Simon Müller

Reputation: 451

Slim POST method redirect does not work with Slim middleware

Hey guys, I got some problems with the Slim middleware.

I created a middleware that checks if the user is logged in with Facebook and has a specific email address. So now when I call the URL with the PHPStorm RESTful test tool I should not be able to post data to the server... But the redirect does not work, so I am still able to send data to the server.

/**
 * Admin Middleware
 *
 * Executed before /admin/ route
 */
$adminPageMiddleware = function ($request, $response, $next) {
    FBLoginCtrl::getInstance();
    $user = isset($_SESSION['user']) ? $_SESSION['user'] : new User();
    if (!($user->getEmail() == ADMIN_USER_EMAIL)) {
        // Sets the redirect on $response but does not return, so execution continues below
        $response = $response->withRedirect($this->router->pathFor('login'), 403);
    }
    // Reached for every request, including the rejected one above
    $response = $next($request, $response);
    return $response;
};

/**
 * Milestone POST Method
 *
 * Create new Milestone
 */
$app->post('/admin/milestone', function (Request $request, Response $response) use ($app) {
    $milestones = $request->getParsedBody();
    // Accept either a single milestone object or a list of them
    $milestones = isset($milestones[0]) ? $milestones : array($milestones);
    foreach ($milestones as $milestone) {
        $ms = new Milestone();
        $msRepo = new MilestoneRepository($ms);
        $msRepo->setJsonData($milestone);
        if (!$msRepo->createMilestone()) {
            // Stream::write() returns a byte count, so return the response itself
            $response->getBody()->write("Not Okay");
            return $response;
        }
    }
    $response->getBody()->write("Okay");
    return $response;
})->add($adminPageMiddleware);

So can anyone give me a hint what the problem could be? I tried to add the same middleware to the GET route... there it works :/ Strange stuff.

Upvotes: 1

Views: 546

Answers (2)

Simon Müller

Reputation: 451

So now I ended up with this code:

class AdminRouteMiddleware
{
    public function __invoke($request, $response, $next)
    {
        FBLoginCtrl::getInstance();
        $user = isset($_SESSION['user']) ? $_SESSION['user'] : new User();
        if (!($user->getEmail() == ADMIN_USER_EMAIL)) {
            // PSR-7 request method instead of reading $_SERVER directly
            if ($request->getMethod() == "GET") {
                $response = $response->withRedirect('/login', 403);//want to use the route name instead of the url
            } else {
                // Valid JSON body plus an explicit 403, so API clients see the denial
                $response = $response->withStatus(403)->withHeader('Content-Type', 'application/json');
                $response->getBody()->write('{"error":"Access Denied"}');
            }
        } else {
            // Only the admin user reaches the route handler
            $response = $next($request, $response);
        }
        return $response;
    }
}

/**
 * Milestone POST Method
 *
 * Create new Milestone
 */
$app->post('/admin/milestone', function (Request $request, Response $response) use ($app) {
    $milestones = $request->getParsedBody();
    // Accept either a single milestone object or a list of them
    $milestones = isset($milestones[0]) ? $milestones : array($milestones);
    foreach ($milestones as $milestone) {
        $ms = new Milestone();
        $msRepo = new MilestoneRepository($ms);
        $msRepo->setJsonData($milestone);
        if (!$msRepo->createMilestone()) {
            // Stream::write() returns a byte count, so return the response itself
            $response->getBody()->write("Not Okay");
            return $response;
        }
    }
    $response->getBody()->write("Okay");
    return $response;
})->add(new AdminRouteMiddleware());

Upvotes: 0

geggleto

Reputation: 2625

The problem is in your middleware logic.

if (!($user->getEmail() == ADMIN_USER_EMAIL)) {
    return $response->withRedirect($this->router->pathFor('login'), 403); //We do not want to continue execution
}
$response = $next($request, $response);
return $response;

Upvotes: 1
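Combining the early return from this answer with the class form from the self-answer, as an added example that is not code from either answer. It assumes Slim 3, a route registered with the name 'login', and the FBLoginCtrl, User and ADMIN_USER_EMAIL from the question; the container is injected so the login route can be resolved by name rather than by hard-coded URL.

```php
<?php
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Message\ResponseInterface as Response;

/**
 * Admin gate. Both deny branches return immediately and never call $next,
 * so the protected route body cannot run for a rejected request, whatever
 * the HTTP method.
 */
class AdminRouteMiddleware
{
    private $container;

    // Slim 3 container (assumed via $app->getContainer()) to look up the router.
    public function __construct($container)
    {
        $this->container = $container;
    }

    public function __invoke(Request $request, Response $response, callable $next)
    {
        FBLoginCtrl::getInstance();
        $user = isset($_SESSION['user']) ? $_SESSION['user'] : new User();

        if ($user->getEmail() !== ADMIN_USER_EMAIL) {
            if ($request->getMethod() === 'GET') {
                // Browser navigation: redirect to the named login route.
                // Use a real 3xx status; clients do not follow a 403 as a redirect.
                $loginUrl = $this->container->get('router')->pathFor('login');
                return $response->withRedirect($loginUrl, 302);
            }
            // Non-GET (API-style) request: explicit 403 with a JSON body.
            $response->getBody()->write(json_encode(['error' => 'Access Denied']));
            return $response
                ->withStatus(403)
                ->withHeader('Content-Type', 'application/json');
        }

        // Only the admin user reaches the route handler.
        return $next($request, $response);
    }
}

// Hypothetical minimal route showing how the gate is attached.
$app->post('/admin/milestone', function (Request $request, Response $response) {
    $response->getBody()->write('Okay');
    return $response;
})->add(new AdminRouteMiddleware($app->getContainer()));
```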
