I'm trying to create Admin route restriction for my log-in users.
I've tried a check to see if my user is log-in
, and also if the user type is Admin
, and if they are, I want to allow them access to the admin route, otherwise, respond a 404.
<!-- Route group -->
$router->group(['middleware' => 'auth'], function() {
<!-- No Restriction -->
Route::get('dashboard','WelcomeController@index');
<!-- Admin Only -->
if(Auth::check()){
if ( Auth::user()->type == "Admin" ){
//Report
Route::get('report','ReportController@index');
Route::get('report/create', array('as'=>'report.create', 'uses'=>'ReportController@create'));
Route::post('report/store','ReportController@store');
Route::get('report/{id}', array('before' =>'profile', 'uses'=>'ReportController@show'));
Route::get('report/{id}/edit', 'ReportController@edit');
Route::put('report/{id}/update', array('as'=>'report.update', 'uses'=>'ReportController@update'));
Route::delete('report/{id}/destroy',array('as'=>'report.destroy', 'uses'=>'ReportController@destroy'));
}
}
});
It's not working as I intended. It throws 404 error - even for Admin users.
You can use Middleware for this simple case.
php artisan make:middleware AdminMiddleware
namespace App\Http\Middleware;
use App\Article;
use Closure;
use Illuminate\Contracts\Auth\Guard;
class AdminMiddleware
{
/**
* The Guard implementation.
*
* @var Guard
*/
protected $auth;
/**
* Create a new filter instance.
*
* @param Guard $auth
* @return void
*/
public function __construct(Guard $auth)
{
$this->auth = $auth;
}
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
if ($this->auth->getUser()->type !== "admin") {
abort(403, 'Unauthorized action.');
}
return $next($request);
}
}
app\Http\Kernel.php
:protected $routeMiddleware = [
'admin' => 'App\Http\Middleware\AdminMiddleware',
];
Route::group(['middleware' => ['auth', 'admin']], function() {
// your routes
});
This answer is about why your code doesn't work as expected. @limonte 's solution is correct and the best I can think of.
Your routes file is parsed to get your routes, and after that, those routes might be cached somewhere else.
Thus you shouldn't put any code that depends on the request (eg checking whether a User has sufficient rights to access a route).
In particular, you shouldn't use the following request dependent modules inside your routes.php (not exhaustive) :
Auth
DB
or any kind of db queries that might depend on timeSession
Request
You should view your routes.php as part of your config, it just happens that it is written in php directly instead of some new language you have to learn.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With