
lvlNewbie's avatar

Admin routes with a separate route file

Hi,

I created a separate admin route file, admin.php, in the routes folder with the following content:

<?php

use App\Http\Livewire\Admin\Index;
use Illuminate\Support\Facades\Route;

Route::get('/', Index::class)->name('admin');

and added the following in RouteServiceProvider:

            Route::prefix('admin')
                ->middleware(['web', 'auth:sanctum', 'verified', 'admin'])
                ->namespace($this->namespace)
                ->group(base_path('routes/admin.php'));

where the admins are verified using a middleware. This seems to be working, and I wish to know whether this is enough to protect against non-admins reaching the admin route file. Or do I need to use something like Route::group?

0 likes
6 replies
jlrdw's avatar

Implement authorization to determine who can and cannot do something.

A route group is correct, to ensure login is required.

1 like
x7ryan
Best Answer
Level 12

In your first example, notice the group() method. Either way is creating a route group, and in both examples you are applying the admin middleware. So as long as the admin middleware correctly blocks requests from non-admins, either way is fine. It just becomes a question of which way you prefer: a dedicated route file, or keeping everything in web.php.

lvlNewbie's avatar

Thanks for the reply, I prefer to keep a separate route file for admins.

The admin middleware is only verifying that a user's name/email is in the list of admins; all other auth checks, i.e. user login status, should be verified by Laravel Sanctum. I think in the above example, it is done at the middleware statement ->middleware(['web', 'auth:sanctum', 'verified', 'admin']). Correct me if I am wrong.
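
An admin middleware of the kind described in this post, written as an added example that is not code from the thread; the class name `EnsureUserIsAdmin` and the config key `admin.emails` are assumptions. It denies by default, so it still rejects the request if it is ever applied to a route without `auth:sanctum` and `verified` ahead of it.

```php
<?php
// Added example, not the poster's middleware. The class name and the
// config key "admin.emails" are assumptions made for this sketch.
// It is meant to be registered under the 'admin' alias used in the
// route group's middleware list.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserIsAdmin
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Fail closed: without 'auth:sanctum' earlier in the stack there
        // is no authenticated user, and the request must be rejected.
        if ($user === null) {
            abort(403);
        }

        // The allow-list is keyed on email, so an unverified address
        // proves nothing. Check it here too instead of relying only on
        // the 'verified' middleware being present on every admin route.
        if (! $user->hasVerifiedEmail()) {
            abort(403);
        }

        // Normalise the configured list; a missing or empty list
        // denies everyone rather than admitting everyone.
        $admins = array_map(
            fn ($email) => strtolower(trim((string) $email)),
            (array) config('admin.emails', [])
        );

        // Strict comparison against the normalised address.
        $email = strtolower(trim((string) $user->email));
        if (! in_array($email, $admins, true)) {
            abort(403);
        }

        return $next($request);
    }
}
```

Requesting `/admin` as a guest, as an unverified user, and as a verified non-admin should each be refused; only a verified user on the list should get through.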

siangboon's avatar

Unless both sets of routes redirect to different sets of resources, it seems redundant and not necessary. Imagine that you are building a house but there are 2 doors to access the house. I think the proper way is to use a gate or policy to control the access, just as in a house there are different rooms that only a person who has the key or security code is allowed to access.

1 like
lvlNewbie's avatar

No, they are not routing to the same page, but to different pages. The admin pages contain admin functions only, and entry is controlled by the middleware. Please explain if there are any better approaches.

siangboon's avatar

There are reasons and purposes for which people build gates and policies... and they are used by most developers to control access... perhaps you can figure it out...

I guess once a normal user becomes an admin, the user may question why the same user has to log in to different pages, or why there are 2 different types of users to log in...

1 like
