feat: security hardening (Fasa 10)

- EnsureIsAdmin middleware: gates all admin routes on is_admin flag - Apply admin middleware to entire admin route group - Fix questionnaire resource route parameter name mismatch ({set}) - Audit log on questionnaire confirmation Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 23:54:11 +08:00
parent 165f22fe6f
commit a41ff59009
4 changed files with 27 additions and 3 deletions
--- a/app/Http/Middleware/EnsureIsAdmin.php
+++ b/app/Http/Middleware/EnsureIsAdmin.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureIsAdmin
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        if (! $request->user()?->is_admin) {
+            abort(403, 'Akses ditolak.');
+        }
+
+        return $next($request);
+    }
+}