CODEWITHSUNDEEP
phplaravelroutesauthorizationroles
daino92
daino92

Reputation: 178

Simple approach of route protection based on roles Laravel 5.2

I want to protect my routes based on roles. This is what I have done but I can't seem to get it to work.

Role model:

protected $table = 'roles';

protected $fillable = array(
    'name', 'description'
);

public function users(){
    return $this->belongsToMany('App\User', 'user_role', 'role_id', 'user_id');
}

Role migration

Schema::create('roles', function (Blueprint $table) {
        $table->increments('id');
        $table->timestamps();
        $table->string('name', 40);
        $table->string('description', 255);
    });

RoletableSeeder file

Role::create([
        'id'            => 1,
        'name'          => 'Admin',
        'description'   => 'Admin User.'
    ]);
    Role::create([
        'id'            => 2,
        'name'          => 'Vendor',
        'description'   => 'Vendor User.'
    ]);
    Role::create([
        'id'            => 3,
        'name'          => 'User',
        'description'   => 'Simple User.'
    ]);

A sample route:

Route::get('/admin/dashboard', [
'uses' => 'AdminController@adminDashboard',
'as' => 'admin.dashboard',
'middleware' => ['auth', 'roles'],
'roles' => ['Admin']
]);

User model:

protected $fillable = [
    'email','username', 'password', 'confirmation_code'
];

protected $hidden = [
    'password', 'remember_token',
];

public function orders() {
    return $this->hasMany('App\Order');
}

public function roles(){
    return $this->belongsToMany('App\Role', 'user_role', 'user_id', 'role_id');
}

public function hasRole($roles){
    $this->have_role = $this->getUserRole();

    if($this->have_role->name == 'Admin') {
        return true;
    }
    if(is_array($roles)){
        foreach($roles as $need_role){
            if($this->checkIfUserHasRole($need_role)) {
                return true;
            }
        }
    } else{
        return $this->checkIfUserHasRole($roles);
    }
    return false;
}
private function getUserRole(){
    return $this->roles()->getResults();
}
private function checkIfUserHasRole($need_role){
    return (strtolower($need_role)==strtolower($this->have_role->name)) ? true : false;
}

CheckRole.php file which is inside middleware:

<?php namespace App\Http\Middleware;
use Closure;
class CheckRole{

public function handle($request, Closure $next)
{

    $roles = $this->getRequiredRoleForRoute($request->route());
    if($request->user()->hasRole($roles) || !$roles){
        return $next($request);
    }
    return response([
        'error' => [
            'code' => 'INSUFFICIENT_ROLE',
            'description' => 'You are not authorized to access this resource.'
        ]
    ], 401);
}
private function getRequiredRoleForRoute($route)
{
    $actions = $route->getAction();
    return isset($actions['roles']) ? $actions['roles'] : null;
}
}

and last I added one line to the kernel:

protected $routeMiddleware = [
    ...
    'roles'         => 'App\Http\Middleware\CheckRole',
];

Does anyone have any idea? Or a better/simpler way to do this? Thanks in advance!

Upvotes: 3

Views: 1766

Answers (2)

daino92
daino92

Reputation: 178

Well this is what I did and actually worked.

RoleTableSeeder, Role migration, Role model and the middleware register remain the same as the original post.

In CheckRole.php:

<?php
namespace App\Http\Middleware;
use Closure;

class CheckRole{

public function handle($request, Closure $next){
    if ($request->user()=== null) //for guests
        return redirect()->route('product.index');

    $actions = $request->route()->getAction();
    $roles = isset($actions['roles']) ? $actions['roles'] : null;

    if ($request->user()->hasAnyRole($roles) || !$roles) 
        return $next($request);
    return redirect()->route('product.index'); //for unauthorized users
 }
}

In User model: (the relations is exactly as the original post)

public function hasAnyRole($roles){
    if (is_array($roles)){
        foreach ($roles as $role) {
            if ($this->hasRole($role)) {
                return true;
            }
        }
    } else if ($this->hasRole($roles)) {
        return true;
    }
    return false;
}

public function hasRole($role){
    if ($this->roles()->where('name', $role)->first()){
        return true;
    }
    return false;
}

And an example of a route:

Route::get('...', [
...
'middleware' => 'roles',
'roles' => 'Admin' //or whatever you have in `RolesTableSeeder` in name column
]);

Upvotes: 0

lewis4u
lewis4u

Reputation: 15057

This was my solution and i'm not saying it's the best practice nor it's better than yours.

i have created this middleware:

<?php

namespace App\Http\Middleware;

use Closure;

class MustHaveRole
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next, $role)
    {

        if(auth()->check() && auth()->user()->active && (auth()->user()->hasRole($role) || auth()->user()->hasRole('admin')) ){

            return $next($request);

        } else {
            abort(403);
        }
    }
}

inside app/Http/Kernel.php added the last line:

protected $routeMiddleware = [
    'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
    'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
    'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
    'can' => \Illuminate\Auth\Middleware\Authorize::class,
    'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
    'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
    'role' => \App\Http\Middleware\MustHaveRole::class,
];

and inside user model created 2 methods:

// define connection with roles table
public function roles()
{
    return $this->belongsToMany(Role::class);
}

// check if user has that $role
public function hasRole($role)
{
    return $this->roles->contains('name', $role);
}

and i have a model called Role:

<?php

namespace App;

use Illuminate\Database\Eloquent\SoftDeletes;
use Illuminate\Database\Eloquent\Model;

class Role extends Model
{

    use SoftDeletes;

    public function users()
    {
        return $this->belongsToMany(User::class)->withTimestamps();
    }
}

and a seeder for that table:

<?php

use Illuminate\Database\Seeder;

class RolesTableSeeder extends Seeder
{
    /**
     * Run the database seeds.
     *
     * @return void
     */
    public function run()
    {
        // check if table roles is empty
        if(DB::table('roles')->get()->count() == 0){

            // multiple insertion
            DB::table('roles')->insert([
                ['name' => 'admin'],
                ['name' => 'agency'],
                ['name' => 'endcustomer'],
            ]);

        } else { echo "\e[31mTable is not empty, therefore NOT "; }

    }
}

and now inside my Controller constructor i can call that middleware:

class ItemsController extends Controller
{

    public function __construct() {
        $this->middleware('auth');
        $this->middleware('role:endcustomer');
    }

...

This is all done without any additional packages...just plain laravel...if you have any more questions feel free to ask.

Upvotes: 2

Related Questions