feat: security hardening (Fasa 10)

- EnsureIsAdmin middleware: gates all admin routes on is_admin flag
- Apply admin middleware to entire admin route group
- Fix questionnaire resource route parameter name mismatch ({set})
- Audit log on questionnaire confirmation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/Http/Controllers/Admin/ProgramQuestionnaireController.php

@@ -6,6 +6,7 @@ use App\Http\Controllers\Controller;
 use App\Models\Program;
 use App\Models\ProgramQuestionnaire;
 use App\Models\QuestionnaireSet;
+use App\Services\AuditLogService;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\View\View;
@@ -63,6 +64,8 @@ class ProgramQuestionnaireController extends Controller
             'confirmed_by' => auth()->id(),
         ]);
 
+        AuditLogService::log('questionnaire.confirmed', $pq, [], ['program_id' => $program->id, 'questionnaire_set_id' => $pq->questionnaire_set_id]);
+
         return back()->with('success', 'Soalselidik telah disahkan untuk program ini.');
     }
 

app/Http/Middleware/EnsureIsAdmin.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureIsAdmin
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        if (! $request->user()?->is_admin) {
+            abort(403, 'Akses ditolak.');
+        }
+
+        return $next($request);
+    }
+}

bootstrap/app.php

@@ -11,7 +11,9 @@ return Application::configure(basePath: dirname(__DIR__))
         health: '/up',
     )
     ->withMiddleware(function (Middleware $middleware): void {
-        //
+        $middleware->alias([
+            'admin' => \App\Http\Middleware\EnsureIsAdmin::class,
+        ]);
     })
     ->withExceptions(function (Exceptions $exceptions): void {
         //

routes/web.php

@@ -24,7 +24,7 @@ Route::get('/', fn() => redirect()->route('admin.dashboard'));
 // ──────────────────────────────────────────────
 // Admin Routes
 // ──────────────────────────────────────────────
-Route::middleware('auth')->prefix('admin')->name('admin.')->group(function () {
+Route::middleware(['auth', 'admin'])->prefix('admin')->name('admin.')->group(function () {
 
     Route::get('/dashboard', [DashboardController::class, 'index'])->name('dashboard');
 
@@ -84,7 +84,7 @@ Route::middleware('auth')->prefix('admin')->name('admin.')->group(function () {
     });
 
     // Questionnaire Sets
-    Route::resource('questionnaires', QuestionnaireSetController::class)->except(['show']);
+    Route::resource('questionnaires', QuestionnaireSetController::class)->except(['show'])->parameters(['questionnaires' => 'set']);
     Route::post('/questionnaires/{set}/publish',  [QuestionnaireSetController::class, 'publish'])->name('questionnaires.publish');
     Route::post('/questionnaires/{set}/archive',  [QuestionnaireSetController::class, 'archive'])->name('questionnaires.archive');
     Route::get('/questionnaires/{set}',           [QuestionnaireSetController::class, 'show'])->name('questionnaires.show');