Diffstat (limited to 'app/Http/Middleware/Admin.php')
-rw-r--r--app/Http/Middleware/Admin.php43
1 files changed, 43 insertions, 0 deletions
diff --git a/app/Http/Middleware/Admin.php b/app/Http/Middleware/Admin.php
new file mode 100644
index 0000000..65fba8c
--- /dev/null
+++ b/app/Http/Middleware/Admin.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Notification;
+use App\Notifications\AdminAccessNotification;
+use Illuminate\Notifications\AnonymousNotifiable;
+
+class Admin
+{
+ /**
+ * Ensure the authenticated user is an admin (role == 0).
+ */
+ public function handle(Request $request, Closure $next): Response
+ {
+ if (!Auth::check() || !Auth::user()->isAdmin()) {
+ abort(403, 'Unauthorized');
+ }
+
+ // Notify admin email of access — throttled to once per 15 minutes per user+IP
+ $adminEmail = config('app.admin_notify_email');
+ if ($adminEmail) {
+ $cacheKey = 'admin_notify:' . Auth::id() . ':' . $request->ip();
+ if (!Cache::has($cacheKey)) {
+ Notification::route('mail', $adminEmail)->notify(
+ new AdminAccessNotification(
+ Auth::user()->name,
+ $request->ip(),
+ $request->header('User-Agent', 'unknown')
+ )
+ );
+ Cache::put($cacheKey, true, now()->addMinutes(15));
+ }
+ }
+
+ return $next($request);
+ }
+}
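Review bot: The throttle in handle() uses Cache::has followed later by Cache::put, which is not atomic, so two concurrent requests from the same user and IP can both pass the check and each send an admin notification. Cache::add stores only when the key is absent and returns whether it did, so the check-then-put pair collapses to `if (Cache::add($cacheKey, true, now()->addMinutes(15))) {` with the trailing `Cache::put($cacheKey, true, now()->addMinutes(15));` line removed. This marks the window as used before notify() runs, so a failed send is not retried for 15 minutes; that is reasonable for a best-effort alert but deserves a one-line comment such as `// add() is atomic: first request in the window wins; a failed send is not retried`. Separately, the notification is dispatched synchronously inside the middleware, so unless AdminAccessNotification implements ShouldQueue (not visible here) a mail-transport failure would turn the admin's own request into an error, and `$request->ip()` only reflects the real client when trusted proxies are configured, which the throttle key and the notification both rely on.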