[4.x] Use RedirectIfAuthorized middleware on password reset & activat…

…e pages (#9053) Co-authored-by: Duncan McClean <[email protected]> Co-authored-by: Jason Varga <[email protected]>
statamic · Nov 27, 2023 · 952dacb · 952dacb
1 parent 1d14155
commit 952dacb
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/src/Http/Controllers/ActivateAccountController.php b/src/Http/Controllers/ActivateAccountController.php
@@ -4,9 +4,15 @@
 
 use Illuminate\Support\Facades\Password;
 use Statamic\Auth\Passwords\PasswordReset;
+use Statamic\Http\Middleware\CP\RedirectIfAuthorized;
 
 class ActivateAccountController extends ResetPasswordController
 {
+    public function __construct()
+    {
+        $this->middleware(RedirectIfAuthorized::class);
+    }
+
     protected function resetFormAction()
     {
         return route('statamic.account.activate.action');

diff --git a/src/Http/Controllers/ResetPasswordController.php b/src/Http/Controllers/ResetPasswordController.php
@@ -8,15 +8,15 @@
 use Statamic\Auth\Passwords\PasswordReset;
 use Statamic\Auth\ResetsPasswords;
 use Statamic\Contracts\Auth\User;
-use Statamic\Http\Middleware\RedirectIfAuthenticated;
+use Statamic\Http\Middleware\CP\RedirectIfAuthorized;
 
 class ResetPasswordController extends Controller
 {
     use ResetsPasswords;
 
     public function __construct()
     {
-        $this->middleware(RedirectIfAuthenticated::class);
+        $this->middleware(RedirectIfAuthorized::class);
     }
 
     public function showResetForm(Request $request, $token = null)

diff --git a/src/Http/Middleware/CP/RedirectIfAuthorized.php b/src/Http/Middleware/CP/RedirectIfAuthorized.php
@@ -3,6 +3,7 @@
 namespace Statamic\Http\Middleware\CP;
 
 use Closure;
+use Illuminate\Support\Facades\Auth;
 use Statamic\Facades\User;
 
 class RedirectIfAuthorized
@@ -16,10 +17,14 @@ class RedirectIfAuthorized
      */
     public function handle($request, Closure $next, $guard = null)
     {
-        if (User::current()) {
-            return redirect(cp_route('index'));
+        if (! Auth::guard($guard)->check()) {
+            return $next($request);
         }
 
-        return $next($request);
+        $user = User::current();
+
+        $url = $user->can('access cp') ? cp_route('index') : '/';
+
+        return redirect($url)->withError(__("You can't do this while logged in"));
     }
 }