
jhyaps

Prevent roles from accessing other roles' pages.

Can we prevent roles from accessing other roles' pages?

Currently I have 3 roles: super-admin, admin and employee.

But when I am in the super-admin role I can easily access the employee pages. How can I prevent this?

For example

For admin and super-admin:

http://localhost/attendance/en/users/4

For employee:

http://localhost/attendance/en/personal/profile/view

I can easily access both URLs. I want to prevent this and allow only the matching role to access each page.

I am using the Spatie library for roles and permissions.

LaryAI

Well, you could always just put a big sign on the employee page that says "No Super-Admins Allowed!" That should do the trick. Or, if you want to get a bit more technical, you could use something like this:

if (auth()->user()->hasRole('super-admin')) {
    abort(403, 'No Super-Admins Allowed!');
}
vincent15000

How do you manage the roles? Do you use a package like Spatie roles and permissions, or a simple table in the database?

The logic you can use is to protect the routes with middleware.

For example you can create an AdminMiddleware.

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class AdminMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse)  $next
     * @return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
     */
    public function handle(Request $request, Closure $next)
    {
        // isAdmin() is a method you define on your User model
        // (with Spatie it can simply return $this->hasRole('admin')).
        // The route group below runs 'auth' first, so user() is never null here.
        if (!auth()->user()->isAdmin()) {
            return redirect()->route('member.recipes');
        }

        return $next($request);
    }
}

Then you register your middleware in the Kernel file.

// Laravel 9 and earlier: app/Http/Kernel.php
// (in Laravel 10 the same array is named $middlewareAliases)
protected $routeMiddleware = [
    'admin' => \App\Http\Middleware\AdminMiddleware::class,
    ...
];

And you can use it to protect some routes.

Route::middleware('auth')->group(function () {
    Route::middleware('admin')->name('admin.')->prefix('admin')->group(function () {
        Route::get('categories', CategoriesList::class)->name('categories');
        Route::get('products', ProductsList::class)->name('products');
        ...
    });
});

You can also choose another approach, which consists of protecting only some methods in the controllers.

https://laravel.com/docs/10.x/controllers#controller-middleware
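Since the original poster is already on Spatie laravel-permission, the same route protection can use the `role` middleware that package ships instead of a hand-written one. The following is an added example, not code from this thread or from the Spatie documentation. It assumes Laravel 10 and laravel-permission v6 (whose middleware namespace is `Spatie\Permission\Middleware`; v5 used `Spatie\Permission\Middlewares`), and the controller class names are placeholders for whatever serves the two URLs in the question:

```php
<?php
// app/Http/Kernel.php (Laravel 10; Laravel 9 calls this array $routeMiddleware)
protected $middlewareAliases = [
    // ... the framework's default aliases ...
    'role'       => \Spatie\Permission\Middleware\RoleMiddleware::class,
    'permission' => \Spatie\Permission\Middleware\PermissionMiddleware::class,
];

// routes/web.php
use App\Http\Controllers\PersonalProfileController; // placeholder name
use App\Http\Controllers\UserController;            // placeholder name
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->group(function () {

    // Only users that hold the 'employee' role reach /personal/...
    // A super-admin who does not ALSO hold 'employee' gets a 403 here,
    // which is the behaviour the question asks for.
    Route::middleware('role:employee')
        ->prefix('personal')
        ->name('personal.')
        ->group(function () {
            Route::get('profile/view', [PersonalProfileController::class, 'show'])
                ->name('profile.view');
        });

    // The pipe means "any of these roles": admin OR super-admin.
    Route::middleware('role:admin|super-admin')
        ->group(function () {
            Route::get('users/{user}', [UserController::class, 'show'])
                ->name('users.show');
        });
});
```

A caveat worth knowing: the Spatie docs suggest a `Gate::before` callback that returns `true` for super-admins so they pass every `can()` / `permission:` check. That callback does not affect the `role:` middleware, which tests `hasAnyRole()` directly, so the employee group above still rejects a super-admin. Failing the role check throws `Spatie\Permission\Exceptions\UnauthorizedException`, which Laravel renders as HTTP 403.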

jlrdw

Apply authorization as needed, from another previous answer:

  • Bob is an admin

  • Suzy is admin and does bookkeeping

  • Mary is a bookkeeper only

  • If Bob is logged in, Bob can only do admin stuff and has full access to user stuff. But Bob cannot mess with bookkeeping.

  • If Suzy is logged in she can access admin stuff and bookkeeping and accounting stuff.

  • If Mary is logged in she cannot mess with admin stuff, but has access to bookkeeping and accounting stuff.

So I just check at method level whether the logged-in user's role can or cannot access that method / function.

And use query scopes to let a user edit / view their own data or an admin can access all users data.

Each app will be different as to who can do what.

So in pseudocode:

public function makeInvoice()
{
    // 'bkeep' = bookkeeper role; hasRole() is the Spatie role check
    if (! auth()->user()->hasRole('bkeep')) {
        return redirect('somewhere'); // wherever you redirect to if not authorized
    }
    // Rest of method here runs only if
    // the logged in user has the required role of 'bkeep'.
}

Again just examples.

Also a Spatie example I saw:

public function update(Request $request, Post $post)
{
    // Deny unless the user owns the post AND holds the Spatie 'edit posts' permission.
    // $post->author is taken here to hold the author's user id.
    if ($post->author !== auth()->user()->id || auth()->user()->cannot('edit posts')) {
        abort(404); // or redirect, or whatever action
    }
    // rest of method if all okay
}

In summary, RBAC is at least 3 main steps:

  • A login required
  • An authorization implementation to determine what the logged in person with role can or cannot do
  • Protection of URL and parameters, checking that the logged-in user's id matches the id used in a query

Each application will require unique tweaks in RBAC, no two apps are exactly the same.

Adjust your queries as to who can see and edit certain things.
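The third step above (the id in the URL must belong to the logged-in user, unless they are an admin) is where most "super-admin can open /users/4" and "employee can open someone else's invoice" bugs live. As an added example, not code from this thread, here is one way to put that ownership rule into an Eloquent query scope so it cannot be forgotten in individual controller methods. It assumes Spatie roles/permissions, a placeholder `Invoice` model with a `user_id` column, and a placeholder `edit invoices` permission:

```php
<?php
// app/Models/Invoice.php (placeholder model for the example)
namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

class Invoice extends Model
{
    protected $fillable = ['user_id', 'total'];

    // Scope: admins see every row, everyone else only their own rows.
    // Because the ownership filter lives in the query itself, a non-owner
    // requesting /invoices/42 gets "no such row" (404) rather than the row.
    public function scopeVisibleTo(Builder $query, User $user): Builder
    {
        if ($user->hasRole('admin')) {          // Spatie role check
            return $query;
        }

        return $query->where('user_id', $user->id);
    }
}

// app/Http/Controllers/InvoiceController.php
namespace App\Http\Controllers;

use App\Models\Invoice;
use Illuminate\Http\Request;

class InvoiceController extends Controller
{
    public function index(Request $request)
    {
        return Invoice::visibleTo($request->user())->latest()->paginate();
    }

    // Deliberately NOT using implicit route-model binding (Invoice $invoice):
    // the default binding loads the row by id before any ownership check runs.
    // Resolving through the scope makes the id check and the query the same thing.
    public function show(Request $request, int $id)
    {
        $invoice = Invoice::visibleTo($request->user())->findOrFail($id);

        return view('invoices.show', compact('invoice'));
    }

    public function update(Request $request, int $id)
    {
        $user = $request->user();

        // Role/permission gate first (what may this user do at all?) ...
        if ($user->cannot('edit invoices')) {   // Spatie permission check
            abort(403);
        }

        // ... then the ownership gate (which rows may they do it to?).
        $invoice = Invoice::visibleTo($user)->findOrFail($id);
        $invoice->update($request->validate([
            'total' => 'required|numeric|min:0',
        ]));

        return redirect()->route('invoices.show', $invoice);
    }
}
```

The two checks are intentionally separate: the permission answers "is this action allowed for this role", the scope answers "is this record reachable for this user". Skipping the second one is the classic insecure-direct-object-reference mistake, and a route-level role middleware alone does not prevent it.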
