but on my routes I'm not being able to restrict based on a middleware:
Route::group(['middleware' => ['role:Supervisor']], function () {
// Define routes for the supervisor role...
});
this is the CheckUserRole middleware:
public function handle($request, Closure $next, ...$roles)
{
    if (Auth::check()) {
        // Retrieve the user's role from the user_roles table
        $user = Auth::user();
        $userRole = DB::table('user_roles')->where('email', $user->email)->value('role');
        // Check if the user's role is one of the allowed roles
        if (in_array($userRole, $roles)) {
            return $next($request);
        }
    }
    // Not authenticated, or role not allowed: deny the request
    abort(403);
}
@peterpan26 You should not be passing an email address and then doing authentication or authorisation based on that. That value can be manipulated by the user before submission.
You should instead be checking the user in your middleware and controllers. You even fetch the authenticated user in your middleware:
$user = Auth::user();
So why do you think you need the user to submit their email address to check roles? You just need to fetch the roles for the authenticated user, and check they have the required role:
$user = Auth::user();
$userRoles = $user->roles()->get(); // Get roles for user via roles relation
// Check user has required role for current request...
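A complete middleware along the lines of this reply, added here as an example and not code from the original thread. It assumes a `roles()` relationship on the User model whose Role model has a `name` column, and that the class is registered under the `role` alias in app/Http/Kernel.php (`$middlewareAliases` in Laravel 10, `$routeMiddleware` in earlier versions).

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class CheckUserRole
{
    /**
     * Usage in routes: Route::middleware('role:Supervisor,Manager')->group(...)
     * Each comma-separated parameter after "role:" arrives as one entry in $roles.
     */
    public function handle(Request $request, Closure $next, string ...$roles): Response
    {
        // Identity comes from the session or token, never from request input,
        // so a client cannot substitute another account's email address.
        $user = $request->user();

        if ($user === null) {
            // Normally the `auth` middleware runs first; this is a safety net.
            abort(401);
        }

        // Assumption: User has a roles() relation and Role has a `name` column.
        $userRoleNames = $user->roles()->pluck('name')->all();

        // Grant access only if the user holds at least one of the required roles.
        if (count(array_intersect($roles, $userRoleNames)) > 0) {
            return $next($request);
        }

        // Authenticated but not authorised: deny explicitly instead of falling
        // through and returning null from the middleware.
        abort(403, 'You do not have the required role for this action.');
    }
}
```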