fix premission error

app/Http/Middleware/AdminAuthenticate.php

@@ -4,6 +4,7 @@
 
 namespace App\Http\Middleware;
 
+use App\Constants\ErrorCode;
 use Closure;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
@@ -13,15 +14,24 @@ class AdminAuthenticate
 {
     public function handle(Request $request, Closure $next): Response
     {
+        // 检查是否已登录
         if (!Auth::guard('admin')->check()) {
             return response()->json([
-                'error' => 'unauthorized',
+                'error' => ErrorCode::UNAUTHORIZED,
                 'message' => '未授权，请先登录。',
-            ], 401);
+            ], Response::HTTP_UNAUTHORIZED);
         }
 
         $admin = Auth::guard('admin')->user();
 
+        // 检查是否是管理员
+        if (!$admin || !in_array($admin->role, ['super', 'admin'])) {
+            return response()->json([
+                'error' => ErrorCode::FORBIDDEN,
+                'message' => '无权访问管理员资源。',
+            ], Response::HTTP_FORBIDDEN);
+        }
+
         // Add admin information to the request
         $request->merge(['admin' => $admin]);
 

app/Http/Middleware/ValidateAccessToken.php

@@ -4,6 +4,7 @@
 
 namespace App\Http\Middleware;
 
+use App\Constants\ErrorCode;
 use App\Services\Auth\TokenService;
 use Closure;
 use Illuminate\Http\Request;
@@ -17,22 +18,30 @@ public function __construct(
 
     public function handle(Request $request, Closure $next): Response
     {
+        // 禁止访问管理员路由
+        if (str_starts_with($request->path(), 'api/admin')) {
+            return response()->json([
+                'error' => ErrorCode::FORBIDDEN,
+                'message' => '客户用户无权访问管理员资源。',
+            ], Response::HTTP_FORBIDDEN);
+        }
+
         $bearerToken = $request->bearerToken();
 
         if (!$bearerToken) {
             return response()->json([
-                'error' => 'unauthorized',
+                'error' => ErrorCode::UNAUTHORIZED,
                 'message' => '未授权，令牌无效或未提供。',
-            ], 401);
+            ], Response::HTTP_UNAUTHORIZED);
         }
 
         $tokenData = $this->tokenService->validateAccessToken($bearerToken);
 
         if (!$tokenData) {
             return response()->json([
-                'error' => 'unauthorized',
+                'error' => ErrorCode::UNAUTHORIZED,
                 'message' => '访问令牌无效或已过期。',
-            ], 401);
+            ], Response::HTTP_UNAUTHORIZED);
         }
 
         // Add client information to the request for later use

routes/api.php

@@ -15,11 +15,13 @@
     Route::post('/llm/request', [LlmController::class, 'request']);
 });
 
-// Admin authentication routes
-Route::middleware(['auth:sanctum', 'admin'])->prefix('admin')->group(function () {
+// Admin routes
+Route::prefix('admin')->group(function () {
+    // Admin auth routes (public)
     Route::post('login', [AdminAuthController::class, 'login']);
 
-    Route::middleware('auth.admin')->group(function () {
+    // Protected admin routes
+    Route::middleware(['auth:sanctum', 'auth.admin'])->group(function () {
         Route::post('logout', [AdminAuthController::class, 'logout']);
         Route::post('change-password', [AdminAuthController::class, 'changePassword']);