Laravel 5.4- User Roles and Permissions using Middleware
Hello Guyz, In this tutorial we will learn setting different permission to users based on their roles. We often need to allow different tasks for different users. For example- if you are having a blog and you want to add an user that can only write and read articles, he can't change themes or any other things that an admin can do. So if you are developing your website using Laravel framework then setting user roles and permissions is quite easy. You just need to set up a middleware, and protect the corresponding route using that middleware. That's it. So let's start.
User Roles and Permissions: An Example
Let's take an example of website where there is three user roles. First is admin, another is staff and the last is subscriber. Admin can access each and every page, but there are some limitations for staff and the subscriber is only allowed to access home page. Here we will learn how we can create middlewares and protect our routes from unauthorized access by setting user roles and permissions.User Roles and Permissions: Database Modification
The all we need to do is add a column to users table. We need to add a role column to users table, so that we can find whether the logged in user is a admin, staff or a subscriber. We can further create a web page for changing user roles and permissions. But that is not our topic. Here we will learn how we can limit unauthorized users from accessing our routes.User Roles and Permissions: Creating Middleware
We can use artisan for creating a middleware. Here I'm gonna create only two middlewares- AdminMiddleware and StaffMiddlewarephp artisan make:middleware AdminMiddleware
php artisan make:middleware StaffMiddlewareTwo new classes will be created in app/Http/Middleware folder after executing these commands. Now we need to write some logic to these classes.
User Roles and Permissions: Writing Logic
Let's have a look to our requirements again. The staff have some limitations, but admin can access all routes. Open the AdminMiddleware class. There will a function already defined named handle. In that function write this-if(Auth::user()->role == 'admin') // is an admin
{
return $next($request); // pass the admin
}
return redirect('/'); // not admin. redirect where ever you like
Here I'm checking to the role column of users table. If it is equal to admin then we are giving them permission to access that route, otherwise redirecting them to some other route or you can also redirect them to an dedicated unauthorized page.Now open StaffMiddleware class and in the handle function write this-
if(Auth::user()->role == 'admin' or Auth::user()->role == 'staff') // is an admin
{
return $next($request); // pass the admin
}
return redirect('/');
Here again I'm doing the same thing, checking the roles column. But here the admin and the staff both can access that route. This is because an admin can access each and every route.User Roles and Permissions: Protecting routes
Registering Middleware
Before protecting our routes, we need to register that middleware in a key. Simply open the file app/Http/kernal.php and add two more entries to the $routeMiddleware array. You can use admin key for AdminMiddleware and staff key for the StaffMiddleware.'admin' => \App\Http\Middleware\AdminMiddleware::class, 'staff' => \App\Http\Middleware\StaffMiddleware::class,
Routes which can be accessed by Subscribers, staffs and admins
The pages which you want should be accessible by subscribers, protect them using auth middleware. In this way all the users (admins, staffs and subscribers) can access that route.Route::get('subscrbers-route', 'SomeController@someFunction')->middleware('auth');
Routes which can be accessed by Staffs and admins
These routes should be protected by staff middleware. Remember in the StaffMiddleware we are giving access to both the admin and the staff. So the routes which are being protected by staff middleware can be accessed by admin and staff, but can not be accessed by subscriber.Route::get('subscrbers-route', 'SomeController@someFunction')->middleware('staff');
Routes which can be accessed by only admins
These routes should be protected by admin middleware. In this way any user having role admin can only access this route. Others will be redirected to the page what ever you have defined to class.Route::get('subscrbers-route', 'SomeController@someFunction')->middleware('admin');
Conclusion
This is how we can assign different roles to different users. In addition you should create a page for admin to change the roles of users. In this way an admin can anytime set user roles and permissions.If you found this tutorial, kindly share to your friends and help others too.
Really great content keep posting learn a lot from your blog
ReplyDeleteTshirt for Men
Guide for Buying Perfect Tshirt for Boys
Budget Tshirt For Boys Under 600