
deansatch

middleware in controller or on route

Just wondering if there are any drawbacks to putting middleware directly on a route or route group as opposed to putting it in the constructor on a controller. The reason I ask is because a lot of apps I build have different user types, e.g. members, admins, public users, etc.

I generally have a single controller for a model, so for example if I only wanted an admin to be able to delete a post I would need to add isAdmin middleware. If I stick that in the controller constructor, my show(), index() methods, etc. would not be available to members or the public. So what I have been doing on a recent project is grouping my routes and adding the middleware to the group, so /admin/* has isAdmin middleware. Is this secure?

0 likes
6 replies
deansatch

@RamjithAp thanks... I'll have a look at that. Is what I have done so far a bad idea that should be scrapped and rebuilt, or should I just think about using gates moving forward in future builds?

RamjithAp

Yes, Gates and policies are more scalable in the future. Having middleware for roles and permissions is not good practice, to my knowledge. And the answer to your question is: forcing middleware through a route group is secure enough.

deansatch

Anyone want to elaborate on why I shouldn't use middleware for my auth checking? Jeffrey seems to teach that way in his videos, i.e. adding auth middleware in the constructor and/or on the route. My original question also still remains unanswered, as this applies not just to roles but to basic logged-in/not-logged-in users.

mushood
Best Answer

@deansatch From documentation: https://laravel.com/docs/5.5/controllers#controller-middleware

"However, it is more convenient to specify middleware within your controller's constructor. Using the middleware method from your controller's constructor, you may easily assign middleware to the controller's action. You may even restrict the middleware to only certain methods on the controller class"

I believe it is a convenience issue and not a performance issue or a security issue. You have to see what works for you.

If it were a security issue, I believe that would be known. Also, you have the "RedirectIfAuthenticated" middleware by default to check if a user is authenticated.

As for whether it is good practice or not, I would not know. I do use it myself for permissions when it makes sense for a group of routes. I have not used gates and policies either, so I can't say.

3 likes
martinbean

@deansatch I think you’re merging the concepts of authentication and authorisation together.

You should authenticate a user (check they are logged in and are who they say they are). You then use authorisation to check what that user can do. So you would have middleware to authenticate a user…

Route::middleware('auth')->group(function () {
    // Routes that require a logged-in user (authentication only; no role check here)
});

…but then authorise what that user can do with a policy. So if you have a controller for news articles, you would have a corresponding policy class for your article model.

<?php
// app/Policies/ArticlePolicy.php (in Laravel 5.5, register it in AuthServiceProvider::$policies)
namespace App\Policies;

use App\Article;
use App\User;

class ArticlePolicy
{
    // Only administrators may delete an article; isAdministrator() is a method on your User model.
    public function delete(User $user, Article $article)
    {
        return $user->isAdministrator();
    }
}

<?php
// app/Http/Controllers/ArticleController.php
namespace App\Http\Controllers;

use App\Article;

class ArticleController extends Controller
{
    public function destroy(Article $article)
    {
        // Throws an AuthorizationException (HTTP 403) unless ArticlePolicy::delete() returns true
        $this->authorize('delete', $article);

        $article->delete();
    }
}
8 likes
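To make the authentication/authorisation split concrete, here is an added example that is not from the thread or from Laravel itself: a framework-free PHP (8.0+) model of both placements. The User class, the article store, the exception classes, the tiny middleware pipeline and the sample users are all constructed for the example and stand in for Laravel's middleware stack and Gate. It shows the failure mode from the original question (isAdmin wrapped around every action locks members out of show()) next to the pattern martinbean describes (an auth-only group plus a per-action policy check), with the outcome for a guest, a member and an admin.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Everything below is constructed:
// a stand-in for Laravel's middleware pipeline, User model and policies.

final class User
{
    public function __construct(public string $name, public string $role) {}

    public function isAdministrator(): bool
    {
        return $this->role === 'admin';
    }
}

final class Unauthenticated extends RuntimeException {}
final class Forbidden extends RuntimeException {}

// Authentication middleware: is there a logged-in user at all?
$auth = function (?User $user, callable $next): string {
    if ($user === null) {
        throw new Unauthenticated('login required');
    }
    return $next($user);
};

// Role middleware of the kind the question puts on an /admin/* group.
$isAdmin = function (?User $user, callable $next): string {
    if ($user === null || !$user->isAdministrator()) {
        throw new Forbidden('admins only');
    }
    return $next($user);
};

// Policy: authorisation decided per action on a specific resource.
final class ArticlePolicy
{
    public function view(?User $user, array $article): bool
    {
        return true; // public articles: guests may read
    }

    public function delete(?User $user, array $article): bool
    {
        return $user !== null && $user->isAdministrator();
    }
}

final class ArticleController
{
    public function __construct(private ArticlePolicy $policy, private array $articles) {}

    public function show(?User $user, int $id): string
    {
        $this->authorize('view', $user, $id);
        return 'shown: ' . $this->articles[$id]['title'];
    }

    public function destroy(?User $user, int $id): string
    {
        $this->authorize('delete', $user, $id);
        return "deleted {$id}"; // a real app would delete the row here
    }

    private function authorize(string $ability, ?User $user, int $id): void
    {
        if (!$this->policy->{$ability}($user, $this->articles[$id])) {
            throw new Forbidden("{$ability} denied");
        }
    }
}

// Minimal pipeline: each middleware gets the current user and the next stage.
function dispatch(array $middleware, callable $action, ?User $user): string
{
    $pipeline = array_reduce(
        array_reverse($middleware),
        fn (callable $next, callable $mw) => fn (?User $u) => $mw($u, $next),
        $action
    );
    return $pipeline($user);
}

function attempt(array $middleware, callable $action, ?User $user): string
{
    try {
        return dispatch($middleware, $action, $user);
    } catch (Unauthenticated | Forbidden $e) {
        return get_class($e) . ': ' . $e->getMessage();
    }
}

$controller = new ArticleController(new ArticlePolicy(), [1 => ['title' => 'Hello']]);
$users      = ['guest' => null, 'member' => new User('m', 'member'), 'admin' => new User('a', 'admin')];
$show       = fn (?User $u) => $controller->show($u, 1);
$destroy    = fn (?User $u) => $controller->destroy($u, 1);

// Pattern A: isAdmin applied to every action (constructor-style).
// Pattern B: group carries only 'auth'; destroy() asks the policy.
foreach ($users as $label => $user) {
    printf("%-6s A/show:    %s\n", $label, attempt([$isAdmin], $show, $user));
    printf("%-6s B/show:    %s\n", $label, attempt([], $show, $user));
    printf("%-6s B/destroy: %s\n", $label, attempt([$auth], $destroy, $user));
}
```

Run with `php example.php`. Under pattern A a guest and a member both get Forbidden on show(); under pattern B everyone can read, a guest gets Unauthenticated on destroy() before the action runs, a member gets Forbidden from the policy, and only the admin deletes. The middleware answers "who are you?" once for the whole group; the policy answers "may you do this to that?" per action, which is why the role check does not belong in a constructor that also guards the public actions.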
