Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

kokurate's avatar

How can i make OR Middleware ???

In my case i have 9 role (for login). This role have their own controller.

I want to make only admin can access admin middleware but admin can access other middleware. So I created my custom middleware like this

        <?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class Cek_Login
{
    public function handle(Request $request, Closure $next, $roles)
    {
        if (!Auth::check()) {
            return redirect('login'); 
        }
        $user = Auth::user();

        if($user->level == $roles)
            return $next($request);

        return redirect()->route('cannot_access');
    }
}

Here's my authenticate in controller

        public function authenticate(Request $request)
          {
         $credentials = $request->validate([
           'email' => 'required|',
             'password' => 'required'
            ]);
            if (Auth::attempt($credentials)){
             $user = Auth::user();
            if($user->level == 'admin'){
                $request->session()->regenerate();
                return redirect()->intended('admin');
            }
            elseif ($user->level == 'jaringan'){
                $request->session()->regenerate();
                return redirect()->intended('jaringan');
            }
            return redirect()->intended('login')->with('error', 'Login Gagal');
      } else
   
     return back()->with('error', 'Login Gagal');

    }

and this is my route

      Route::group(['middleware' => ['auth']], function(){
        
        // =============================== Admin Page ================================= 
        Route::group(['middleware' => ['cek_login:admin']], function (){

            Route::get('register', [AuthController::class, 'register'])->name('register');
            Route::post('register', [AuthController::class, 'store'])->name('register.store');
        
            Route::get('admin',[AdminController::class,'index'])->name('admin.index');    
            Route::delete('admin/destroy/{pengaduan:kode}',[AdminController::class,'destroy'])->name('admin.destroy');    
           
        });
         
        // =================================== Jaringan Page ===========

        // Route::middleware('cek_login:jaringan')->middleware('cek_login:admin')->group(function (){
       // Route::middleware(['cek_login:jaringan','cek_login:admin'])->group(function (){ 

         Route::middleware(['cek_login:jaringan' OR 'cek_login:admin'])->group(function (){
        
            route::get('/jaringan',[JaringanController::class,'index'])->name('jaringan.index');
            route::get('jaringan/detail/{pengaduan:kode}',[JaringanController::class,'detail'])->name('jaringan.detail');

            route::get('jaringan/update/{pengaduan:kode}',[JaringanController::class,'update'])->name('jaringan.update');
            route::post('jaringan/update/{pengaduan:kode}',[JaringanController::class,'update_store'])->name('jaringan.update.store');
        });

    });

How can i solve this problem ? Can anyone help me solve this problem as soon as possible. Thank you in advanced

0 likes
7 replies
martinbean's avatar

@kokurate You can’t. Middleware are “layers” for a HTTP request. A middleware either passes or fails. A single middleware class also shouldn’t know anything about any other middleware classes.

Instead, use authorization to determine what a user can and can’t do, and can and can’t see, based on their role(s).

kokurate's avatar

@martinbean permission to ask, is there a fairly complete example similar to the one I will make??? Explanations with case studies will be easier for me to understand. Thank you in advanced

jlrdw's avatar

@kokurate Jeffrey has authorization videos, plus there is a chapter in the documentation just on authorization. Furthermore, Jeffrey has the authorization code available free on Github.

johnDoe220's avatar
php artisan make:middleware Admin

public function handle(Request $request, Closure $next)
    {
if(auth()->check() && auth()->user()->role !== 'admin){
	return redirect(route('index'));
}
return $next($request);
}
kokurate's avatar
kokurate
OP
3 years ago
Best Answer
Level 1

guys thank you for helping me out. Now this problem is now fixed

The problem actually is on my middleware... Soo I have create a new middleware to handle the route group, and the code is like this

    <?php
   namespace App\Http\Middleware;
 use Closure;
  use Illuminate\Http\Request;
    class Cek_Level
    {
     public function handle(Request $request, Closure $next, ...$levels)
    {
	// if auth level like level return next
      if (in_array($request->user()->level, $levels)){
         return $next($request);
      }
  // if not redirect to cannot access
     return redirect()->route('cannot_access');
   } 
 }

Don't forget to register this middleware in \app\Http\kernel.php

Now i can the route group like this

 // =======================Admin Page ====================
        Route::group(['middleware' => ['auth','cek_level:admin']], (function (){

  Route::get('register', [AuthController::class, 'register'])->name('register');
  Route::post('register', [AuthController::class, 'store'])->name('register.store');

        }));

// =============== Jaringan Page =================
Route::group(['middleware' => ['auth','cek_level:jaringan,admin']], (function (){

 route::get('/jaringan',[JaringanController::class,'index'])->name('jaringan.index');
 route::get('jaringan/detail/{pengaduan:kode}',[JaringanController::class,'detail'])>name('jaringan.detail');

        }));

Now only admin can access admin middleware (using cek_level:admin) and admin can access other middleware too

but others middleware can access admin middleware

1 like

Please or to participate in this conversation.