November 18, 2017

Restrict Access to Admins In Laravel

I wanted users and admins to share the same login form, with admins having everything users have plus certain admin-only parts of the site, and without having to create a new database table for them.

Edit Database Migration

First we modify the existing users table migration and add the code needed to make this work.

We add a check_admin column to the users migration. If check_admin is true the user is allowed onto admin-only pages; if it is false the user is redirected away.

```php
<?php

use Illuminate\Support\Facades\Schema;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;

class CreateUsersTable extends Migration
{
    /**
     * Run the migrations.
     *
     * @return void
     */
    public function up()
    {
        Schema::create('users', function (Blueprint $table) {
            $table->increments('id');
            $table->string('email')->unique();
            $table->string('username')->unique();
            // Admin flag; the default is the boolean false, not the string 'false'
            $table->boolean('check_admin')->default(false);
            $table->string('password');
            $table->rememberToken();
            $table->timestamps();
        });
    }

    /**
     * Reverse the migrations.
     *
     * @return void
     */
    public function down()
    {
        Schema::dropIfExists('users');
    }
}
```

Create Middleware

Now we need to create the middleware, which is easy to do with php artisan make:middleware CheckPermission. This creates a file in \app\Http\Middleware. We then add the code below to the handle function: if the user is an admin we let the request through to the page, otherwise we redirect.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class CheckPermission
{
    /**
     * Handle an incoming request.
     *
     * Guests are sent to the login page (or get a 401 on AJAX requests);
     * signed-in users without the admin flag are sent back to the home page.
     */
    public function handle($request, Closure $next, $guard = null)
    {
        if (Auth::guard($guard)->guest()) {
            if ($request->ajax()) {
                return response('Unauthorized.', 401);
            } else {
                return redirect()->guest('login');
            }
        } else if (!Auth::guard($guard)->user()->check_admin) {
            return redirect()->to('/')->withError('Denied Access');
        }

        return $next($request);
    }
}
```

Adding Code To The Kernel

To make this work we need to register our middleware in the kernel as a new group right under the default web group. You will find the kernel file in App\Http.

```php
<?php

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    // The global $middleware array is left as the Laravel default and omitted here.

    /**
     * The application's route middleware groups.
     *
     * @var array
     */
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            // \Illuminate\Session\Middleware\AuthenticateSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        'admin' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \App\Http\Middleware\CheckPermission::class,
        ],

        'api' => [
            'throttle:60,1',
            'bindings',
        ],
    ];

    /**
     * The application's route middleware.
     *
     * These middleware may be assigned to groups or used individually.
     *
     * @var array
     */
    protected $routeMiddleware = [
        'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
    ];
}
```

How To Use

Now only admins should be able to reach the example page below. To restrict any route to admins, append ->middleware('admin') to its definition.

```php
Route::get('/admin_page', 'AdminController@admin_page')->name('admin_page')->middleware('admin');
```
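As an added example that is not part of the original post, here is a feature test (tests/Feature/AdminAccessTest.php) that exercises every path through CheckPermission: guest, guest via AJAX, signed-in non-admin, and admin. It assumes Laravel 5.5's testing helpers, the default App\User model on top of the users migration above, and that AdminController@admin_page returns a normal 200 response; the test user's attributes are set one by one so the result does not depend on check_admin being mass-assignable.

```php
<?php

namespace Tests\Feature;

use App\User;
use Tests\TestCase;
use Illuminate\Foundation\Testing\RefreshDatabase;

class AdminAccessTest extends TestCase
{
    use RefreshDatabase;

    // Builds a user attribute by attribute (no mass assignment), so the test
    // does not rely on check_admin being in $fillable. Values are constructed.
    private function makeUser(bool $isAdmin): User
    {
        $user = new User();
        $user->username = ($isAdmin ? 'admin' : 'member') . str_random(6);
        $user->email = $user->username . '@example.test';
        $user->password = bcrypt('secret');
        $user->check_admin = $isAdmin;
        $user->save();
        return $user;
    }

    public function testGuestIsRedirectedToLogin()
    {
        $this->get('/admin_page')->assertRedirect('/login');
    }

    public function testGuestAjaxRequestGets401()
    {
        // $request->ajax() keys off the X-Requested-With header
        $this->get('/admin_page', ['X-Requested-With' => 'XMLHttpRequest'])->assertStatus(401);
    }

    public function testNonAdminIsSentHomeWithError()
    {
        $this->actingAs($this->makeUser(false))
             ->get('/admin_page')
             ->assertRedirect('/')
             ->assertSessionHas('error', 'Denied Access');
    }

    public function testAdminCanViewPage()
    {
        $this->actingAs($this->makeUser(true))->get('/admin_page')->assertStatus(200);
    }
}
```

Run it with php artisan test or vendor/bin/phpunit; the non-admin case also confirms the flashed error message that withError('Denied Access') places in the session.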