I have Laravel 5.6 installed.
I would like to give Demo account to a user, which cannot INSERT or UPDATE anything but view everything.
I don't have a group of roles in my system. I just want to hardcode the user id in somewhere and restrict these actions.
I googled and found a lot of different approaches ( https://laracasts.com/discuss/channels/laravel/protecting-route-for-specific-user ) , which is far more than what I need. I just simply want to restrict this functions to specific users in all website.
Domain | Method | URI | Name | Action | Middleware |
+--------+-----------+-------------------------------------------------------+---------------------------------+------------------------------------------------------------------------------------+--------------------------------------------------+
| | GET|HEAD | / | | Closure | web |
| | GET|HEAD | _debugbar/assets/javascript | debugbar.assets.js | Barryvdh\Debugbar\Controllers\AssetController@js | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | _debugbar/assets/stylesheets | debugbar.assets.css | Barryvdh\Debugbar\Controllers\AssetController@css | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | DELETE | _debugbar/cache/{key}/{tags?} | debugbar.cache.delete | Barryvdh\Debugbar\Controllers\CacheController@delete | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | _debugbar/clockwork/{id} | debugbar.clockwork | Barryvdh\Debugbar\Controllers\OpenHandlerController@clockwork | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | _debugbar/open | debugbar.openhandler | Barryvdh\Debugbar\Controllers\OpenHandlerController@handle | Barryvdh\Debugbar\Middleware\DebugbarEnabled |
| | GET|HEAD | api/user | | Closure | api,auth:api |
| | GET|HEAD | giris | | Closure | web |
| | GET|HEAD | horizon/api/jobs/failed | horizon.failed-jobs.index | Laravel\Horizon\Http\Controllers\FailedJobsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/jobs/failed/{id} | horizon.failed-jobs.show | Laravel\Horizon\Http\Controllers\FailedJobsController@show | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/jobs/recent | horizon.recent-jobs.index | Laravel\Horizon\Http\Controllers\RecentJobsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | POST | horizon/api/jobs/retry/{id} | horizon.retry-jobs.show | Laravel\Horizon\Http\Controllers\RetryController@store | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/masters | horizon.masters.index | Laravel\Horizon\Http\Controllers\MasterSupervisorController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/jobs | horizon.jobs-metrics.index | Laravel\Horizon\Http\Controllers\JobMetricsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/jobs/{id} | horizon.jobs-metrics.show | Laravel\Horizon\Http\Controllers\JobMetricsController@show | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/queues | horizon.queues-metrics.index | Laravel\Horizon\Http\Controllers\QueueMetricsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/metrics/queues/{id} | horizon.queues-metrics.show | Laravel\Horizon\Http\Controllers\QueueMetricsController@show | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | POST | horizon/api/monitoring | horizon.monitoring.store | Laravel\Horizon\Http\Controllers\MonitoringController@store | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/monitoring | horizon.monitoring.index | Laravel\Horizon\Http\Controllers\MonitoringController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/monitoring/{tag} | horizon.monitoring-tag.paginate | Laravel\Horizon\Http\Controllers\MonitoringController@paginate | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | DELETE | horizon/api/monitoring/{tag} | horizon.monitoring-tag.destroy | Laravel\Horizon\Http\Controllers\MonitoringController@destroy | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/stats | horizon.stats.index | Laravel\Horizon\Http\Controllers\DashboardStatsController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/api/workload | horizon.workload.index | Laravel\Horizon\Http\Controllers\WorkloadController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
| | GET|HEAD | horizon/{view?} | horizon.index | Laravel\Horizon\Http\Controllers\HomeController@index | web,Laravel\Horizon\Http\Middleware\Authenticate |
Quickest way will be to create a simple middleware where you abort if it's that specific user.
To create the middleware you can use the artisan command make:middleware
php artisan make:middleware LimitUserIdX
In the newly created file (app/Http/Middleware/LimitUserIdX.php) you can just check if the authentify user id is X and if so, abort with error code 403 (permission denied), like this:
public function handle($request, Closure $next)
{
$userId = Auth::id();
if($userId == 5) {
abort(403);
}
return $next($request);
}
change the 5 to the user you want to limit.
Edit: I've missed understood the question, this is a correction.
You should add the newly created middleware to Laravel global middlewares list. Just go to App/Http/Kernel.php and add the class to the $middleware var. This will make Laravel run your middleware on all HTTP requests to your application (without the need to add it to each and every route definition).
Then, you will also want to edit the middleware itself to check for the requested method before aborting, like this:
public function handle($request, Closure $next)
{
$userId = Auth::id();
if(request()->method() != "GET" && request()->method() != "HEAD" && $userId == 5) {
abort(403);
}
return $next($request);
}