Reputation: 195
I'm new to Laravel. I'm trying to use Zizaco/entrust (from the laravel-5 branch) in Laravel 5. Everything is working OK - attaching rules, detaching rules... but when I try to check permissions I have problems.
First I tried in routes.php, but in this place Entrust doesn't know who I am; hasRole and routeNeedsRole are not working in routes.php.
In middleware, hasRole is working but routeNeedsRole is not. I tried using a string and an array as the second parameter, same effect - abort(403) runs.
Because hasRole is working, this problem looks very strange to me.
composer dump-autoload - used, did not solve the problem
in routes.php
Entrust::hasRole('superadmin');// => false
\Entrust::routeNeedsRole('admin/dashboard', ['superadmin'], abort(403, 'Forbidden'), false); // display 403 page
in middleware
\Entrust::hasRole('superadmin'); // => true
\Entrust::routeNeedsRole('admin/dashboard', ['superadmin'], abort(403, 'Forbidden'), false); // display 403 page
My model User.php
    use Zizaco\Entrust\Traits\EntrustUserTrait;

    class User extends Model implements AuthenticatableContract, CanResetPasswordContract {
        use Authenticatable, CanResetPassword, EntrustUserTrait;
routes.php
    Route::group(['prefix' => 'admin', 'namespace' => 'Admin', 'middleware' => ['auth', 'admin']], function () {
        Route::get('dashboard', ['as' => 'dashboard', 'uses' => "DashBoardController@index"]);
    });
I also have Role and Permission models that look like the ones in the Readme file https://github.com/Zizaco/entrust/tree/laravel-5
// sorry for my English.
Upvotes: 5
Views: 5730
Reputation: 31
It was a cache issue in my case; once I cleared my application's cache, it resolved the 403 permission denied issues I had.
php artisan cache:clear
Upvotes: 0
Reputation: 5223
Update: Laravel 5.1.11 and newer now come with built-in Authorization. It is much more Laravel friendly and will always be well maintained. Use this when possible.
You are using the middleware wrong. There is a lot of Laravel 4 stuff still in the docs for Entrust so you have to be selective as to what you use from there. The middleware shouldn't be setting routeNeedsRole. Actually routeNeedsRole doesn't really fit in L5 in my opinion. Here is how I would do it:
Create a new middleware with
php artisan make:middleware AuthAdmin
Now in the newly generated app/Http/Middleware/AuthAdmin.php
    <?php namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Contracts\Auth\Guard;

    class AuthAdmin {

        protected $auth;

        public function __construct(Guard $auth) {
            $this->auth = $auth;
        }

        public function handle($request, Closure $next) {
            if ($this->auth->guest()) {
                if ($request->ajax()) {
                    return response('Unauthorized.', 401);
                } else {
                    return redirect()->guest('auth/login');
                }
            } else if (! $request->user()->hasRole('superadmin')) {
                return abort(404); //Or redirect() or whatever you want
            }
            return $next($request);
        }
    }
This will do the same thing as the auth middleware but if they are already logged in and don't have the 'superadmin' role they will get the 404.
Next we need to add the middleware to routeMiddleware. Do this in app/Http/Kernel.php:
    protected $routeMiddleware = [
        // ... existing entries
        'superadmin' => 'App\Http\Middleware\AuthAdmin',
    ];
This makes it possible to add the middleware to the controller. Now let's do that. In your controller we do this in the constructor:
    public function __construct() {
        $this->middleware('superadmin');
    }
This will add the middleware to the whole controller. You can be specific as to the routes if needed but for your case I would assume we need the whole controller protected.
Let me know if you need any more help.
Note: It would be ideal to make AuthAdmin run the 'auth' middleware first instead of copying the code but I don't know how to do that from within the middleware and we don't want to have to do middleware => ['auth', 'superadmin'] instead of just 'superadmin'. If we didn't copy the 'auth' code over we would be trying to get ->hasRole() of null which would get an error.
Upvotes: 11
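The question's call passes abort(403, 'Forbidden') as an argument, and PHP evaluates arguments before the function is entered, so a deny action that throws fires before any role check runs. The sketch below is an added example, not code from this thread or from Entrust or Laravel; abort_stub, needs_role_stub, attempt and the role lists are hypothetical, constructed stand-ins that reproduce the effect without the framework.

```php
<?php
// Added illustration: framework-free stand-ins, not Entrust's or Laravel's code.

class HttpStub extends RuntimeException {}

// Stand-in for an abort() helper: it throws as soon as it is called.
function abort_stub(int $status, string $message)
{
    throw new HttpStub($message, $status);
}

// Hypothetical "route needs role" check. $onDeny is consulted only when
// the user holds none of the required roles.
function needs_role_stub(array $userRoles, array $required, $onDeny): string
{
    if (array_intersect($required, $userRoles)) {
        return 'allowed';
    }
    return $onDeny instanceof Closure ? $onDeny() : (string) $onDeny;
}

// Runs a check and reports either its result or the HTTP error it raised.
function attempt(callable $check): string
{
    try {
        return $check();
    } catch (HttpStub $e) {
        return $e->getCode() . ' ' . $e->getMessage();
    }
}

$superadmin = ['superadmin'];   // constructed sample users
$editor     = ['editor'];

// Eager: abort_stub() runs while the argument list is being built, so
// needs_role_stub() is never entered, even for a superadmin.
echo 'eager, superadmin:    ', attempt(function () use ($superadmin) {
    return needs_role_stub($superadmin, ['superadmin'], abort_stub(403, 'Forbidden'));
}), PHP_EOL;

// Deferred: the deny action is wrapped in a closure and runs only on the
// deny path, which is the ordering the AuthAdmin middleware gets by
// checking hasRole() first and calling abort() inside the branch.
$deny = function () { abort_stub(403, 'Forbidden'); };
echo 'deferred, superadmin: ', attempt(function () use ($superadmin, $deny) {
    return needs_role_stub($superadmin, ['superadmin'], $deny);
}), PHP_EOL;
echo 'deferred, editor:     ', attempt(function () use ($editor, $deny) {
    return needs_role_stub($editor, ['superadmin'], $deny);
}), PHP_EOL;
```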