Only users with any form of channel access can use /viewer

app/Http/Controllers/ViewerController.php

@@ -3,12 +3,13 @@
 namespace App\Http\Controllers;
 
 use Illuminate\Http\Request;
+use App\Http\Requests\ViewerRequest;
 
 use App\Models\Trace\Message;
 
 class ViewerController extends Controller
 {
-    public function index(Request $request, string $viewerId)
+    public function index(ViewerRequest $request, string $viewerId)
     {
         // Check if viewerId is numeric
         if (!is_numeric($viewerId)) {

app/Http/Requests/ViewerRequest.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace App\Http\Requests;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+use Auth;
+
+class ViewerRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        if (Auth::check()) {
+            return false;
+        }
+
+        $user = Auth::user();
+        if ($user->is_admin) {
+            return true;
+        }
+
+        $channels = $user->getTraceChannels();
+        return $channels->isNotEmpty();
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [];
+    }
+}

app/Models/User.php

@@ -35,6 +35,7 @@ class User extends Authenticatable
      * @var array<int, string>
      */
     protected $hidden = [
+        'email',
         'remember_token',
     ];