Hi martinbean, thanks for your help and sorry for the detour.
Here is exactly how routes are registered in my project.
bootstrap/app.php
return Application::configure(basePath: dirname(__DIR__))
->withRouting(
web: __DIR__.'/../routes/web.php',
api: __DIR__.'/../routes/api.php',
commands: __DIR__.'/../routes/console.php',
health: '/up',
)
->withMiddleware(function (Middleware $middleware): void {
$middleware->alias([
'admin' => EnsureUserIsAdminOrManager::class,
'admin-only' => EnsureUserIsAdmin::class,
]);
})
->withExceptions(function (Exceptions $exceptions): void {
$exceptions->shouldRenderJsonWhen(
fn (Request $request) => $request->is('api/*'),
);
})->create();
routes/web.php
Route::get('/', PageController::class)->name('public.page');
Route::post('/', PageController::class)->name('public.select');
Route::get('/open-tabs', OpenTabsController::class)->name('public.open-tabs');
Route::get('/dashboard', function () {
return redirect('organisms');
})->middleware(['auth', 'admin'])->name('dashboard');
Route::middleware('auth')->group(function () {
Route::get('/profile', [ProfileController::class, 'edit'])->name('profile.edit');
Route::patch('/profile', [ProfileController::class, 'update'])->name('profile.update');
Route::delete('/profile', [ProfileController::class, 'destroy'])->name('profile.destroy');
});
Route::middleware(['auth', 'admin'])->group(function () {
Route::get('/statistics', [StatisticController::class, 'index'])->name('statistics.index');
Route::post('organisms/{organism}/move-up', [OrganismController::class, 'moveUp'])->name('organisms.move-up');
Route::post('organisms/{organism}/move-down', [OrganismController::class, 'moveDown'])->name('organisms.move-down');
Route::resource('organisms', OrganismController::class)->only(['index', 'create', 'store', 'edit', 'update', 'destroy']);
});
Route::middleware(['auth', 'admin-only'])->group(function () {
Route::resource('users', UserController::class)->only(['index', 'create', 'store', 'edit', 'update', 'destroy']);
});
require __DIR__.'/auth.php';
routes/auth.php
Route::middleware('guest')->group(function () {
Route::get('login', [AuthenticatedSessionController::class, 'create'])->name('login');
Route::post('login', [AuthenticatedSessionController::class, 'store']);
Route::get('forgot-password', [PasswordResetLinkController::class, 'create'])->name('password.request');
Route::post('forgot-password', [PasswordResetLinkController::class, 'store'])->name('password.email');
Route::get('reset-password/{token}', [NewPasswordController::class, 'create'])->name('password.reset');
Route::post('reset-password', [NewPasswordController::class, 'store'])->name('password.store');
});
Route::middleware('auth')->group(function () {
Route::get('confirm-password', [ConfirmablePasswordController::class, 'show'])->name('password.confirm');
Route::post('confirm-password', [ConfirmablePasswordController::class, 'store']);
Route::put('password', [PasswordController::class, 'update'])->name('password.update');
Route::post('logout', [AuthenticatedSessionController::class, 'destroy'])->name('logout');
});
If you spot anything suspicious here, I'd really appreciate the insight. Thanks!