Restrict route access to non-admin users

php laravel laravel-5 laravel-routing laravel-middleware
Tiffany Soun picture Tiffany Soun · Jun 4, 2015 · Viewed 11.7k times · Source

Goal

I'm trying to create Admin route restriction for my log-in users. I've tried a check to see if my user is log-in, and also if the user type is Admin, and if they are, I want to allow them access to the admin route, otherwise, respond a 404.

routes.php

<!-- Route group -->
$router->group(['middleware' => 'auth'], function() {

    
    <!-- No Restriction -->
    Route::get('dashboard','WelcomeController@index');
   
    <!-- Admin Only -->
    if(Auth::check()){
        if ( Auth::user()->type == "Admin" ){

            //Report
            Route::get('report','ReportController@index');
            Route::get('report/create', array('as'=>'report.create', 'uses'=>'ReportController@create'));
            Route::post('report/store','ReportController@store');
            Route::get('report/{id}', array('before' =>'profile', 'uses'=>'ReportController@show'));
            Route::get('report/{id}/edit', 'ReportController@edit');
            Route::put('report/{id}/update', array('as'=>'report.update', 'uses'=>'ReportController@update'));
            Route::delete('report/{id}/destroy',array('as'=>'report.destroy', 'uses'=>'ReportController@destroy'));

        }
    }

});

Result

It's not working as I intended. It throws 404 error - even for Admin users.

Answer

Limon Monte picture Limon Monte · Jun 4, 2015

You can use Middleware for this simple case.

  1. Create middleware:
php artisan make:middleware AdminMiddleware

namespace App\Http\Middleware;

use App\Article;
use Closure;
use Illuminate\Contracts\Auth\Guard;

class AdminMiddleware
{
    /**
     * The Guard implementation.
     *
     * @var Guard
     */
    protected $auth;

    /**
     * Create a new filter instance.
     *
     * @param  Guard  $auth
     * @return void
     */
    public function __construct(Guard $auth)
    {
        $this->auth = $auth;
    }

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if ($this->auth->getUser()->type !== "admin") {
            abort(403, 'Unauthorized action.');
        }

        return $next($request);
    }
}
  1. Add it to app\Http\Kernel.php:
protected $routeMiddleware = [
    'admin' => 'App\Http\Middleware\AdminMiddleware',
];
  1. Use middleware in your routes:
Route::group(['middleware' => ['auth', 'admin']], function() {
    // your routes
});

Related questions

Laravel: How to Get Current Route Name? (v5 ... v7)

In Laravel v4 I was able to get the current route name using... Route::currentRouteName() How can I do it in Laravel v5 and Laravel v6?

Read More
Laravel 5 - redirect to HTTPS

Working on my first Laravel 5 project and not sure where or how to place logic to force HTTPS on my app. The clincher here is that there are many domains pointing to the app and only two out of three …

Read More
Laravel 5 MethodNotAllowedHttpException in RouteCollection.php line 201:

I have a number of php files in my project: admin.blade.php: this files contains the admin form. When called it show the following error: MethodNotAllowedHttpException in RouteCollection.php line 201 <h2>Please Log In To Manage</…

Read More