Restrict route access to non-admin users

Tiffany Soun picture Tiffany Soun · Jun 4, 2015 · Viewed 11.7k times · Source

Goal

I'm trying to create Admin route restriction for my log-in users. I've tried a check to see if my user is log-in, and also if the user type is Admin, and if they are, I want to allow them access to the admin route, otherwise, respond a 404.


routes.php

<!-- Route group -->
$router->group(['middleware' => 'auth'], function() {

    
    <!-- No Restriction -->
    Route::get('dashboard','WelcomeController@index');
   
    <!-- Admin Only -->
    if(Auth::check()){
        if ( Auth::user()->type == "Admin" ){

            //Report
            Route::get('report','ReportController@index');
            Route::get('report/create', array('as'=>'report.create', 'uses'=>'ReportController@create'));
            Route::post('report/store','ReportController@store');
            Route::get('report/{id}', array('before' =>'profile', 'uses'=>'ReportController@show'));
            Route::get('report/{id}/edit', 'ReportController@edit');
            Route::put('report/{id}/update', array('as'=>'report.update', 'uses'=>'ReportController@update'));
            Route::delete('report/{id}/destroy',array('as'=>'report.destroy', 'uses'=>'ReportController@destroy'));

        }
    }

});

Result

It's not working as I intended. It throws 404 error - even for Admin users.

Answer

Limon Monte picture Limon Monte · Jun 4, 2015

You can use Middleware for this simple case.

  1. Create middleware:
php artisan make:middleware AdminMiddleware
namespace App\Http\Middleware;

use App\Article;
use Closure;
use Illuminate\Contracts\Auth\Guard;

class AdminMiddleware
{
    /**
     * The Guard implementation.
     *
     * @var Guard
     */
    protected $auth;

    /**
     * Create a new filter instance.
     *
     * @param  Guard  $auth
     * @return void
     */
    public function __construct(Guard $auth)
    {
        $this->auth = $auth;
    }

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if ($this->auth->getUser()->type !== "admin") {
            abort(403, 'Unauthorized action.');
        }

        return $next($request);
    }
}
  1. Add it to app\Http\Kernel.php:
protected $routeMiddleware = [
    'admin' => 'App\Http\Middleware\AdminMiddleware',
];
  1. Use middleware in your routes:
Route::group(['middleware' => ['auth', 'admin']], function() {
    // your routes
});