I'm using Laravel 5.5.
I created 4 middlewares, one middleware by user role.
The admin has same rights as the employee. However, admin owns some more privileges.
Routing File:
Route::group(['prefix' => 'admin'], function() {
// EMPLOYEE AND ADMIN ROUTES
Route::group(['middleware' => ['admin', 'employe']], function() {
Route::get('showCreationSeance', 'AdministrationController@showCreationSeance');
Route::get('showAjoutCoach', 'AdministrationController@showAjoutCoach');
Route::get('showReservationClient', 'AdministrationController@showReservationClient');
Route::get('showAnnulationClient', 'AdministrationController@showAnnulationClient');
Route::post('creerSeance', 'AdministrationController@creerSeance')->name('admin/creerSeance');
Route::post('ajouterCoach', 'AdministrationController@ajouterCoach')->name('admin/ajouterCoach');
});
// ADMIN ROUTES
Route::group(['middleware' => 'admin'], function() {
Route::get('showCreationActivite', 'AdministrationController@showCreationActivite');
Route::get('showAjoutEmploye', 'AdministrationController@showAjoutEmploye');
Route::post('creerActivite', 'AdministrationController@creerActivite')->name('admin/creerActivite');
Route::post('ajouterEmploye', 'AdministrationController@ajouterEmploye')->name('admin/ajouterEmploye');
});
});
Middlewares:
class AdminMiddleware
{
public function handle($request, Closure $next)
{
$user = User::getUser(Auth::user()->id_utilisateur);
if(!$user->estAdmin()) {
throw new AuthorizationException();
}
return $next($request);
}
}
class EmployeMiddleware
{
public function handle($request, Closure $next)
{
$user = User::getUser(Auth::user()->id_utilisateur);
if(!$user->estEmploye()) {
throw new AuthorizationException();
}
return $next($request);
}
}
Methods used into middlewares:
public function estAdmin() {
$idStatutAdmin = Statut::select('id_statut')
->where('nom_statut', '=', 'ROLE_ADMIN')
->first();
return ($idStatutAdmin->id_statut == $this->id_statut) ? true : false;
}
public function estEmploye() {
$idStatutEmployee = Statut::select('id_statut')
->where('nom_statut', '=', 'ROLE_EMPLOYEE')
->first();
return ($idStatutEmployee->id_statut == $this->id_statut) ? true : false;
}
Stack Trace:
Illuminate\Foundation\Exceptions\Handler render
…/app/Exceptions/Handler.php 51
Illuminate\Auth\Access\AuthorizationException
…/app/Http/Middleware/AdminMiddleware.php 25
Illuminate\Foundation\Http\Kernel handle
…/public/index.php 55
The problem: The routes defined for admin and employee didn't work and I get an error:
Symfony \ Component \ HttpKernel \ Exception \ AccessDeniedHttpException
No message
While routes for admin only work perfectly. Can you tell me if I'm doing this correctly?
When I'm connected as an admin, it is EmployeMiddleware which throw an error. And when I'm connected as employee, it is AdminMiddleware which throw an error.
Thank's for your help!
The user has the id_statut column which can only be ROLE_ADMIN or ROLE_EMPLOYEE. Take the following example:
$roles = [
'admin' => 2,
'employee' => 1
];
$user = [
'id_statut' => 1
];
if ($user['id_statut'] == $roles['employee']) {
// User is an employee - this code will execute
}
if ($user['id_statut'] == $roles['admin']) {
// User is not an admin - this code will NOT execute
}
if ($user['id_statut'] == $roles['employee'] && $user['id_statut'] == $roles['employee']) {
// User is an employee AND an admin
// This is impossible based on your database structure as id_statut cannot be both 1 and 2
}
An easy solution would be to check if the user is an employee or higher permission in estEmploye(). For example:
public function estEmploye() {
$idStatutEmployee = Statut::select('id_statut')
->where('nom_statut', 'IN', ['ROLE_EMPLOYEE', 'ROLE_ADMIN'])
->get('id_statut');
return in_array($this->id_status, $idStatutEmployee);
}