ChurchCRM · DawoudIO · Nov 30, 2025 · Nov 29, 2025 · Nov 29, 2025 · Nov 29, 2025
@@ -15,7 +15,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Security: User must have Manage Groups & Roles permission
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled(), 'ManageGroups');
 
 // Was the form submitted?
 if (isset($_POST['Submit']) && count($_SESSION['aPeopleCart']) > 0 && isset($_POST['EventID'])) {

@@ -10,7 +10,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Security: User must have add records permission
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isAddRecordsEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isAddRecordsEnabled(), 'AddRecords');
 
 // Was the form submitted?
 if (isset($_POST['Submit']) && count($_SESSION['aPeopleCart']) > 0) {

@@ -10,7 +10,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Security: User must have Manage Groups & Roles permission
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled(), 'ManageGroups');
 
 // Was the form submitted?
 if ((isset($_GET['groupeCreationID']) || isset($_POST['Submit'])) && count($_SESSION['aPeopleCart']) > 0) {

@@ -247,10 +247,14 @@ public static function getForgotPasswordURL(): string
         // but rather redirect users to some other password reset mechanism.
         return SystemURLs::getRootPath() . '/session/forgot-password/reset-request';
     }
-    public static function redirectHomeIfFalse(bool $hasAccess): void
+    public static function redirectHomeIfFalse(bool $hasAccess, string $missingRole = ''): void
     {
         if (!$hasAccess) {
-            RedirectUtils::redirect('v2/dashboard');
+            if ($missingRole !== '') {
+                RedirectUtils::securityRedirect($missingRole);
+            } else {
+                RedirectUtils::redirect('v2/dashboard');
+            }
         }
     }
 

@@ -11,6 +11,11 @@ protected function hasRole(): bool
 
     protected function noRoleMessage(): string
     {
-        return gettext('User must have bAddEvent permissions');
+        return gettext('User must have Add Event permission');
+    }
+
+    protected function getRoleName(): string
+    {
+        return 'AddEvent';
     }
 }
@@ -4,7 +4,7 @@
 
 class AdminRoleAuthMiddleware extends BaseAuthRoleMiddleware
 {
-    protected function hasRole()
+    protected function hasRole(): bool
     {
         return $this->user->isAdmin();
     }
@@ -13,4 +13,9 @@ protected function noRoleMessage(): string
     {
         return gettext('User must be an Admin');
     }
+
+    protected function getRoleName(): string
+    {
+        return 'Admin';
+    }
 }
@@ -3,6 +3,7 @@
 namespace ChurchCRM\Slim\Middleware\Request\Auth;
 
 use ChurchCRM\Authentication\AuthenticationManager;
+use ChurchCRM\dto\SystemURLs;
 use ChurchCRM\model\ChurchCRM\User;
 use ChurchCRM\Utils\LoggerUtils;
 use Laminas\Diactoros\Response;
@@ -28,6 +29,12 @@ public function process(Request $request, RequestHandlerInterface $handler): Res
                 'method' => $request->getMethod(),
                 'exception' => $ex->getMessage()
             ]);
+
+            // Check if this is a browser request (not API)
+            if ($this->isBrowserRequest($request)) {
+                return $this->redirectToAccessDenied('Authentication');
+            }
+
             $response = new Response();
             $errorBody = json_encode(['error' => gettext('No logged in user'), 'code' => 401]);
             $response->getBody()->write($errorBody);
@@ -42,6 +49,12 @@ public function process(Request $request, RequestHandlerInterface $handler): Res
                 'user' => $this->user->getUserName(),
                 'required_role' => $this->noRoleMessage()
             ]);
+
+            // Check if this is a browser request (not API)
+            if ($this->isBrowserRequest($request)) {
+                return $this->redirectToAccessDenied($this->getRoleName());
+            }
+
             $response = new Response();
             $errorBody = json_encode(['error' => $this->noRoleMessage(), 'code' => 403]);
             $response->getBody()->write($errorBody);
@@ -51,7 +64,59 @@ public function process(Request $request, RequestHandlerInterface $handler): Res
         return $handler->handle($request);
     }
 
+    /**
+     * Check if request is from a browser (expects HTML) vs API client (expects JSON)
+     */
+    protected function isBrowserRequest(Request $request): bool
+    {
+        $path = $request->getUri()->getPath();
+
+        // API routes should always return JSON
+        if (str_contains($path, '/api/')) {
+            return false;
+        }
+
+        // Check Accept header - browsers typically send text/html
+        $acceptHeader = $request->getHeaderLine('Accept');
+        if (!empty($acceptHeader)) {
+            // If client explicitly wants JSON, it's an API request
+            if (str_contains($acceptHeader, 'application/json') && !str_contains($acceptHeader, 'text/html')) {
+                return false;
+            }
+            // If client accepts HTML, treat as browser
+            if (str_contains($acceptHeader, 'text/html')) {
+                return true;
+            }
+        }
+
+        // Check X-Requested-With header (AJAX requests)
+        if ($request->getHeaderLine('X-Requested-With') === 'XMLHttpRequest') {
+            return false;
+        }
+
+        // Default to browser for non-API routes
+        return true;
+    }
+
+    /**
+     * Redirect to the access-denied page
+     */
+    protected function redirectToAccessDenied(string $role): ResponseInterface
+    {
+        $response = new Response();
+        $redirectUrl = SystemURLs::getRootPath() . '/v2/access-denied?role=' . urlencode($role);
+        return $response->withStatus(302)->withHeader('Location', $redirectUrl);
+    }
+
     abstract protected function hasRole();
 
-    abstract protected function noRoleMessage();
+    abstract protected function noRoleMessage(): string;
+
+    /**
+     * Get the role name for redirect (without "User must be" prefix)
+     */
+    protected function getRoleName(): string
+    {
+        return 'Admin'; // Default, subclasses should override
+    }
 }
@@ -13,4 +13,9 @@ protected function noRoleMessage(): string
     {
         return gettext('User must have Delete Records permission');
     }
+
+    protected function getRoleName(): string
+    {
+        return 'DeleteRecords';
+    }
 }
@@ -13,4 +13,9 @@ protected function noRoleMessage(): string
     {
         return gettext('User must have Edit Records permission');
     }
+
+    protected function getRoleName(): string
+    {
+        return 'EditRecords';
+    }
 }
@@ -13,4 +13,9 @@ protected function noRoleMessage(): string
     {
         return gettext('User must have Finance permission');
     }
+
+    protected function getRoleName(): string
+    {
+        return 'Finance';
+    }
 }
@@ -13,4 +13,9 @@ protected function noRoleMessage(): string
     {
         return gettext('User must have Manage Groups permission');
     }
+
+    protected function getRoleName(): string
+    {
+        return 'ManageGroups';
+    }
 }
@@ -11,6 +11,11 @@ protected function hasRole(): bool
 
     protected function noRoleMessage(): string
     {
-        return gettext('User must have MenuOptions permission');
+        return gettext('User must have Menu Options permission');
+    }
+
+    protected function getRoleName(): string
+    {
+        return 'MenuOptions';
     }
 }
@@ -34,6 +34,6 @@ public static function absoluteRedirect(string $sTargetURL): void
     public static function securityRedirect(string $missingRole): void
     {
         LoggerUtils::getAppLogger()->warning('Security Redirect Request due to Role: ' . $missingRole);
-        self::Redirect('v2/dashboard');
+        self::redirect('v2/access-denied?role=' . urlencode($missingRole));
     }
 }
@@ -11,7 +11,7 @@
 
 // Security: User must have finance permission or be the one who created this deposit
 if (!(AuthenticationManager::getCurrentUser()->isFinanceEnabled() || AuthenticationManager::getCurrentUser()->getId() === $thisDeposit->getEnteredby())) {
-    RedirectUtils::redirect('v2/dashboard');
+    RedirectUtils::securityRedirect('Finance');
 }
 
 $iDepositSlipID = 0;

@@ -8,7 +8,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Check for Create Directory user permission.
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isCreateDirectoryEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isCreateDirectoryEnabled(), 'CreateDirectory');
 
 $sPageTitle = gettext('Directory reports');
 require_once 'Include/Header.php';

@@ -30,15 +30,15 @@
 // Clean error handling: (such as somebody typing an incorrect URL ?PersonID= manually)
 if ($iFamilyID > 0) {
     if (!(AuthenticationManager::getCurrentUser()->isEditRecordsEnabled() || (AuthenticationManager::getCurrentUser()->isEditSelfEnabled() && $iFamilyID == AuthenticationManager::getCurrentUser()->getPerson()->getFamId()))) {
-        RedirectUtils::redirect('v2/dashboard');
+        RedirectUtils::securityRedirect('EditRecords');
     }
 
     $family = FamilyQuery::create()->findOneById($iFamilyID);
     if ($family === null) {
         RedirectUtils::redirect('v2/dashboard');
     }
 } elseif (!AuthenticationManager::getCurrentUser()->isAddRecordsEnabled()) {
-    RedirectUtils::redirect('v2/dashboard');
+    RedirectUtils::securityRedirect('AddRecords');
 }
 
 // Get the list of custom person fields

@@ -9,7 +9,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Security
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isFinanceEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isFinanceEnabled(), 'Finance');
 
 $sReportType = '';
 

@@ -12,7 +12,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Security: User must have Manage Groups permission
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled(), 'ManageGroups');
 
 $sPageTitle = gettext('Group Editor');
 $groupService = new GroupService();

@@ -8,7 +8,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Security: user must be allowed to edit records to use this page.
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isEditRecordsEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isEditRecordsEnabled(), 'EditRecords');
 
 $sPageTitle = gettext('Group Member Properties Editor');
 

@@ -10,7 +10,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Security: user must be allowed to edit records to use this page.
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled(), 'ManageGroups');
 
 // Get the Group from the querystring
 $iGroupID = InputUtils::legacyFilterInput($_GET['GroupID'], 'int');

@@ -9,7 +9,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Security: user must be allowed to edit records to use this page.
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled(), 'ManageGroups');
 
 // Get the Group, Property, and Action from the querystring
 $iGroupID = InputUtils::legacyFilterInput($_GET['GroupID'], 'int');

@@ -14,7 +14,7 @@
 $sPageTitle = gettext('Envelope Manager');
 
 // Security: User must have finance permission to use this form
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isFinanceEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isFinanceEnabled(), 'Finance');
 
 $iClassification = 0;
 if (isset($_POST['Classification'])) {

@@ -8,7 +8,7 @@
 use ChurchCRM\Utils\RedirectUtils;
 
 // Security: User must have Manage Groups & Roles permission
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled(), 'ManageGroups');
 
 $sPageTitle = gettext('Member Role Change');
 

@@ -10,7 +10,7 @@
 
 // Security: User must have Notes permission
 // Otherwise, re-direct them to the main menu.
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isNotesEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isNotesEnabled(), 'Notes');
 
 $sPageTitle = gettext('Note Delete Confirmation');
 

@@ -13,7 +13,7 @@
 
 // Security: User must have Notes permission
 // Otherwise, re-direct them to the main menu.
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isNotesEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isNotesEnabled(), 'Notes');
 
 $sPageTitle = gettext('Note Editor');
 

@@ -16,13 +16,13 @@
 switch ($mode) {
     case 'famroles':
     case 'classes':
-        AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isMenuOptionsEnabled());
+        AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isMenuOptionsEnabled(), 'MenuOptions');
         break;
 
     case 'grptypes':
     case 'grproles':
     case 'groupcustom':
-        AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled());
+        AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled(), 'ManageGroups');
         break;
 
     case 'custom':

@@ -21,12 +21,12 @@
 switch ($mode) {
     case 'famroles':
     case 'classes':
-        AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isMenuOptionsEnabled());
+        AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isMenuOptionsEnabled(), 'MenuOptions');
         break;
 
     case 'grptypes':
     case 'grproles':
-        AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled());
+        AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isManageGroupsEnabled(), 'ManageGroups');
         break;
 
     case 'custom':

@@ -14,7 +14,7 @@
 
 // Security: User must have Add or Edit Records permission to use this form in those manners
 // Clean error handling: (such as somebody typing an incorrect URL ?PersonID= manually)
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isDeleteRecordsEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isDeleteRecordsEnabled(), 'DeleteRecords');
 
 // Is this the second pass?
 if (isset($_POST['Delete'])) {

@@ -15,7 +15,7 @@
 
 // Security: User must have Finance permission to use this form.
 // Clean error handling: (such as somebody typing an incorrect URL ?PersonID= manually)
-AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isFinanceEnabled());
+AuthenticationManager::redirectHomeIfFalse(AuthenticationManager::getCurrentUser()->isFinanceEnabled(), 'Finance');
 
 // Is this the second pass?
 if (isset($_POST['Back'])) {