Reputation: 5732
I have 2 user roles, which are superadmin and admin.
I don't want admin to access the Settings page.
I am not sure if this is the proper way.
So, here's my SettingsController.php:
    class SettingsController extends Controller {
        public function index() {
            if (Auth::user()->roles == 0) {
                return redirect(url()->previous());
            } else {
                return view('settings.index');
            }
        }
    }
As you can see, if the roles is 0, I redirect the user to the last page they're in. I also tried to use return back();
web.php (routes)
    <?php
    Route::get('/', ['uses' => 'UsersController@index']);
    Route::post('login', ['uses' => 'UsersController@login']);
    Route::group(['middleware' => ['auth']], function() {
        Route::get('logout', ['uses' => 'UsersController@destroy']);
        Route::get('upline', ['uses' => 'UplinesController@index']);
        Route::get('upline/create', ['uses' => 'UplinesController@create']);
        Route::post('upline', ['uses' => 'UplinesController@store']);
        Route::delete('upline/destroy/{id}', ['uses' => 'UplinesController@destroy']);
        Route::put('upline/update/{id}', ['uses' => 'UplinesController@update']);
        Route::get('upline/getdownlines/{id}', ['uses' => 'UplinesController@getDownlines']);
        Route::get('downline', ['uses' => 'DownlinesController@index']);
        Route::post('downline', ['uses' => 'DownlinesController@store']);
        Route::delete('downline/destroy/{id}', ['uses' => 'DownlinesController@destroy']);
        Route::put('downline/update/{id}', ['uses' => 'DownlinesController@update']);
        Route::get('bonus', ['uses' => 'BonusController@index']);
        Route::post('bonus/csv', ['uses' => 'BonusController@fileUpload']);
        Route::get('settings', ['uses' => 'SettingsController@index']);
    });
I have a 2nd question. Can I limit admin using middleware? If yes, how?
Any help would be appreciated.
Upvotes: 0
Views: 2235
Reputation: 8385
As @michael's answer suggests, use middleware; his answer fails to demonstrate how to do it (mine too, I just added more text).
Note: Laravel is big because of its documentation, USE IT!
You have 2 (or more) options:
Note: use artisan to generate middleware from stubs:
    $ php artisan make:middleware MyNewShinyMiddleware
Head to documentation and check out this.
Example shows exactly your problem.
    public function handle($request, Closure $next, $role)
    {
        if (! $request->user()->hasRole($role)) { // implement hasRole in User Model
            // Redirect...
            // (use named routes to redirect or do 401 (unauthorized) because that's what is going on!)
            // abort(401) // create view in /views/errors/401.blade.php
            // return redirect()->route('home');
        }
        // success, user has role $role, do nothing here, just go to another "onion" layer
        return $next($request);
    }
Simply create two middlewares and hardcode your checking routine of roles (same as you do in your controller sample), except use $request->user()
...
(routes) web.php
    Route::group(['middleware' => 'role:admin'], function () { /* ... */ }); // parametrized
    Route::group(['middleware' => 'checkRoleAdmin'], function () { /* ... */ });
    Route::group(['middleware' => 'checkRoleSuper'], function () { /* ... */ });
Note: role, checkRoleAdmin and checkRoleSuper are "named" middlewares and you need to register them in kernel.php
Another way is to use gates or policies, which make the best sense, since you are trying to limit user. Read more here.
I use middleware based ACL for really simple projects (like one admin and no real users).
I use gates based ACL for medium projects (1-2 roles).
I use policies based ACL for "huge" projects (many roles, many users).
Also consider looking at https://github.com/Zizaco/entrust
Upvotes: 1
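An added example, not part of the answer above and not Laravel's own code: one way the parametrized `role` middleware could be written for the question's integer `roles` column, denying access unless the stored role is explicitly allowed. The class name `RequireRole`, the role map (0 = admin comes from the question; 1 = superadmin is constructed) and the Laravel 5.x-style `$routeMiddleware` registration are assumptions.

```php
<?php
// app/Http/Middleware/RequireRole.php (hypothetical class name, added example)
//
// Register (assumes a Laravel 5.x-style app/Http/Kernel.php), in $routeMiddleware:
//     'role' => \App\Http\Middleware\RequireRole::class,
// Use in routes/web.php, nested inside the existing 'auth' group:
//     Route::group(['middleware' => 'role:superadmin'], function () {
//         Route::get('settings', ['uses' => 'SettingsController@index']);
//     });

namespace App\Http\Middleware;

use Closure;

class RequireRole
{
    // Assumption: users.roles is an integer column. 0 = admin comes from the
    // question's controller; 1 = superadmin is a constructed value.
    const ROLES = ['admin' => 0, 'superadmin' => 1];

    public function handle($request, Closure $next, ...$allowed)
    {
        $user = $request->user();
        if ($user === null) {
            abort(401); // not logged in (route was used outside the 'auth' group)
        }

        // Translate role names from the route definition into stored values.
        // A misspelled or unknown name adds nothing, so it can never grant access.
        $allowedValues = [];
        foreach ($allowed as $name) {
            if (array_key_exists($name, self::ROLES)) {
                $allowedValues[] = self::ROLES[$name];
            }
        }

        // Some database drivers return integers as strings, and a NULL column
        // must not be read as 0 (admin), so validate before comparing.
        $role = filter_var($user->roles, FILTER_VALIDATE_INT);
        if ($role === false || ! in_array($role, $allowedValues, true)) {
            abort(403); // logged in, but this role is not on the allow-list
        }

        return $next($request);
    }
}
```

Because the check runs in the route layer, the role test in `SettingsController@index` is no longer the only thing standing between an admin and the settings page.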
Reputation: 1165
Maybe the second option, "Limiting admin with middleware". So you can try something like:
    Route::group(['prefix' => 'admin', 'middleware' => 'auth'], function () {
        Route::get('/', 'DownlinesController@update');
    });
Then
    Route::group(['prefix' => 'super', 'middleware' => 'auth'], function () {
        Route::get('/', 'UplinesController@index');
    });
Upvotes: 1