Fix #30 Remove APP_EVERYONE_IS_ADMIN

flexiapi/.env.example

@@ -11,7 +11,6 @@ APP_FLEXISIP_PUSHER_PATH=
 APP_API_KEY_EXPIRATION_MINUTES=60 # Number of minutes the generated API Keys are valid
 
 # Risky toggles
-APP_EVERYONE_IS_ADMIN=false # Allow any accounts to request the API as an administrator
 APP_ADMINS_MANAGE_MULTI_DOMAINS=false # Allow admins to handle all the accounts in the database
 APP_DANGEROUS_ENDPOINTS=false # Enable some dangerous endpoints used for XMLRPC like fallback usage
 

flexiapi/app/Http/Middleware/AuthenticateAdmin.php

@@ -19,7 +19,7 @@ class AuthenticateAdmin
             return redirect()->route('account.login');
         }
 
-        if (!$request->user()->isAdmin() && !config('app.everyone_is_admin')) {
+        if (!$request->user()->isAdmin()) {
             return abort(403, 'Unauthorized area');
         }
 

flexiapi/config/app.php

@@ -54,13 +54,6 @@ return [
      */
     'realm' => env('ACCOUNT_REALM', null),
 
-    /**
-     * Allow any accounts to request the API as an administrator
-     * This parameter is only the for debug purpose or running the tests
-     * DO NOT ENABLE IT IN PRODUCTION
-     */
-    'everyone_is_admin' => env('APP_EVERYONE_IS_ADMIN', false),
-
     /**
      * Allow admins to handle all the accounts in the database
      * ENABLE IT AT YOUR OWN RISKS IN PRODUCTION

flexiapi/tests/Feature/AccountApiTest.php

@@ -52,15 +52,6 @@ class AccountApiTest extends TestCase
                           ->json($this->method, $this->route);
 
         $response1->assertStatus(403);
-
-        config()->set('app.everyone_is_admin', true);
-
-        $password = Password::factory()->create();
-        $response0 = $this->generateFirstResponse($password);
-        $response1 = $this->generateSecondResponse($password, $response0)
-                          ->json($this->method, $this->route);
-
-        $response1->assertStatus(422);
     }
 
     public function testAdminOk()