namespace BookStack\Http\Middleware;
+use BookStack\Exceptions\ApiAuthException;
use BookStack\Exceptions\UnauthorizedException;
use Closure;
use Illuminate\Http\Request;
{
// Return if the user is already found to be signed in via session-based auth.
// This is to make it easy to browser the API via browser after just logging into the system.
- if (signedInUser()) {
+ if (signedInUser() || session()->isStarted()) {
$this->ensureEmailConfirmedIfRequested();
+ if (!user()->can('access-api')) {
+ throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
+ }
return;
}