Farahnaz A

Reputation: 3

Laravel middleware multiple roles

I am going through some issues with Laravel middleware. What I want to accomplish is this: registered users have 4 roles: 1. Master Admin 2. Admin 3. Seller 4. Customer. I want my Master Admin, Admin, and Seller to have access to my CategoryController, and the customer cannot access it, but when I put middleware in my controller's constructor it only lets masteradmin access the CategoryController and returns back admin and seller users. Please advise me on how to do this.

Kernel.php $routeMiddleware:

    'checkrole' => \App\Http\Middleware\CheckRole::class,
    'admincheck' => \App\Http\Middleware\Admin::class,
    'sellercheck' => \App\Http\Middleware\Seller::class,
    'customercheck' => \App\Http\Middleware\Customer::class,
    'masteradmin' => \App\Http\Middleware\MasterAdmin::class,

http/Middleware/CheckRole

    public function handle($request, Closure $next)
    {
        if(Auth::user()->user_role == 1)
        {
            return redirect('admin');
        }
        elseif(Auth::user()->user_role == 2)
        {
            return redirect('seller');
        }
        elseif(Auth::user()->user_role == 3)
        {
            return redirect('customer');
        }
        return $next($request);
    }

http/Middleware/MasterAdmin

    public function handle($request, Closure $next)
    {
        if(Auth::user()->user_role != 0)
        {
            return back();
        }
        return $next($request);
    }

http/Middleware/Admin

    public function handle($request, Closure $next)
    {
        if(Auth::user()->user_role != 1)
        {
            return back();
        }
        return $next($request);
    }

http/Middleware/Seller

    public function handle($request, Closure $next)
    {
        if(Auth::user()->user_role != 2)
        {
            return back();
        }
        return $next($request);
    }

Http/Middleware/Customer

    public function handle($request, Closure $next)
    {
        if(Auth::user()->user_role != 3)
        {
            return back();
        }
        return $next($request);
    }

CategoryController:

    class CategoryController extends Controller
    {
        public function __construct()
        {
            $this->middleware('auth');
            $this->middleware('verified');
            $this->middleware('masteradmin');
            $this->middleware('admincheck');
            $this->middleware('sellercheck');
            // $this->authorizeResource(Category::class, 'category');
        }

        /**
         * Display a listing of the resource.
         *
         * @return \Illuminate\Http\Response
         */
        public function index()
        {
            return view('category.index');
        }
    }

HomeController

    class HomeController extends Controller
    {
        /**
         * Create a new controller instance.
         *
         * @return void
         */
        public function __construct()
        {
            $this->middleware('auth');
            $this->middleware('verified');
            $this->middleware('checkrole');
        }

        /**
         * Show the application dashboard.
         *
         * @return \Illuminate\Contracts\Support\Renderable
         */
        public function index()
        {
            return view('home');
        }
    }

It is not working right now. I want to give one or more users access to my entire controller. Please advise me on how to achieve this. Thanks in advance.

Upvotes: 0

Views: 3178

Answers (1)

Christophe Hubert

Reputation: 2951

The problem is that your adminUser will have to go through the masterAdminUser middleware, which returns `back();`. Therefore your adminUser will not have a chance to go through the admin middleware and will not be able to access the Categories.

A solution for this would be to handle your role management in a single middleware, for example, a CategoryMiddleware. This middleware will check the role and return `back();` only if not allowed.

A cleaner Laravel solution would be to use Policies, which seem very well suited to your situation - you can have a look at the documentation.

Upvotes: 1
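The single-middleware approach suggested in the answer, written out as an added example (not code from the question or the answer). The class name `RequireRole` and the `role` alias are assumptions; the role numbers are the ones used in the question's middleware, and it responds with 403 rather than `back()` so a denied request fails closed.

```php
<?php
// Added example: app/Http/Middleware/RequireRole.php (hypothetical class name).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class RequireRole
{
    /**
     * Let the request through only if the user's role is in the allow-list.
     * Role values as in the question: 0 master admin, 1 admin, 2 seller, 3 customer.
     */
    public function handle($request, Closure $next, ...$allowedRoles)
    {
        $user = Auth::user();
        $role = $user->user_role ?? null;

        // Deny by default. A missing or non-numeric role must never be
        // cast to 0, because 0 is the master admin role.
        if ($user === null || !is_numeric($role)) {
            abort(403);
        }

        // Middleware parameters arrive as strings ("0", "1", ...). Drop
        // anything that is not a plain number before converting.
        $allowed = array_map('intval', array_filter($allowedRoles, 'ctype_digit'));

        // One check against the whole list: any listed role passes.
        if (!in_array((int) $role, $allowed, true)) {
            abort(403);
        }

        return $next($request);
    }
}

// Kernel.php, $routeMiddleware (the 'role' alias is an assumption):
//     'role' => \App\Http\Middleware\RequireRole::class,
//
// CategoryController::__construct(), replacing the three stacked role checks:
//     $this->middleware('auth');
//     $this->middleware('verified');
//     $this->middleware('role:0,1,2');   // master admin, admin, seller
```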
