Restrict access to admin routes

src/middlewares/auth_middleware.rs

@@ -7,6 +7,7 @@ use std::rc::Rc;
 use actix_identity::RequestIdentity;
 use actix_web::{dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform}, Error, HttpResponse};
 use actix_web::body::EitherBody;
+use askama::Template;
 
 use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES, LOGIN_ROUTE};
 use crate::controllers::base_controller::redirect_user;
@@ -55,6 +56,10 @@ impl SessionStatus {
     }
 }
 
+#[derive(Template)]
+#[template(path = "access_denied.html")]
+struct AccessDeniedTemplate {}
+
 pub struct AuthInnerMiddleware<S> {
     service: Rc<S>,
 }
@@ -99,7 +104,12 @@ impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
                     .map_into_right_body());
             }
 
-            // TODO : restrict access to admin pages
+            // Restrict access to admin pages
+            if !identity.is_admin() && req.path().starts_with(ADMIN_ROUTES) {
+                return Ok(req.into_response(HttpResponse::Unauthorized()
+                    .body(AccessDeniedTemplate {}.render().unwrap()))
+                    .map_into_right_body());
+            }
 
             service
                 .call(req)

templates/access_denied.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Access denied</title>
+
+    <link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
+</head>
+<body>
+    <p>You are not allowed to access this resource.</p>
+</body>
+</html>