
orest (Level 13)

middleware and authorisation

I want to restrict users that have not verified their email, from creating threads.

Should I add

  • a middleware, to prevent users from having access to the thread form

    Route::get('/threads/create', 'ThreadController@create')->middleware('verified');

  • and also authorise who can create threads

    class ThreadController
    {
        public function store()
        {
            $this->authorize('create-thread');
        }
    }

    Gate::define('create-thread', function (User $user) {
        return $user->hasVerifiedEmail();
    });

Or does it not make sense to have both a middleware and a gate?

Snapey

If it's just this instance, I would just check so that you can return an appropriate message.

But first, why show them the button or link to create a thread?

In the controller,

public function store()
{
    if (!Auth::user()->verified) {
        // back() is a method; withError() is resolved by RedirectResponse::__call to with('error', ...)
        return redirect()->back()->withError('I\'m really sorry you typed that long response, but you need to verify your address first');
    }
}
orest (Level 13)

@Snapey I do hide the button, but the form can still be accessed if you just put the path in the URL like

example.com/threads/create

Should I let the users access the form, even if they have to manually enter the path in the URL?

Or should I add a middleware to prevent them from accessing the form even by entering the path in the URL manually? And then also have the code that you posted.

Does it make sense to have both middleware and authorisation? This was my question.

public function store()
{
    if (!Auth::user()->verified) {
        // back() is a method; withError() is resolved by RedirectResponse::__call to with('error', ...)
        return redirect()->back()->withError('I\'m really sorry you typed that long response, but you need to verify your address first');
    }
}
Snapey

@orest and my answer was ... neither

Suppose they access that route: do you want them to see "403 | Unauthorised" or a friendly message?

If you had this in lots of places then the answer would be different.

orest (Level 13)

@Snapey I do have it in different places.

Basically, when users have not confirmed their email, I want to restrict access to several routes.

Right now I use policies: users can access the routes, and for each case I have a different authorisation message when they try to "create a thread", for example, but I don't return back with an error like the example code you provided above.
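
As an added example (not code posted in this thread, and not Laravel's own), here is how the two layers the question asks about fit together in a Laravel application, with a friendly message instead of a bare 403. It assumes the User model implements Illuminate\Contracts\Auth\MustVerifyEmail (which is what provides hasVerifiedEmail()), that the email-verification scaffolding has registered the verification.notice route, and that a Thread model with a user_id column and a threads.show route exist; those names are assumptions, as are the file paths in the comments.

```php
<?php
// Added example for a Laravel app (assumed: User implements MustVerifyEmail,
// the verification.notice route exists, Thread model and threads.show route exist).
// Each section belongs in the file named in its comment; they are shown together here.

use App\Models\Thread;
use App\Models\User;
use Illuminate\Auth\Access\Response;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

// --- routes/web.php -------------------------------------------------------
// Layer 1: route middleware. 'verified' (EnsureEmailIsVerified) redirects
// browser requests from unverified users to verification.notice and answers
// JSON requests with 403, so neither the GET form nor a hand-crafted POST
// reaches the controller. Hiding the button is not enforcement: typing the
// URL or replaying the POST bypasses it, the middleware does not.
Route::middleware(['auth', 'verified'])->group(function () {
    Route::get('/threads/create', [ThreadController::class, 'create'])->name('threads.create');
    Route::post('/threads', [ThreadController::class, 'store'])->name('threads.store');
});

// --- app/Providers/AuthServiceProvider.php, inside boot() -----------------
// Layer 2: the gate. Returning a Response instead of a bool carries a message,
// so a denial can be explained to the user without a bare "403 | Forbidden".
Gate::define('create-thread', function (User $user) {
    return $user->hasVerifiedEmail()
        ? Response::allow()
        : Response::deny('You need to verify your email address before creating a thread.');
});

// --- app/Http/Controllers/ThreadController.php ----------------------------
class ThreadController extends Controller
{
    public function create()
    {
        // Only reached by verified users because of the route middleware.
        return view('threads.create');
    }

    public function store(Request $request)
    {
        // Defence in depth: if the route is ever registered elsewhere without
        // the middleware, the action still refuses. Gate::inspect() returns the
        // Response, so we can redirect with its message instead of letting
        // $this->authorize() throw an AuthorizationException (rendered as 403).
        $decision = Gate::inspect('create-thread');
        if ($decision->denied()) {
            return redirect()->back()->withInput()->with('error', $decision->message());
        }

        $data = $request->validate([
            'title' => ['required', 'string', 'max:255'],
            'body'  => ['required', 'string'],
        ]);

        $thread = Thread::create($data + ['user_id' => $request->user()->id]);

        return redirect()->route('threads.show', $thread);
    }
}
```

The middleware on the route group is what actually closes the gap orest describes (the form and the POST both being reachable by URL), while the gate is what makes the same rule reusable across the several routes mentioned later in the thread and lets each controller show its own message. Gate::inspect() and Response::allow()/deny() require Laravel 6 or later; on older versions the equivalent is Gate::allows() followed by a redirect with a hard-coded message.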
