In one of the previous lessons, we protected the products page from unauthenticated users. Now, in this lesson, let's talk about authorization access by roles, whether the user is an administrator or not.
The Laravel Code
First, we create a migration to add a new field, is_admin to the users table.
php artisan make:migration "add is admin to users table"database/migrations/xxx_add_is_admin_to_users_table.php:
public function up(): void{ Schema::table('users', function (Blueprint $table) { $table->boolean('is_admin')->default(false); });}app/Models/User.php:
class User extends Authenticatable{ // ... protected $fillable = [ 'name', 'email', 'password', 'is_admin', ]; // ...}And then, in the products list, we restrict the create button.
resources/views/products/index.blade.php:
// ...<div class="min-w-full align-middle"> @if (auth()->user()->is_admin) <a href="{{ route('products.create') }}" class="..."> Add new product </a> @endif <table class="min-w-full divide-y divide-gray-200 border">// ...This is a protection on the front-end. But, of course, we must protect it on the back-end, too. For this, let's create a Middleware.
php artisan make:middleware IsAdminMiddlewareapp/Http/Middleware/IsAdminMiddleware.php:
class IsAdminMiddleware{ public function handle(Request $request, Closure $next): Response { if (! auth()->user()->is_admin) { abort(403); } return $next($request); }}We need to register the Middleware with an alias. Here's the Laravel 11+ syntax for it.
bootstrap/app.php:
return Application::configure(basePath: dirname(__DIR__)) ->withRouting( web: __DIR__.'/../routes/web.php', commands: __DIR__.'/../routes/console.php', health: '/up', ) ->withMiddleware(function (Middleware $middleware) { $middleware->alias([ 'is_admin' => \App\Http\Middleware\IsAdminMiddleware::class, ]); }) ->withExceptions(function (Exceptions $exceptions) { // })->create();For Laravel 10 Middleware is registered in the app/Http/Kernel.php.
app/Http/Kernel.php:
class Kernel extends HttpKernel{ // ... protected $routeMiddleware = [ 'auth' => \App\Http\Middleware\Authenticate::class, 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, 'auth.session' => \Illuminate\Session\Middleware\AuthenticateSession::class, 'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class, 'can' => \Illuminate\Auth\Middleware\Authorize::class, 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class, 'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class, 'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class, 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class, 'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class, 'is_admin' => \App\Http\Middleware\IsAdminMiddleware::class, ];}Now, we can use this Middleware in the routes. We will separate routes from the resource. One Route group is for...