
User1980

Spatie roles/permissions question

Hi,

Quick question please.

If you use Spatie roles/permissions and add this in every controller:

    public function __construct()
    {
        $this->middleware('permission:games view', ['only' => ['index', '']]);
        $this->middleware('permission:games add', ['only' => ['']]);
        $this->middleware('permission:games update', ['only' => ['update']]);
        $this->middleware('permission:games delete', ['only' => ['']]);
    }

I did not add all the methods above as it is just an example.

My question is: if you create a ROLE/PERMISSIONS CRUD, would you still protect routes, given that, based on each role, the user already has the permission to access such and such resources? But, before adding the roles/permissions via a CRUD and controllers, I have the below middleware setup.

    Route::group(['middleware' => ['role:admin|user|follower']], function () {
        // Controllers here
    });

Shall I remove this middleware from the web.php file?

I am a bit stuck on this one because, if you think about it, the role middleware is not needed if it is already added to all the controllers... or shall I leave it for security purposes (in case I forget to add the roles within a controller)?

I would love to hear from your own experience on this please.

Thanks,

fylzero
Best Answer

@user1980 The truth is you have flexibility here and having the same protection in two places doesn't hurt anything. Generally I prefer to have middleware protection specified in the route files. I just feel like it is easier to see/understand that way. ...but the same argument could be made that having it in the controller is "cleaner" and more tucked away. As I said, my personal preference is to just have these things in the route files. Hope that helps!

Snapey

it depends how granular you need it

for instance, I might have admin role middleware wrapping a resource route, but only someone with delete permission can execute the destroy function on the controller

fylzero

That's an interesting consideration I wasn't thinking about initially. Even with resource routes you have the choice to unwind those and add middleware to each route... annnnd... these are the type of code style guide decisions that kill our souls. lol

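The layering Snapey describes (a role check wrapping the whole resource, a permission check on destroy only) and fylzero's point about unwinding a resource route to attach middleware per route, put together as an added example. This is not code from the thread; it assumes a `GameController`, an `App\Models\Game` model with a factory, the default `User` factory, and the `auth`, `role` and `permission` middleware aliases registered as the Spatie docs describe for your Laravel version. The role and permission names are the ones used in the post. The feature test at the end is the check worth running after any reorganisation: it proves a user with the `user` role can list games but gets a 403 on delete, and that someone with none of the listed roles is stopped by the route group before any controller code runs.

```php
<?php
// --- routes/web.php (example) ------------------------------------------------
use App\Http\Controllers\GameController;
use Illuminate\Support\Facades\Route;

// Layer 1, coarse and visible in the route file: only authenticated users
// holding at least one of these roles reach the games resource at all.
// Spatie's role middleware reads "|" as OR.
Route::middleware(['auth', 'role:admin|user|follower'])->group(function () {
    // destroy is left out of the resource so its extra requirement can be
    // attached to the route itself instead of living only in the controller.
    Route::resource('games', GameController::class)->except(['destroy']);

    Route::delete('games/{game}', [GameController::class, 'destroy'])
        ->name('games.destroy')
        ->middleware('permission:games delete');
});

// --- app/Http/Controllers/GameController.php (example) ------------------------
namespace App\Http\Controllers;

use App\Models\Game; // assumed model

class GameController extends Controller
{
    public function __construct()
    {
        // Layer 2, fine-grained: one permission per action. 'games delete' is
        // checked here as well as on the route; the duplicate costs nothing and
        // still holds if the route file is reorganised later.
        $this->middleware('permission:games view')->only(['index', 'show']);
        $this->middleware('permission:games add')->only(['create', 'store']);
        $this->middleware('permission:games update')->only(['edit', 'update']);
        $this->middleware('permission:games delete')->only(['destroy']);
    }

    public function index()
    {
        return Game::all();
    }

    public function destroy(Game $game)
    {
        $game->delete();

        return response()->noContent();
    }

    // create/store/show/edit/update omitted
}

// --- tests/Feature/GameAuthorizationTest.php (example) ------------------------
namespace Tests\Feature;

use App\Models\Game;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;
use Tests\TestCase;

class GameAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();
        // Spatie caches permissions; clear it so the ones created below are seen.
        $this->app->make(PermissionRegistrar::class)->forgetCachedPermissions();
    }

    public function test_user_role_can_view_but_not_delete(): void
    {
        Permission::create(['name' => 'games view']);
        Permission::create(['name' => 'games delete']);
        Role::create(['name' => 'user'])->givePermissionTo('games view');

        $user = User::factory()->create()->assignRole('user');
        $game = Game::factory()->create(); // assumed factory

        $this->actingAs($user)->get(route('games.index'))->assertOk();
        $this->actingAs($user)->delete(route('games.destroy', $game))->assertForbidden();
        $this->assertModelExists($game); // the record survived the refused delete
    }

    public function test_user_without_any_listed_role_is_stopped_by_the_group(): void
    {
        $outsider = User::factory()->create(); // no role, no permissions

        $this->actingAs($outsider)->get(route('games.index'))->assertForbidden();
    }
}
```

Two caveats a practitioner should keep in mind. `auth` sits before `role:` in the group on purpose: without it, an anonymous request hits Spatie's middleware first and gets a 403 instead of a redirect to login. And because `{game}` is resolved by route model binding before the `permission:` middleware runs, a DELETE for a game id that does not exist returns 404 rather than 403, which is why the test deletes a game that has actually been created.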
User1980

Thank you to both of you. This is why I preferred to ask, as I am a single developer (not full time) and may sometimes do something (for years) and find out through an experienced developer that it was wrong all the way.

At the moment with the app I am building, only the super-admin has access to most "destroy" methods so I think I will be able to stick to the old role/permission CRUD and keep it that way.

But I also like to have my routes organised with groups like you too...I see the point there.

Something that would have been really cool is, perhaps in "telescope", to have a table that associates all the resource access per role all at once in a page. Something well organised.

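The overview the last post wishes for can be produced from the application itself, and it doubles as the safety net for the "in case I forget to add the roles within a controller" worry from the question. Below is an added example of an artisan command, not something from the thread or from Telescope; the command name `audit:route-protection` and the `--prefix` option are my own choices. It lists every route together with the Spatie `role:` / `permission:` middleware that guards it, flags routes that have neither, and then prints the role-to-permission matrix from the database.

```php
<?php
// app/Console/Commands/AuditRouteProtection.php (example, not part of the thread)
namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Support\Facades\Route;
use Spatie\Permission\Models\Role;

class AuditRouteProtection extends Command
{
    protected $signature = 'audit:route-protection {--prefix= : Only routes whose URI starts with this value}';

    protected $description = 'Show which Spatie role/permission middleware guards each route, and what each role may do';

    public function handle(): int
    {
        $rows = [];
        $unguarded = 0;

        foreach (Route::getRoutes() as $route) {
            $uri = $route->uri();
            if ($this->option('prefix') && ! str_starts_with($uri, $this->option('prefix'))) {
                continue;
            }

            // gatherMiddleware() merges route/group middleware with whatever the
            // controller registered in its constructor, so both styles show up.
            // It does not expand named middleware groups; aliases hidden inside
            // a custom group would not be matched here.
            $guards = collect($route->gatherMiddleware())
                ->filter(fn ($m) => is_string($m) && preg_match('/^(role|permission|role_or_permission):/', $m))
                ->values();

            if ($guards->isEmpty()) {
                $unguarded++;
            }

            $rows[] = [
                implode('|', $route->methods()),
                $uri,
                $route->getActionName(),
                $guards->isEmpty() ? 'NONE' : $guards->implode(', '),
            ];
        }

        $this->table(['Method', 'URI', 'Action', 'Role/permission middleware'], $rows);

        // Role -> permission matrix, one row per role.
        $this->table(
            ['Role', 'Permissions'],
            Role::with('permissions')->get()->map(fn (Role $role) => [
                $role->name,
                $role->permissions->pluck('name')->sort()->implode(', ') ?: '(none)',
            ])->all()
        );

        if ($unguarded > 0) {
            $this->warn("{$unguarded} route(s) carry no role/permission middleware; confirm they are meant to be open.");

            return self::FAILURE;
        }

        return self::SUCCESS;
    }
}
```

Run it as `php artisan audit:route-protection --prefix=games` to look at one resource, or without the option to see the whole app (login, password-reset and similar routes will be listed as NONE, which is expected). The non-zero exit code when unguarded routes exist lets the same command run in CI. Laravel's built-in `php artisan route:list -v` also shows middleware per route, but it does not filter for the Spatie aliases or print the role matrix.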
