how to restrict on the routes?

@peterpan26 With middleware, like you’ve done so in the example above, and like you also did in your other thread asking about the exact same thing.

You should also have middleware do specific things. A middleware checking roles should not be doing authentication. That’s what the built-in auth middleware is for. You should “stack” your middleware to run one after the other. The auth middleware will redirect the user if they‘re not logged in. If they are authenticated, then your role middleware will run.

So, apply the middleware in order:

Route::middleware(['auth', 'role:administrator'])->group(function () {
    // Administrator-only routes...
});

Your middleware should then only be concerned with checking if the authenticated user has the requested roles:

class EnsureUserHasRole
{
    public function handle(Request $request, Closure $next, ...$roles)
    {
        $userRoles = $request->user()->roles()->pluck('role');

        foreach ($roles as $role) {
            if ($userRoles->contains($role)) {
                return $next($request);
            }
        }

        // If we are here, user does not have any of the requested role(s)
        // Return a 403 Forbidden response since they are logged in but do not have permission
        abort(403);
    }
}

I have a laravel code that if the login does a bind it logs the user in and matches the email he has on the session with the emails i have on CheckUserRole model and middleware. my doubt is how to restrict on routes.php based on the role from that table:

class CreateUserRolesTable extends Migration
{
    public function up()
    {
        Schema::create('user_roles', function (Blueprint $table) {
            $table->id();
            $table->string('email')->unique();
            $table->string('role');
            $table->timestamps();
        });
    }

    public function down()
    {
        Schema::dropIfExists('user_roles');
    }
}

class CheckUserRole
{
    public function handle($request, Closure $next, ...$roles)
    {
        // Check if the user is authenticated
        if (Auth::check()) {
            // Retrieve the user's role from the user_roles table
            $user = Auth::user();
            $userRole = DB::table('user_roles')->where('email', $user->email)->value('role');

            // Check if the user's role is one of the allowed roles
            if (in_array($userRole, $roles)) {
                return $next($request);
            }
        }

        // Redirect or handle unauthorized access
        return redirect()->route('login'); // Redirect to login route if the user is not authorized
    }
}

if i for example do the following :

Route::group(['middleware' => ['role:Supervisor']], function () {
      route here
    });

it's always logging out the user when i click in any of the routes, eventhough the email its logging in is a Supervisor email.

the way im matching the email is on session:"

$email = $request->email;
                
        // Check if the email exists in the user_roles table
        $emailExists = DB::table('user_roles')->where('email', $email)->exists();
        
        // Retrieve roles associated with the email
        $userRolesData = DB::table('user_roles')->where('email', $email)->get();
        session(['userRolesData' => $userRolesData]);

with your example it keeps logging me out eventhough i have accessible email

then how can i acces user email if i dont get access to users database?