1 files changed, 56 insertions, 0 deletions

diff --git a/app/Middleware/AuthenticationMiddleware.php b/app/Middleware/AuthenticationMiddleware.php
new file mode 100644
index 00000000..a31198a5
--- /dev/null
+++ b/app/Middleware/AuthenticationMiddleware.php
@@ -0,0 +1,56 @@
+<?php
+
+namespace Kanboard\Middleware;
+
+use Kanboard\Core\Controller\AccessForbiddenException;
+use Kanboard\Core\Controller\BaseMiddleware;
+use Kanboard\Core\Security\Role;
+
+/**
+ * Class AuthenticationMiddleware
+ *
+ * @package Kanboard\Middleware
+ * @author  Frederic Guillot
+ */
+class AuthenticationMiddleware extends BaseMiddleware
+{
+    /**
+     * Execute middleware
+     */
+    public function execute()
+    {
+        if (! $this->authenticationManager->checkCurrentSession()) {
+            throw AccessForbiddenException::getInstance()->withoutLayout();
+        }
+
+        if (! $this->isPublicAccess()) {
+            $this->handleAuthentication();
+        }
+
+        $this->next();
+    }
+
+    protected function handleAuthentication()
+    {
+        if (! $this->userSession->isLogged() && ! $this->authenticationManager->preAuthentication()) {
+            $this->setNextMiddleware(null);
+
+            if ($this->request->isAjax()) {
+                $this->response->text('Not Authorized', 401);
+            } else {
+                $this->sessionStorage->redirectAfterLogin = $this->request->getUri();
+                $this->response->redirect($this->helper->url->to('auth', 'login'));
+            }
+        }
+    }
+
+    private function isPublicAccess()
+    {
+        if ($this->applicationAuthorization->isAllowed($this->router->getController(), $this->router->getAction(), Role::APP_PUBLIC)) {
+            $this->setNextMiddleware(null);
+            return true;
+        }
+
+        return false;
+    }
+}