
dmcglone's avatar

restricting access for registered users

Does anyone know of any tutorials or @JeffreyWay's videos that demonstrate restricting access to registered users? For example, what if a user isn't authorized to login until an admin authorizes them?

0 likes
87 replies
mstnorris's avatar
Level 55

@dmcglone Use Middleware.

Copied from a post I answered a couple of days ago.

I have included a basic implementation; it requires that you add an admin column to your users table. I'm not suggesting that this is the best way. I personally have set up Users, Roles, and Permissions but the example below will get you started. You can literally swap out admin for verified and you'll be golden!

  1. The following command creates a new Middleware called Admin
php artisan make:middleware Admin
  2. This creates a file called Admin.php within the app/Http/Middleware directory that looks like this (the Auth import is needed because the class lives in a namespace):
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class Admin {

    public function handle($request, Closure $next)
    {
        // let the request through only for a logged-in user whose isAdmin() is true
        if ( Auth::check() && Auth::user()->isAdmin() )
        {
            return $next($request);
        }

        // everyone else is sent back to the home page
        return redirect('home');

    }

}
  3. You then need to add the Admin Middleware to your app/Http/Kernel.php file
protected $routeMiddleware = [
    'auth' => 'App\Http\Middleware\Authenticate',
    'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
    'guest' => 'App\Http\Middleware\RedirectIfAuthenticated',
    'admin' => 'App\Http\Middleware\Admin', // this line right here
];
  4. Add the Admin Middleware to a route (within your routes.php file).
get('protected', ['middleware' => ['auth', 'admin'], function() {
    return "this page requires that you be logged in and an Admin";
}]);
  5. Finally you need to add the isAdmin method we used above to your User model to check whether or not the user is an Admin.
public function isAdmin()
{
    return $this->admin ? true : false; // this looks for an admin column in your users table
}
  6. This will do the trick. If you run into any problems, please post what you have tried and which step you got up to and I'll try my best to help.
5 likes
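The same four pieces (model method, middleware, Kernel entry, route), wired up for the case the question actually asks about: a registered account that may not use the app until an admin has approved it. This is an added example, not code from the thread or from Laravel. It assumes a hypothetical nullable `approved_at` timestamp column on `users` that the admin sets when approving the account, and a hypothetical `pending` page; the class and route names are this example's own. Bracketed namespaces are used only so the separate files can be shown in one listing.

```php
<?php
// Added example (not from the thread). Each section goes in the file named
// above it; they are shown together with bracketed namespaces only so the
// listing parses as one file.

// ---- app/User.php (only the relevant parts) ----
namespace App {

    use Illuminate\Database\Eloquent\Model;

    class User extends Model
    {
        // approved_at comes back as a Carbon date; null means "not yet approved".
        // (Assumed column, set by the admin when they approve the account.)
        protected $dates = ['approved_at'];

        public function isApproved()
        {
            return $this->approved_at !== null;
        }
    }
}

// ---- app/Http/Middleware/Approved.php ----
namespace App\Http\Middleware {

    use Closure;
    use Illuminate\Contracts\Auth\Guard;

    class Approved
    {
        protected $auth;

        public function __construct(Guard $auth)
        {
            $this->auth = $auth;
        }

        public function handle($request, Closure $next)
        {
            // Listed after 'auth', so a user is normally present; check() is kept
            // so the middleware stays safe if a route lists it without 'auth'.
            if ($this->auth->check() && $this->auth->user()->isApproved()) {
                return $next($request);
            }

            // Browser clients go to a page that explains the pending state;
            // API clients get a plain 403 instead of a redirect they cannot follow.
            if ($request->ajax() || $request->wantsJson()) {
                return response('Account pending approval.', 403);
            }

            return redirect('pending');
        }
    }
}

// ---- app/Http/Kernel.php: add to $routeMiddleware ----
//   'approved' => 'App\Http\Middleware\Approved',

// ---- app/Http/routes.php ----
namespace {

    // 'auth' first, so a guest reaches the login page before 'approved' runs.
    Route::group(['middleware' => ['auth', 'approved']], function () {
        Route::get('dashboard', 'UsersController@dashboard');
    });

    // Reachable while logged in but not yet approved, so the redirect in the
    // middleware cannot loop. Deliberately outside the 'approved' group.
    Route::get('pending', ['middleware' => 'auth', function () {
        return 'Your account is waiting for an administrator to approve it.';
    }]);
}
```

The order inside the middleware array matters: with `'auth'` before `'approved'`, an anonymous visitor is redirected to the login page and never reaches the approval check, which is what martinbean's later aside relies on. With a boolean column such as the thread's `is_employee`, `protected $casts = ['is_employee' => 'boolean'];` on the model does the equivalent job to `$dates` here and removes the need for `== true` comparisons.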
dmcglone's avatar

I did create some middleware, but I only know how to restrict access to a certain page and not disallow login.

mstnorris's avatar

Just protect the route. You need them to log in to see who they are before you can check with Middleware.

Route::group(['middleware' => ['auth', 'verified']], function()
{
    get('dashboard', ['as' => 'dashboard_path', 'uses' => 'UsersController@dashboard']);

    get('profile', ['as' => 'profile_path', 'uses' => 'UsersController@profile']);

    get('settings', ['as' => 'settings_path', 'uses' => 'UsersController@settings']);
});
toniperic's avatar

Use

Route::group(['middleware' => 'active'], function () {
    Route::get('foo', 'BarController@methodName');
});

And just create the middleware and associate active key to it in Kernel

dmcglone's avatar

I think this is what I wasn't getting right: Auth::check() && Auth::user()->isAdmin()

Hang on, I'll post my code which is just like @mstnorris's except I wasn't using the line above.

dmcglone's avatar

Ok here's what I created and I see I forgot the route, and the method in my User model. I was assuming that I could add the restricted code to RedirectIfAuthenticated.

<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Contracts\Auth\Guard;
use Illuminate\Http\RedirectResponse;

class EmployeeAuthentication {

    protected $auth;
    public function __construct(Guard $auth)
    {
        $this->auth = $auth;
    }

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if ($this->auth->check())
        {
            if ($this->auth->user()->is_employee == true)
            {
                return $next($request);
            }
        }
        return new RedirectResponse(url('/'));
    }
}

Kernel

protected $routeMiddleware = [
    'auth' => 'App\Http\Middleware\Authenticate',
    'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
    'guest' => 'App\Http\Middleware\RedirectIfAuthenticated',
    'admin' => 'App\Http\Middleware\AdminAuthentication',
    'employee' => 'App\Http\Middleware\EmployeeAuthentication',
];
mstnorris's avatar

Looks good. Just add it to your routes.php.

1 like
martinbean's avatar

As an aside, in the Admin middleware, you don’t actually need to check if the user is authenticated. The Authenticate middleware will check this and redirect if the user is not logged in, thus not reaching the Admin middleware.

dmcglone's avatar

Hmmm, it still allows a user to log in when their is_employee bit is false:

middleware

<?php namespace App\Http\Middleware;

use Auth; // the Auth facade alias from config/app.php
use Closure;
use Illuminate\Contracts\Auth\Guard;
use Illuminate\Http\RedirectResponse;

class EmployeeAuthentication {
    protected $auth;
    public function __construct(Guard $auth)
    {
        $this->auth = $auth;
    }
    public function handle($request, Closure $next)
    {
        if ($this->auth->check())
        {
            // the injected Guard and the Auth facade resolve to the same guard,
            // so the inner Auth::check() repeats the outer one
            if (Auth::check() && Auth::user()->isEmployee())
            {
                return $next($request);
            }
        }
        return new RedirectResponse(url('/'));
    }
}

User model

public function isEmployee()
{
    return $this->is_employee ? true : false;
}

Kernel

protected $routeMiddleware = [
    'auth' => 'App\Http\Middleware\Authenticate',
    'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
    'guest' => 'App\Http\Middleware\RedirectIfAuthenticated',
    'admin' => 'App\Http\Middleware\AdminAuthentication',
    'employee' => 'App\Http\Middleware\EmployeeAuthentication',
];

And finally routes:

Route::get('protected', ['middleware' => ['auth', 'employee'], function() {
    return "this page requires that you be logged in and an employee";
}]);
mstnorris's avatar

@dmcglone do an explicit check

public function isEmployee()
{
    return ($this->is_employee == true) ? true : false;
}

Also, to check, do:

dd(Auth::user()->is_employee);
davorminchorov's avatar

What do you mean by "not using any roles"? According to the code in this thread, you do. Admin and employee are roles. Maybe you just don't use them the way it is shown in the video.

dmcglone's avatar

@Ruffles, I'm only wanting to learn to restrict access to a user. I've already learned how to restrict a user from pages, now I'm trying to learn how to restrict them from logging in. I've got the concept down, but what I've tried isn't working and that's where @mstnorris is helping me figure out where I'm going wrong.

dmcglone's avatar

Yeah, and dd didn't seem to have an effect, it still logged in and it seems no matter what I try with the route, it still logs in. I even tried a different approach to the route. Seems no matter what I try, it still logs in like I haven't made any changes at all.

So far I changed

Route::get('protected', ['middleware' => ['auth', 'employee'], function() {
    return "this page requires that you be logged in and an employee";
}]);

to this, with no effect.

Route::group([
    'prefix' => '/',
    'namespace' => Auth',
    'middleware' => 'employee'
], function() {
    Route::resource('employee, 'ApplicationController');
});
mstnorris's avatar

@dmcglone You're missing an apostrophe. And of course that won't work.

Use:

Route::get('protected', ['middleware' => ['auth', 'employee'], function() {
   return 'this route is protected, if you can see this then access has been granted';
}]);

If the above doesn't work as expected then something else is going on and I would kindly ask that you paste all your code here exactly as you have it currently and I'll take a look.
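A quick way to find out whether "something else is going on" is to test the route rather than log in by hand. This is an added example, not part of the thread, and it assumes the Laravel 5.0 defaults: the Authenticate middleware sends guests to `auth/login`, the route is `GET /protected` as posted above, and EmployeeAuthentication redirects a logged-in non-employee to `/`. It needs no database: the users are built in memory and handed to the guard with `$this->be()`.

```php
<?php
// Added example (not from the thread): feature test for the 'auth' + 'employee'
// route. Lives in tests/ and extends the TestCase that ships with the app.

use App\User;

class EmployeeRouteTest extends TestCase
{
    /** @test */
    public function a_guest_is_sent_to_the_login_page()
    {
        $this->call('GET', '/protected');

        // Laravel 5.0's Authenticate middleware redirects guests here (assumed default)
        $this->assertRedirectedTo('auth/login');
    }

    /** @test */
    public function a_logged_in_non_employee_is_turned_away()
    {
        $this->be($this->makeUser(false));

        $this->call('GET', '/protected');

        // EmployeeAuthentication's RedirectResponse(url('/'))
        $this->assertRedirectedTo('/');
    }

    /** @test */
    public function a_logged_in_employee_gets_through()
    {
        $this->be($this->makeUser(true));

        $response = $this->call('GET', '/protected');

        $this->assertResponseOk();
        $this->assertContains('employee', $response->getContent());
    }

    /**
     * Build an unsaved user; the middleware only reads the flag, so nothing has
     * to touch the database. The flag is set as a string on purpose, because that
     * is how a tinyint column comes back through PDO, and it is the case the
     * "explicit check" discussion above is worried about.
     */
    protected function makeUser($isEmployee)
    {
        $user = new User;
        $user->is_employee = $isEmployee ? '1' : '0';

        return $user;
    }
}
```

If the second test passes but a browser still shows the page, the middleware is fine and the difference is in what the browser is actually doing: a session left over from an earlier login, or a request that is not hitting `/protected` at all.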

dmcglone's avatar

That's weird, it wasn't missing over here. I must've messed up the paste.

dmcglone's avatar

Ok wait a second, I think I found the problem. It may be because I didn't put the ApplicationController in a folder like I did with the AdminController

dmcglone's avatar

Nah never mind, I'm trying to restrict access to Auth, not the application controller.

dmcglone's avatar

@mstnorris Ok this works. I log in the user and if is_employee bit is false, just call /auth/logout. :-)

public function handle($request, Closure $next)
{
    if ($this->auth->check())
    {
        if ($this->auth->user()->is_employee == true)
        {
            return $next($request);
        }
    }
    return new RedirectResponse(url('/auth/logout'));
}
dmcglone's avatar

Not sure if it's the correct way to go about it, but I thought about it for a second and realized, I need to be logged in in the first place in order to check to see if they are an employee yet. :-)
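The logout redirect works, but it lets the login succeed first: a session is created, the "remember me" cookie may be issued, and only then is the user thrown out. The other way to do it is to refuse the login itself. `Auth::attempt()` treats every credential other than `password` as an extra WHERE condition on the users query, so an account whose `is_employee` flag is not 1 never gets a session at all. This is an added example, not code from the thread or from Laravel; it assumes the Laravel 5.0 `AuthController`, in which a `postLogin()` defined on the class overrides the trait's, and the `credentials()` helper and error text are this example's own.

```php
<?php
// Added example (not from the thread): gate the login itself instead of
// logging in and redirecting to /auth/logout. Assumes the Laravel 5.0
// AuthController and its default auth/login route; credentials() is a helper
// introduced here, not a framework method.

namespace App\Http\Controllers\Auth;

use Auth; // facade alias from config/app.php
use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesAndRegistersUsers;

class AuthController extends Controller
{
    use AuthenticatesAndRegistersUsers;

    // Defined on the class, so it takes precedence over the trait's postLogin().
    public function postLogin(Request $request)
    {
        $this->validate($request, [
            'email'    => 'required|email',
            'password' => 'required',
        ]);

        // attempt() only succeeds if a row matches email AND is_employee = 1
        // AND the password hash checks out; no session is created otherwise.
        if (Auth::attempt($this->credentials($request), $request->has('remember'))) {
            return redirect()->intended($this->redirectPath());
        }

        // One message for both "wrong password" and "not an employee yet":
        // a different message would tell anyone probing the form which
        // e-mail addresses have accounts waiting for approval.
        return redirect('auth/login')
            ->withInput($request->only('email', 'remember'))
            ->withErrors([
                'email' => 'These credentials do not match our records, or the account has not been approved yet.',
            ]);
    }

    /**
     * The credentials the guard must match. Everything except 'password' is
     * compared against the users table, so is_employee => 1 is enforced by the
     * same query that looks the user up by e-mail.
     */
    protected function credentials(Request $request)
    {
        return [
            'email'       => $request->input('email'),
            'password'    => $request->input('password'),
            'is_employee' => 1,
        ];
    }
}
```

The flag is evaluated once, at login. If an admin later clears `is_employee` on an account that is already logged in, that session keeps working until it ends, which is why the route middleware from earlier in the thread is still worth keeping on the protected routes even when the login itself is gated.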
