1
votes

I'm trying to set up middleware to my laravel blog and I have a problem with following situation. I want to allow access to certain routes but only to specific users (not roles). For example... 'index', 'create', 'store' and 'show' routes are available for everyone with admin, globalmod or moderator role. To 'destroy' route can access only admin.

Problem is with 'edit' and 'update' routes. To these routes I want to give access only to 'admin' users and to user who created that blog post.

This code is working propertly for roles but I don't know how to set it up for specific user.

App\User.php

<?php

namespace App;

use Illuminate\Notifications\Notifiable;
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable {

    use Notifiable;

    protected $fillable = [
        'name', 'email', 'password',
    ];

    protected $hidden = [
        'password', 'remember_token',
    ];

    public function roles() {
      return $this->belongsToMany('App\Role');
    }

    public function authorizeRoles($roles) {
      if (is_array($roles)) {
          return $this->hasAnyRole($roles) || 
                 abort(401, 'This action is unauthorized.');
      }
      return $this->hasRole($roles) || 
             abort(401, 'This action is unauthorized.');
    }

    public function hasAnyRole($roles) {
      return null !== $this->roles()->whereIn('slug', $roles)->first();
    }

    public function hasRole($role) {
      return null !== $this->roles()->where('slug', $role)->first();
    }
}

App\Http\Middleware\RolesMiddleware.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class RolesMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next, ... $roles) {

        if(!Auth::check()) {
            return redirect()->route('login')->with('attention', 'You have no access');
        }

        $user = Auth::user();

        foreach($roles as $role) {
            if($user->hasRole($role)) {
                return $next($request);
            }
        }
        return redirect()->back()->with('attention', 'You have no access');

    }
}

App\Http\Kernel.php

protected $routeMiddleware = [
        ...
        'role' => \App\Http\Middleware\RolesMiddleware::class,
    ];

App\Http\Controllers\BlogController.php

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use App\Blog;

class BlogsController extends Controller
{

    public function __construct() {
        $this->middleware('role:admin', array('only' => 'destroy'));
        $this->middleware('role:admin,globalmod,moderator', array('only' => array('index', 'create', 'store', 'show')));
    }

    public function index() {
        ...
    }

    public function create() {
        ...
    }

    public function store(Request $request) {
        ...
    }

    public function show($id) {
        ...
    }

    public function edit($id) {
        ...
    }

    public function update(Request $request, $id) {
        ...
    }

    public function destroy($id) {
        ...
    }
}

For example, I need something like this

$this->middleware('role:admin OR $blog->author_id == Auth::user()->id',
array('only' => 'edit', 'update'));
2
I would use policies for this situation.DigitalDrifter

2 Answers

0
votes

Look at https://laravel.com/docs/5.6/authorization#gates you can define rules/policies for you model.

It can be achieved by custom middleware but Laravel policies and gates is way to go.

0
votes

try something like this

Route::group(['middleware' => ['role:Admin']], function () {

     //define routes here... Ex. below 
    Route::get('/', 'HomeController@index');
    /* for application to get sale price */


}