'admin']);
+
+    $this->actingAs($rootUser);
+    session(['currentTeam' => ['id' => $rootTeam->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertForbidden();
+});
+
+test('submitSearch requires admin authorization', function () {
+    $team = Team::factory()->create();
+    $user = User::factory()->create();
+    $team->members()->attach($user->id, ['role' => 'admin']);
+
+    $this->actingAs($user);
+    session(['currentTeam' => ['id' => $team->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertForbidden();
+});
+
+test('switchUser requires root user id 0', function () {
+    config()->set('constants.coolify.self_hosted', false);
+
+    $rootTeam = Team::find(0) ?? Team::factory()->create(['id' => 0]);
+    $rootUser = User::factory()->create(['id' => 0]);
+    $rootTeam->members()->attach($rootUser->id, ['role' => 'admin']);
+
+    $targetUser = User::factory()->create();
+    $targetTeam = Team::factory()->create();
+    $targetTeam->members()->attach($targetUser->id, ['role' => 'admin']);
+
+    $this->actingAs($rootUser);
+    session(['currentTeam' => ['id' => $rootTeam->id]]);
+
+    Livewire::test(AdminIndex::class)
+        ->assertOk()
+        ->call('switchUser', $targetUser->id)
+        ->assertRedirect();
+});
+
+test('switchUser rejects non-root user', function () {
+    config()->set('constants.coolify.self_hosted', false);
+
+    $team = Team::factory()->create();
+    $user = User::factory()->create();
+    $team->members()->attach($user->id, ['role' => 'admin']);
+
+    // Must set impersonating session to bypass mount() check
+    $this->actingAs($user);
+    session([
+        'currentTeam' => ['id' => $team->id],
+        'impersonating' => true,
+    ]);
+
+    Livewire::test(AdminIndex::class)
+        ->call('switchUser', 999)
+        ->assertForbidden();
+});
+
+test('admin route has auth middleware applied', function () {
+    $route = collect(app('router')->getRoutes()->getRoutesByName())
+        ->get('admin.index');
+
+    expect($route)->not->toBeNull();
+
+    $middleware = $route->gatherMiddleware();
+
+    expect($middleware)->toContain('auth');
+});