Tags: laravel, authentication, roles, laravel-middleware, cartalyst-sentinel

Laravel and Sentinel: mix roles middleware for authorization


I'm a Laravel newbie (VERY newbie) using Cartalyst Sentinel on Laravel 5.2 to leverage roles authorizations.

On the admin section I have three (or more) roles, i.e. "admin", "agent" and "writer".

I also have some sections that should have mixed roles access, i.e. like this:

  • dashboard (accessible to all roles: admin, agent, writer)
  • users (accessible to: admin)
  • orders (accessible to: admin, agent)
  • pages (accessible to: admin, writer)
  • no_admin_here (accessible to: agent, writer)

At the moment I've managed to make it work with only two roles, but now I am stuck.

What I've done so far (I put only the necessary code):

routes.php

// only authenticated users can access these pages
Route::group(['prefix' => 'admin', 'as' => 'admin.', 'middleware' => ['check']], function(){

    // these pages are accessible to all roles
    Route::get('dashboard', ['as' => 'dashboard', function(){
        return view('admin/dashboard');
    }]);

    // only admin can access this section
    Route::group(['middleware' => 'admin'], function(){

        Route::get('users', function(){
            return view('admin/users');
        });

    });

});

SentinelCheck Middleware (named 'check' in Kernel.php)

// inside handle($request, Closure $next) of app/Http/Middleware/SentinelCheck.php
if (!Sentinel::check()) { // user is not authenticated
    return redirect()->route('admin.login')->with('error', 'You must be logged in to view the page');
}
if (Sentinel::inRole('customer')) { // user is authenticated but he is a customer
    return redirect()->route('admin.login')->with('error', 'You are a customer and cannot access the backend section');
}
return $next($request); // otherwise let the request through

SentinelAdmin Middleware (named 'admin' in Kernel.php)

// inside handle($request, Closure $next) of app/Http/Middleware/SentinelAdmin.php
if (!Sentinel::inRole('admin')) { // user is authenticated but he is not an admin
    return redirect()->route('admin.login')->with('error', 'You are not an admin and cannot view the requested section');
}
return $next($request); // otherwise let the request through

SentinelAgent Middleware (named 'agent' in Kernel.php)

// inside handle($request, Closure $next) of app/Http/Middleware/SentinelAgent.php
if (!Sentinel::inRole('agent')) { // user is authenticated but he is not an agent
    return redirect()->route('admin.login')->with('error', 'You are not an agent and cannot view the requested section');
}
return $next($request); // otherwise let the request through

So far so good, as I said, but things mess up when I try to mix roles; i.e. I can't write a route like this:

// only admin and agent can access this section
Route::group(['middleware' => ['admin', 'agent']], function(){

    Route::get('orders', function(){
        return view('admin/orders');
    });

});

because "agent" will never reach the section, since the "admin" middleware will block him and log him out. And, likewise, I can't do any other role mix:

['middleware' => ['admin', 'writer']]
['middleware' => ['agent', 'writer']]
['middleware' => ['admin', 'writer', 'whatever_else_role']]

etc..

So, is there an (easy) way in which I can mix role access to sections? Thanks in advance for your help


Solution

  • It was easier than I expected using middleware parameters
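A worked version of that approach, added here as an example rather than code taken from the question or the answer: a single middleware receives the allowed roles as middleware parameters (`role:admin,agent`), so every section in the list above becomes one route group with an explicit allow-list of role slugs. The class name `SentinelRole`, the alias `role` and the file layout are assumptions; `Sentinel::check()` and `Sentinel::inRole()` are the calls already used in the question.

```php
<?php
// ---- app/Http/Middleware/SentinelRole.php (hypothetical file and class name) ----
namespace App\Http\Middleware;

use Closure;
use Sentinel;

class SentinelRole
{
    /**
     * Let the request through if the logged-in user holds ANY of the roles
     * passed as middleware parameters, e.g. 'role:admin,agent'.
     * Laravel splits the comma-separated list and calls
     * handle($request, $next, 'admin', 'agent'), so the variadic
     * parameter collects them (PHP 5.6+).
     */
    public function handle($request, Closure $next, ...$roles)
    {
        // An unauthenticated request never reaches the role comparison.
        if (!Sentinel::check()) {
            return redirect()->route('admin.login')
                ->with('error', 'You must be logged in to view this page');
        }

        foreach ($roles as $role) {
            // trim() tolerates 'role:admin, agent'; Sentinel matches on the role slug
            if (Sentinel::inRole(trim($role))) {
                return $next($request);
            }
        }

        // Default-deny: authenticated but in none of the listed roles (or no roles
        // listed at all). Refuse with 403 instead of bouncing to the login page,
        // which would loop for a user who is already logged in.
        abort(403, 'Your role does not allow access to this section');
    }
}

// ---- app/Http/Kernel.php (fragment, separate file) ----
// protected $routeMiddleware = [
//     'check' => \App\Http\Middleware\SentinelCheck::class,
//     'role'  => \App\Http\Middleware\SentinelRole::class,
// ];

// ---- routes.php (separate file) ----
Route::group(['prefix' => 'admin', 'as' => 'admin.', 'middleware' => ['check']], function () {

    // dashboard: list every backend role explicitly instead of relying on 'check' alone
    Route::get('dashboard', ['as' => 'dashboard', 'middleware' => 'role:admin,agent,writer', function () {
        return view('admin/dashboard');
    }]);

    // users: admin only
    Route::group(['middleware' => 'role:admin'], function () {
        Route::get('users', function () { return view('admin/users'); });
    });

    // orders: admin or agent
    Route::group(['middleware' => 'role:admin,agent'], function () {
        Route::get('orders', function () { return view('admin/orders'); });
    });

    // pages: admin or writer
    Route::group(['middleware' => 'role:admin,writer'], function () {
        Route::get('pages', function () { return view('admin/pages'); });
    });

    // no_admin_here: agent or writer
    Route::group(['middleware' => 'role:agent,writer'], function () {
        Route::get('no_admin_here', function () { return view('admin/no_admin_here'); });
    });

});
```

Two things worth checking when adopting this. First, because the middleware is an allow-list, an account that is authenticated but carries none of the listed roles (for example a user created before roles were assigned) gets a 403 rather than silently passing, which is the behaviour you want for a backend; the `check` middleware's customer blocklist can stay, but it is no longer what keeps customers out of individual sections. Second, on PHP 5.5 (the minimum for Laravel 5.2) replace the variadic parameter with `$roles = array_slice(func_get_args(), 2);` inside `handle()`.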