Wire admin studio SSR and search infrastructure

app/Http/Middleware/EnsureStaffAccess.php

@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class EnsureStaffAccess
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $user = $request->user();
+
+        if (! $user || ! $user->hasStaffAccess()) {
+            if ($request->expectsJson() || $request->header('X-Inertia')) {
+                abort(Response::HTTP_FORBIDDEN, 'Forbidden.');
+            }
+
+            return redirect()->route('home')->with('error', 'You do not have access to this area.');
+        }
+
+        return $next($request);
+    }
+}

app/Http/Middleware/HandleInertiaRequests.php

@@ -5,6 +5,8 @@ declare(strict_types=1);
 namespace App\Http\Middleware;
 
 use App\Services\GroupService;
+use App\Support\AvatarUrl;
+use Closure;
 use Illuminate\Http\Request;
 use Inertia\Middleware;
 
@@ -30,6 +32,10 @@ final class HandleInertiaRequests extends Middleware
             return 'leaderboard';
         }
 
+        if (str_starts_with($request->path(), 'admin') || str_starts_with($request->path(), 'moderation')) {
+            return 'admin';
+        }
+
         if (str_starts_with($request->path(), 'studio')) {
             return 'studio';
         }
@@ -57,6 +63,11 @@ final class HandleInertiaRequests extends Middleware
             return 'feed.hashtag';
         }
 
+        // Forum pages
+        if (str_starts_with($request->path(), 'forum')) {
+            return 'forum';
+        }
+
         return $this->rootView;
     }
 
@@ -65,6 +76,20 @@ final class HandleInertiaRequests extends Middleware
         return parent::version($request);
     }
 
+    public function handle(Request $request, Closure $next): mixed
+    {
+        $response = parent::handle($request, $next);
+
+        // Prevent browsers from caching authenticated full-page SSR responses.
+        // Without this, a hard reload can replay stale SSR HTML from the browser
+        // cache instead of fetching fresh data from the server.
+        if ($request->user() !== null) {
+            $response->headers->set('Cache-Control', 'no-store, private');
+        }
+
+        return $response;
+    }
+
     public function share(Request $request): array
     {
         $canReadSessionAuth = $this->canReadSessionAuth($request);
@@ -75,7 +100,11 @@ final class HandleInertiaRequests extends Middleware
                 'user' => $user ? [
                     'id' => $user->id,
                     'name' => $user->name,
+                    'avatar_url' => $user->profile?->avatar_url ?: AvatarUrl::forUser((int) $user->id, $user->profile?->avatar_hash, 64),
                     'is_admin' => $user->isAdmin(),
+                    'is_manager' => $user->isManager(),
+                    'is_editorial' => $user->isEditorial(),
+                    'is_staff' => $user->hasStaffAccess(),
                     'is_moderator' => $user->isModerator(),
                 ] : null,
             ],

app/Http/Middleware/VerifyCsrfToken.php

@@ -14,6 +14,7 @@ class VerifyCsrfToken extends Middleware
     protected $except = [
         'chat_post',
         'chat_post/*',
+        'api/art/*/view',
         // Apple Sign In removed — no special CSRF exception required
     ];
 }