Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

a.verrecchia's avatar

How to test middleware restrictions for user status (active, pending, disabled) in Laravel API

Hi all,

I’m working on a Laravel API and I’m writing PHPUnit feature tests to validate access control via middleware based on the authenticated user’s status.

In my case, users can have only 3 possible statuses:

  1. active → full access to all routes
  2. pending_verification → restricted access, only a few routes allowed
  3. disabled → almost everything blocked

Now, I want to make sure that:

  1. pending users can only access 4 specific routes (e.g. /verify, /resend, etc.)
  2. disabled users are basically blocked from everything (except maybe one route like /support)
  3. active users can access all routes without issues

Thanks in advance! Open to ideas, best practices, or even packages that could help!

0 likes
4 replies
krisi_gjika's avatar

not sure what you want to achieve? did you create tests like: TestPendingUsersCanVerifyEmail, TestDisabledUsersCanContactSupport?

a.verrecchia's avatar

@krisi_gjika I’m trying to write tests for each user status (active, pending_verification, disabled) to make sure they can only access the routes they’re allowed to. For example, a pending user should be able to access /verify or /resend, but should be blocked from all other routes.

My issue is: I’m not sure how to write a test that automatically checks all the other routes the user is not allowed to access, without having to manually list them all. Any suggestions on how to structure this kind of test?

krisi_gjika's avatar

@a.verrecchia I think rather than trying to check every route in one test, you should test the rest as normal. Example when testing if user can make posts, also test that pending users can't make posts

1 like
JussiMannisto's avatar

I'd just manually list all testable routes and the exception cases. You could get all routes using Route::getRoutes() and manually list only the exceptions, but that has some drawbacks.

Firstly, you have to consider routes registered by the framework or packages, like the health check route and routes from Telescope, Debugbar, Pulse, etc.

Secondly, if your app ever gets any routes with parameters or model bindings, this automation will fail. Whoever is adding the route has to stop what they're doing and rewrite this test.

I think it's better to be explicit with the test cases.

Please or to participate in this conversation.