
How to protect a route with middleware in laravel?


I have a problem with my middleware. When I log in as admin, it works fine and redirects to /Admin/home, the same as Operator (I have 2 users, Admin & Operator). The problem is when I hit a URL such as /Operator/home with the Admin role: it can access it. And that's the problem.

I have created a new middleware CheckMiddleware and registered it in the kernel's $routeMiddleware array as checkMiddleware:

public function handle($request, Closure $next)
{
    $user = $request->user();

    if ($user) {
        // Both roles are let through here, regardless of which prefix was requested
        if ($user->isAdmin()) {
            return $next($request);
        } elseif ($user->isOperator()) {
            return $next($request);
        }
    }

    return dd('Forbidden page. you have to login as admin/operator');
}

In the routes file:

Route::group(['prefix'=>'Admin' ,'middleware' => 'checkMiddleware'], function() {
    Route::get('/home', 'HomeController@index')->name('homeAdmin');
});

Route::group(['prefix'=>'Operator' ,'middleware' => 'checkMiddleware'], function() {
    Route::get('/home', 'HomeController@index')->name('homeAdmin');
});

Auth::routes();

In the User model:

public function isAdmin()
{
    if ($this->role_id === 1) {
        return true;
    }

    return false;
}

public function isOperator()
{
    if ($this->role_id === 2) {
        return true;
    }

    return false;
}

What I want is: Admin cannot access Operator and Operator cannot access Admin. If this is not clear, tell me what file you want to see.


Solution

  • The problem is that if the user is an admin the request is accepted, and if the user is an operator the request is also accepted. That is this code below:

    if ($user->isAdmin()) {
        return $next($request);
    } elseif ($user->isOperator()) {
        return $next($request);
    }
    

    For a simple solution, just create two middleware, one for admin and one for operator. Then apply the admin middleware to the route (group) that needs the admin role, and the operator middleware to the route (group) that needs the operator role.

    If you have some route that both the admin and operator roles may access, just add both middleware to that route.

    UPDATE: If you want to use one middleware, do it like this:

    // Group prefixes are declared as 'Admin' and 'Operator' above, so compare against
    // those exact values; trim() removes the leading slash some Laravel versions keep.
    $prefix = trim($request->route()->getPrefix(), '/');

    if ($user->isAdmin() && $prefix == 'Admin') {
        return $next($request);
    }
    if ($user->isOperator() && $prefix == 'Operator') {
        return $next($request);
    }
    return abort(401); // OR SOME ROUTE YOU WANT
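
As an added example, not code from the question or the answer above, here is one way to build the single-middleware variant so that each route-group prefix is tied to exactly one role and any prefix missing from the map is denied by default; the class name CheckRolePrefix, the PREFIX_ROLE map and the redirect to the login route are assumptions.

```php
<?php
// Added example: one middleware that ties each route-group prefix to the
// role allowed to use it and denies every other prefix by default.
// Class name and map name are assumptions, not from the page.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class CheckRolePrefix
{
    // Route prefix as declared in routes/web.php => User method that must return true.
    // A prefix missing from this map is denied, so a newly added group stays
    // closed until someone decides which role may use it.
    private const PREFIX_ROLE = [
        'Admin'    => 'isAdmin',
        'Operator' => 'isOperator',
    ];

    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();
        if (! $user) {
            // Guest: send to the login page instead of a bare error response.
            return redirect()->route('login');
        }

        // getPrefix() may include a leading slash depending on the Laravel
        // version, so strip it before the lookup.
        $prefix = trim((string) $request->route()->getPrefix(), '/');
        $check  = self::PREFIX_ROLE[$prefix] ?? null;

        if ($check !== null && $user->{$check}()) {
            return $next($request);
        }

        // Logged in but wrong role: 403 (forbidden), not 401 (unauthenticated).
        abort(403);
    }
}
```

Register the class under an alias in $routeMiddleware and attach it, together with auth, to both the Admin and the Operator groups; because the check keys on the declared prefix, one alias serves every group.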