Put some api calls behind admin access

2026-05-02 19:15:40 +02:00
parent 931bd27c65
commit 654b55a2a4
2 changed files with 95 additions and 5 deletions
--- a/backend/src/router.rs
+++ b/backend/src/router.rs
@@ -7,7 +7,7 @@ use axum::{

 use crate::{
    AppState,
-    cookie::validation::validate_token,
+    cookie::validation::{validate_admin, validate_token},
    handlers::{
        auth::{
            create_user, delete_user, get_current_user, get_user_by_id, get_users, login, logout,
@@ -18,9 +18,7 @@ use crate::{
 };

 pub fn create_router(state: Arc<AppState>) -> Router {
-    let protected_routes = Router::new()
-        .route("/api/tickets", get(get_tickets))
-        .route("/api/tickets/create", post(create_ticket))
+    let admin_routes = Router::new()
        .route(
            "/api/tickets/{id}",
            get(get_ticket_by_id)
@@ -28,13 +26,22 @@ pub fn create_router(state: Arc<AppState>) -> Router {
                .patch(edit_ticket),
        )
        .route("/api/register", post(create_user))
-        .route("/api/logout", get(logout))
        .route("/api/users", get(get_users))
        .route("/api/users/current", get(get_current_user))
        .route(
            "/api/users/{id}",
            get(get_user_by_id).delete(delete_user).patch(update_user),
        )
+        .layer(middleware::from_fn_with_state(
+            state.clone(),
+            validate_admin,
+        ));
+
+    let protected_routes = Router::new()
+        .merge(admin_routes)
+        .route("/api/tickets", get(get_tickets))
+        .route("/api/tickets/create", post(create_ticket))
+        .route("/api/logout", get(logout))
        .layer(middleware::from_fn_with_state(
            state.clone(),
            validate_token,