

Middleware protecting routes

How can I protect routes with middleware under the following conditions?

I have a users table and a roles table.

users table id name email role_id

roles table

id          name          slug
1           admin         admin
2          student      student
3          teacher      teacher

In User.php

 /**
  * The role assigned to this user, looked up by matching roles.id against
  * this model's role_id column.
  *
  * NOTE(review): with the key stored on users.role_id, the conventional
  * Eloquent form is belongsTo(Role::class, 'role_id'); hasOne with the keys
  * swapped, as here, reads the same row.
  *
  * @return \Illuminate\Database\Eloquent\Relations\HasOne
  */
 public function role()
 {
     $roleRelation = $this->hasOne(Role::class, 'id', 'role_id');

     return $roleRelation;
 }

RoleGate.php

<?php
 
namespace App\Http\Middleware;
 
use Closure;
 
class RoleGate
{
    /**
     * Let the request through only when the authenticated user's role slug
     * is identical to the role named on the route (the value after `role:`).
     *
     * Every other case — no authenticated user, a user without a role, or a
     * different role — is redirected to /login, so the gate fails closed.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string  $role  Role slug the route requires
     * @return mixed
     */
    public function handle($request, Closure $next, $role)
    {
        $user = $request->user();

        // Guard clauses: each missing piece is checked before it is
        // dereferenced, and the slug comparison is strict.
        if (!$user || !$user->role) {
            return redirect('/login');
        }

        if ($user->role->slug !== $role) {
            return redirect('/login');
        }

        return $next($request);
    }
}

Route:

// Each group names the role slug it requires after the colon; that value is
// handed to the middleware's handle() as its extra argument.
// NOTE(review): `role` is presumably the alias registered for RoleGate — the
// registration is not shown here.

// Student area
Route::middleware(['role:student'])->group(function () {
    Route::get('student', function () {
        return 'student';
    });
});

// Teacher area
Route::middleware(['role:teacher'])->group(function () {
    Route::get('teacher', function () {
        return 'teacher';
    });
});

// Admin area
Route::middleware(['role:admin'])->group(function () {
    Route::get('admin', function () {
        return 'admin';
    });
});

This works fine, but I want the student and teacher routes to be accessible to admin as well. Admin should be able to view all routes.

How can I modify the logic inside the handle() method?

7924
Best Answer
Level 10
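    /**
     * Allow the request when the authenticated user is an admin or holds the
     * role named on the route; otherwise redirect to /login.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string  $role  Role slug the route requires (the value after `role:`)
     * @return mixed
     */
    public function handle($request, Closure $next, $role)
    {
        // Resolve the user and role once and check both before reading ->slug.
        // A guest request or a user without a role must fall through to the
        // redirect instead of raising a property-on-null error.
        $user = $request->user();
        $slug = ($user && $user->role) ? $user->role->slug : null;

        if ($slug === null) {
            return redirect('/login');
        }

        // 'admin' is a deliberate super-role: it passes every route guarded by
        // this middleware. Both comparisons are strict so no loosely-equal
        // value can stand in for a slug.
        if ($slug === 'admin' || $slug === $role) {
            return $next($request);
        }

        return redirect('/login');
    }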
Goldoni's avatar

Hallo, RoleGate.php


namespace App\Http\Middleware;

use Closure;

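class RoleGate
{
    /**
     * Handle an incoming request.
     *
     * The required role slug is read from the 'role' key of the matched
     * route's action array. The request passes only when an authenticated
     * user has a role whose slug is identical to that value; every other case
     * is sent back with an "Insufficient Permissions" error.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $user = $request->user();
        if ($user === null) {
            return $this->deny();
        }

        $actions = $request->route()->getAction();
        $required = isset($actions['role']) ? $actions['role'] : null;

        // Read the slug only when the user actually has a role, so a user
        // without one is denied instead of raising a property-on-null error.
        $current = $user->role ? $user->role->slug : null;

        // Fail closed: a route that declares no 'role' and a user whose slug
        // is missing are both null, and null === null must not grant access.
        if ($required !== null && $current !== null && $current === $required) {
            return $next($request);
        }

        return $this->deny();
    }

    /**
     * Send the client back to the previous page with the permission error.
     *
     * @return mixed
     */
    private function deny()
    {
        return redirect()->back()
            ->withErrors([
                'error' => 'Insufficient Permissions',
            ]);
    }
}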
Goldoni's avatar

Routes.php

Route::group(['namespace' => 'student', 'prefix' => 'student', 'middleware' => 'role', 'role' => "student"], function () {
    Route::get('student', 'HomeController@index')->name('student.home');
});

Route::group(['namespace' => 'teacher', 'prefix' => 'teacher', 'middleware' => 'role', 'role' => "teacher"], function () {
    Route::get('teacher', 'HomeController@index')->name('teacher.home');
});

Route::group(['namespace' => 'admin', 'prefix' => 'admin', 'middleware' => 'role', 'role' => "admin"], function () {
    Route::get('admin', 'HomeController@index')->name('admin.home');
});
