
mnuaim
Level 6

How to completely restrict access to a Cluster in Filament, even with a direct URL?

I have a BeShield class in my Filament project that extends Cluster. I disabled access by using the canAccess() method, returning false, so access should be restricted. However, when I directly enter the URL, like http://localhost:8000/app/be-shield/compliances, the page is still accessible. How can I ensure that access is fully restricted, even when attempting to access the page directly via the URL?

0 likes
3 replies
LaryAI
Level 58

To ensure that access to a specific Cluster in Filament is completely restricted, even when someone tries to access it directly via a URL, you need to make sure that the canAccess() method is properly implemented and that it returns false for unauthorized users. Additionally, you should verify that the routing and middleware are correctly set up to respect this access control.

Here's a step-by-step solution:

  1. Implement the canAccess() Method:

    Ensure that your BeShield class correctly overrides the canAccess() method. This method should return false for users who should not have access.

    use Filament\Clusters\Cluster;
    
    class BeShield extends Cluster
    {
        // Filament 3 declares canAccess() without a $user parameter in the
        // CanAuthorizeAccess trait; an incompatible signature is a fatal error.
        // The current user is read from the panel's auth guard inside Filament.
        public static function canAccess(): bool
        {
            // Implement your logic here
            // Return false to restrict access
            return false;
        }
    }
    
  2. Check Middleware and Routes:

    Make sure that your routes are using the appropriate middleware that checks for access permissions. Filament typically uses middleware to handle authentication and authorization.

  3. Verify Filament Configuration:

    Ensure that your Filament configuration is set up to respect the canAccess() method. This might involve checking your Filament service provider or any custom logic you have implemented.

  4. Custom Middleware (if necessary):

    If the above steps do not resolve the issue, consider creating a custom middleware to enforce access control. This middleware can check the canAccess() method and redirect unauthorized users.

    namespace App\Http\Middleware;
    
    use Closure;
    use Illuminate\Http\Request;
    
    class CheckClusterAccess
    {
        public function handle(Request $request, Closure $next)
        {
            // Resolve which Cluster class (if any) this request targets
            $cluster = $this->getClusterFromRequest($request);
    
            // canAccess() takes no arguments in Filament 3; it looks up the
            // authenticated user from the panel's auth guard itself
            if ($cluster && !$cluster::canAccess()) {
                // Redirect (or abort with a 403 status) for unauthorized users
                return redirect()->route('home')->with('error', 'Access denied.');
            }
    
            return $next($request);
        }
    
        /**
         * Return the fully qualified Cluster class for this request, or null.
         */
        protected function getClusterFromRequest(Request $request): ?string
        {
            // Logic to determine the cluster from the request
            // This is just a placeholder
            return null;
        }
    }
    
  5. Register Middleware:

    Register your custom middleware in app/Http/Kernel.php if you created one.

    protected $routeMiddleware = [
        // Other middleware
        'check.cluster.access' => \App\Http\Middleware\CheckClusterAccess::class,
    ];
    
  6. Apply Middleware to Routes:

    Apply the middleware to the routes that need access control.

    Route::middleware(['auth', 'check.cluster.access'])->group(function () {
        // Define your routes here
    });
    

By following these steps, you should be able to fully restrict access to the Cluster in Filament, even when someone tries to access it directly via a URL.

getupkid203

A Cluster class in Filament 3 (not sure what it's going to be like in Filament 4) extends Filament\Clusters\Cluster which extends Filament\Pages\Page.

Filament\Pages\Page uses the CanAuthorizeAccess trait. This trait has a canAccess() method on it. So, in your Cluster class, you could just define the canAccess() method and put your permission logic in there.

(Which is pretty much what the AI has said)

1 like
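As an added example (not code from this thread or from the Filament project), one way to make the same gate hold for a resource page that lives under the cluster, such as the /app/be-shield/compliances URL in the question: the cluster decides in canAccess(), and the child resource delegates to it from canViewAny(), so a direct URL to the resource is refused whenever the cluster is. The ComplianceResource, the Compliance model and the view-be-shield Gate ability are assumed names.

```php
<?php
// Both classes are shown in one file with braced namespaces so it parses as a unit;
// in a real app they would be two files under app/Filament/.

namespace App\Filament\Clusters {
    use Filament\Clusters\Cluster;
    use Filament\Facades\Filament;

    class BeShield extends Cluster
    {
        // Filament 3 signature from the CanAuthorizeAccess trait: no $user argument.
        // Filament's page mount() calls abort_unless(static::canAccess(), 403).
        public static function canAccess(): bool
        {
            // Deny by default: a guest (null user) never passes the Gate check.
            // 'view-be-shield' is an assumed Gate ability defined in your app.
            return Filament::auth()->user()?->can('view-be-shield') ?? false;
        }
    }
}

namespace App\Filament\Resources {
    use App\Filament\Clusters\BeShield;
    use Filament\Resources\Resource;

    class ComplianceResource extends Resource
    {
        // Assumed model; the resource's own policy is still consulted below.
        protected static ?string $model = \App\Models\Compliance::class;

        // Attach the resource to the cluster so its URL is /be-shield/compliances.
        protected static ?string $cluster = BeShield::class;

        // Resource pages authorize through the resource, not the cluster, so
        // repeat the cluster gate here. This is what keeps a pasted URL to the
        // list page out, even when the navigation item is already hidden.
        public static function canViewAny(): bool
        {
            return BeShield::canAccess() && parent::canViewAny();
        }
    }
}
```

Every resource placed in the cluster needs the same delegation; one that omits it stays reachable by URL regardless of what the cluster's canAccess() returns.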
