I want to write my own middleware to check, if the current user is member of a certain grup. If yes, the user can move on to the route, if not, the user will be redirected to a different page.
My middleware is working, but I don't know how to get the current users id. I've tried the Auth::user() method, but with no success.
This is my Middleware:
namespace App\Http\Middleware;
use Closure;
use App\User;
use App\Usergroups;
use Illuminate\Http\Request;
class UserGroupMiddleware
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle(Request $request, Closure $next, $group = NULL)
{
$user_id = $request->user()->user_id;
$user = User::find($user_id);
$usergroup = Usergroups::find($user->benutzergruppe);
if($usergroup->slug == 'admin'){
return $next($request);
}
return redirect('/');
}
}
You have access to the currently authenticated user, if itโs been resolved. That means you need to make sure you place your group-checking middleware after the auth middleware on your route/route group:
Route::group(['middleware' => ['auth', 'in_group:group_name']], function () {
// Routes
});
You can then check a role like this:
class UserGroupMiddleware
{
public function handle(Request $request, Closure $next, $group)
{
// Check user is in specified group here
if ($request->user()->memberOf($group)) {
return $next($request);
}
// Display a 403 Forbidden error
abort(403);
}
}
Like Martin Bean said, I had to include another middleware. But in this case it wasn't the auth-middlewar. I had to include the web-middleware in my routes.php.
routes.php:
Route::group(['middleware' => ['web', 'admingroup']], function () {
Route::get('/admin', 'TestController#index');
});
UserGroupMiddleware.php:
namespace App\Http\Middleware;
use Closure;
use App\User;
use App\Usergroups;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
class UserGroupMiddleware
{
public function handle(Request $request, Closure $next, $group = NULL)
{
if(Auth::user()){
$user_id = Auth::user()->user_id;
$user = User::find($user_id);
$usergroup = Usergroups::find($user->benutzergruppe);
if($usergroup->slug === 'admin'){
return $next($request);
}
}
abort(403, 'No Access');
}
}
Before I wrote the middleware, I ran the
php artisan make:auth
command. So all views an controlles have been created by laravel.
Important: Don't forget to register the middleware in your Kernel.php:
protected $routeMiddleware = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
// Custom Middleware
'admingroup' => \App\Http\Middleware\UserGroupMiddleware::class,
];
Related
I am trying to implement a simple role-based authentication system in Laravel 7, where I have an additional field on user table named 'role' of integer type, which can have two values - 0 for general users and 5 for the admins.
Any logged in user should be able to access the '/railway' page. Only admins should be able to access the '/admin' page. Admins should also be able to access the '/railway' page.
I am following this article and getting 'too many redirect' error: https://dev.to/kaperskyguru/multiple-role-based-authentication-in-laravel-30pc
Edit:
Sorry forgot to mention!
Everything is working perfectly for the non-admin users. They are being redirected to the '/railway' page after logging in alright, and also being redirected to this page if they try to access the '/admin page'.
The error is happening for the admins only. It is redirecting them to the '/admin' page after logging in alright, but showing the 'too many redirection' error. But admins can access the '/railway' page which is perfect.
Edit-3
I've added this on a git repository, if anyone is interested to reproduce the issue: https://github.com/rawhasan/laravel-auth-bug.git
Here is what I've done so far:
web.php
Route::get('/', function () {
return view('welcome');
});
Auth::routes();
Route::get('/railway', 'RailwayController#index')->name('railway');
Route::get('/admin', 'AdminController#index')->name('admin')->middleware('admin');
Middleware Admin.php
namespace App\Http\Middleware;
use Auth;
use Closure;
class Admin
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (!Auth::check()) {
return redirect()->route('login');
}
if (Auth::user()->role == 0) {
return redirect()->route('railway');
}
if (Auth::user()->role == 5) {
return redirect()->route('admin');
}
}
}
Kernel.php
protected $routeMiddleware = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class,
'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'admin' => \App\Http\Middleware\Admin::class,
];
HomeController.php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
class HomeController extends Controller
{
public function __construct()
{
$this->middleware('auth');
}
public function index()
{
return view('railway');
}
}
AdminController.php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
class AdminController extends Controller
{
public function index()
{
return view('admin.admin');
}
}
Edit - 2
I also have this on the LoginController.php
use Auth;
class LoginController extends Controller
{
use AuthenticatesUsers;
protected $redirectTo;
public function redirectTo() {
if (Auth::user()->role = 5) {
$this->redirectTo = '/admin';
return $this->redirectTo;
} else {
$this->redirectTo = '/railway';
return $this->redirectTo;
}
}
public function __construct()
{
$this->middleware('guest')->except('logout');
}
}
Any help sorting out the issue would be appreciated!
So in both user roles it requires authentication which means you could wrap your routes under default laravel auth middleware for that:
Route::middleware(['auth'])->group(function () {
Route::get('/railway', 'RailwayController#index')->name('railway');
Route::get('/admin', 'AdminController#index')->name('admin')->middleware('admin');
});
And your middleware should look something like:
use Auth;
use Closure;
class Admin
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (Auth::user()->role == 0) {
return redirect()->route('railway');
}
if (Auth::user()->role == 5) {
return redirect()->route('admin');
}
return $next($request);
}
}
Fixed this with the help from another source. Removed the following code from the Admin Middleware and it worked perfectly:
if (Auth::user()->role == 5) {
return redirect()->route('admin');
}
Since I am redirecting the admins from the loginController, this redirect from the middleware was making the conflict.
I've also kept this code in web.php as suggested by Leo:
Route::middleware(['auth'])->group(function () {
Route::get('/railway', 'RailwayController#index')->name('railway');
Route::get('/admin', 'AdminController#index')->name('admin')->middleware('admin');
});
Thanks for the answers everyone!
Include the following value in config/admin.php file in the end of auth key. after 'remember' key.
// Redirect to the specified URI when user is not authorized.
'redirect_to' => 'auth/login',
// The URIs that should be excluded from authorization.
'excepts' => [
'auth/login',
'auth/logout',
'_handle_action_',
'auth/forgot-password',
'auth/reset-password'
],
can you help me how to create if isadmin is true it will be redirected to admin page, else home page.
AuthController
public function postLogin(Request $request){
if(!auth()->attempt(['email' => $request->email, 'password' => $request->password])){
return redirect()->back();
}
return redirect()->route('home');
}
the main reason's maybe because this
return redirect()->route('home');
when tried change to ('admin') it successfully redirecting.
when i tried to add
protected function authenticated(\Illuminate\Http\Request $request, $user)
{
if( $user->isadmin){
return redirect('admin');
}
return redirect('home');
}
it didnt works too
My approach to this situation is using middleware as #sssurii told you
I have a roles table which states normal users and admin user, and additionally I have a middleware such the following:
namespace App\Http\Middleware;
use Closure;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Response;
class AdminMiddleware
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
$user = Auth::user();
if(!$user->role->title==='Admin'){
return route('user');
}
return $next($request);
}
}
Then in kernel class, I've added that middleware in routes
protected $routeMiddleware = [
....
'isAdmin' => \App\Http\Middleware\AdminMiddleware::class
];
Now you need to protect your admin routes, it is solver by
Route::group(['middleware' => ['auth', 'isAdmin'],
'prefix' => 'admin', 'as' => 'admin.'], function () {
Route::get('/home', 'Admin\HomeController#index')->name('dashboard');
.....
}
Here you have a way to filter requests to admin routes, and let get in only users that belongs to group/role Admin.
After that if you want an automatic redirect at login, you should modify redirectPath function in Auth controller (usually at app/http/controllers/auth/AuthController.php)
public function redirectPath()
{
if (\Auth::user()->role->title === 'Admin') {
return redirect()->route('admin.dashboard');
}
return redirect()->route('user.dashboard');
}
I suggest creating a middleware and using it to protect the route
Example, you can create an Admin middleware
php artisan make:middleware Admin
In App\Http\Middleware\Admin.php
use Auth;
use Session;
use Closure;
public function handle($request, Closure $next)
{
// Check if user has permission to access route
if(!Auth::user()->admin) {
Session::flash('info', 'You do not have permission to perform this operation!');
return redirect()->back();
}
return $next($request);
}
Then in the protected route(assuming only your admin can view all posts in this route),
Route::post('admin/post/index', 'PostController#index')->middleware('auth');
Or in the controller
public function __construct()
{
$this->middleware('auth');
}
Use except to exclude routes or only to include methods.
In the kernel.php
protected $routeMiddleware = [
...
'admin' => \App\Http\Middleware\Admin::class
];
I'm new to Laravel, so here I want to make a view for login and register, and then I change the default view login and register into my own view, I changed it in the route and then it work, and then I try to run this code: php artisan ui:auth and then my login view before, it changes to the default view of Laravel. How to change it again into my login and view design ? Thank you.
This is my route web.php:
<?php
/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/
Route::get('/', function () {
return view('pages/home');
});
Route::get('/register','Auth\AuthController#register');
Route::post('/register','Auth\AuthController#postRegister')->name('register');
Route::get('/login','AuthController#login');
Route::post('/login','AuthController#postLogin')->name('login');
and this is my AuthController
<?php
namespace App\Http\Controllers\Auth;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use App\User;
use App\Http\Controllers\Controller;
use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Facades\Socialite;
class AuthController extends Controller
{
public function register()
{
return view('login_register/register');
}
public function postRegister(Request $request )
{
User::create([
'name'=> $request->nama,
'email'=> $request->email,
'password'=> bcrypt($request->password)
]);
return redirect('/login');
}
public function login()
{
return view('login_register/login');
}
public function postLogin(Request $request)
{
if(!\Auth::attempt(['email' => $request->email, 'password' => $request->password ])){
return redirect()->back();
}
return redirect('/galangdana/list');
}
public function redirectToProvider($provider)
{
return Socialite::driver($provider)->redirect();
}
/**
* Obtain the user information from provider. Check if the user already exists in our
* database by looking up their provider_id in the database.
* If the user exists, log them in. Otherwise, create a new user then log them in. After that
* redirect them to the authenticated users homepage.
*
* #return Response
*/
public function handleProviderCallback($provider)
{
$user = Socialite::driver($provider)->user();
$authUser = $this->findOrCreateUser($user, $provider);
Auth::login($authUser, true);
return redirect('/');
}
/**
* If a user has registered before using social auth, return the user
* else, create a new user object.
* #param $user Socialite user object
* #param $provider Social auth provider
* #return User
*/
public function findOrCreateUser($user, $provider)
{
$authUser = User::where('provider_id', $user->id)->first();
if ($authUser) {
return $authUser;
}
else{
$data = User::create([
'name' => $user->name,
'email' => !empty($user->email)? $user->email : '' ,
'provider' => $provider,
'provider_id' => $user->id
]);
return $data;
}
}
}
?>
You can override the showLoginForm() method, in you LoginController.php:
public function showLoginForm()
{
return view('my.view');
}
It overrides the function showLoginForm defined in the trait Illuminate\Foundation\Auth\AuthenticatesUsers.
For registration, you showRegistrationForm method, defined in Illuminate\Foundation\Auth\RegistersUsers trait:
public function showRegistrationForm()
{
return view('my.register.view');
}
Hope it helps.
solved, that becasue i put Auth::routes() so that make multiple login, thank you for the answer ๐
In my application I have three user roles:
user
editor
admin
When editor logs into the admin section, some of the sections are hidden (users manage, system information etc.) and of course, the admin can see everything.
So, for this purpose I've created two middleware: Admin and Editor. This is the code.
Admin middleware.
<?php
namespace App\Http\Middleware;
use Illuminate\Support\Facades\Auth;
use Closure;
class Admin
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if(Auth::check()) {
if(Auth::user()->role_id == 3) {
return $next($request);
}
}
return redirect('/');
}
}
Editor middleware:
<?php
namespace App\Http\Middleware;
use Illuminate\Support\Facades\Auth;
use Closure;
class Editor
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if(Auth::check()) {
if(Auth::user()->role_id == 2) {
return $next($request);
}
}
return redirect('/');
}
}
Here's the part of the Kernel:
protected $routeMiddleware = [
'admin' => \App\Http\Middleware\Admin::class,
'editor' => \App\Http\Middleware\Editor::class,
];
Now I'm trying to build the routes that will be available to those user roles.
If I do it only for the admin or the editor, it works fine, but when I combine them, the one user can login and the other cannot.
Here's the code only for the admin and it works fine.
Route::middleware('admin')->group(function(){
Route::get('/admin', 'PagesController#adminIndex');
Route::resource('/admin/pages', 'PagesController');
Route::resource('/admin/news', 'NewsController');
Route::resource('/admin/users', 'UsersController');
...
});
I've tried to combine them with this code, but it's not working (cannot login into the admin section at all):
Route::middleware(['admin', 'editor'])->group(function(){
Route::get('/admin', 'PagesController#adminIndex');
Route::resource('/admin/pages', 'PagesController');
Route::resource('/admin/news', 'NewsController');
Route::resource('/admin/users', 'UsersController');
...
});
How can I solve this problem?
P.S. Later I want to build a logic for the User role too, so there's must a way to combine the routes.
You can solve the problem with help of Middleware Parameters and instead of several middlewares for each role use only one universal middleware with roles as parameters.
For example:
protected $routeMiddleware = [
'checkRole' => \App\Http\Middleware\CheckRole::class,
];
Middleware:
<?php
namespace App\Http\Middleware;
use Illuminate\Support\Facades\Auth;
use Closure;
class CheckRole
{
public function handle($request, Closure $next, ...$roles)
{
$roleIds = ['user' => 1, 'editor' => 2, 'admin' => 3];
$allowedRoleIds = [];
foreach ($roles as $role)
{
if(isset($roleIds[$role]))
{
$allowedRoleIds[] = $roleIds[$role];
}
}
$allowedRoleIds = array_unique($allowedRoleIds);
if(Auth::check()) {
if(in_array(Auth::user()->role_id, $allowedRoleIds)) {
return $next($request);
}
}
return redirect('/');
}
}
Routes:
Route::middleware(['checkRole:admin,editor'])->group(function(){
//Your routes
});
It should be like below.
Route::middleware(['auth'])->group(function(){
//common routes will goes here
Route::middleware(['admin'])->group(function(){//admin routes will goes here
Route::get('/admin', 'PagesController#adminIndex');
Route::resource('/admin/pages', 'PagesController');
Route::resource('/admin/news', 'NewsController');
Route::resource('/admin/users', 'UsersController');
});
Route::middleware(['editor'])->group(function(){
//editor routes goes here.
});
});
The problem is that your middleware(['admin', 'editor']) is checking the both roles i.e. admin,editor for user and you have only one role for user. That is reason why it is not working
There are great packages out there for managing the user roles which are easy to use . I suggest you to use Spatie Laravel Permission if you want tutorials on it watch Bitfumes Video
It was successfuly protected, it will redirect back to the login page when the user try to type /dasboard to the URL. but the problem is, I cant access my dashboard even I input the correct email and password..
this my userController.php file
<?php
namespace App\Http\Controllers;
use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
class userController extends Controller
{
public function getDashBoard()
{
return view('dashboard');
}
public function login(Request $request)
{
$this->validate($request, [
'email'=> 'required',
'password'=> 'required'
]);
if(Auth::attempt(['email'=> $request['email'], 'password'=> $request['password']])){
return redirect()->route('dashboard');
}
return redirect()->back();
}
}
this my routes.php file
Route::group(['middleware' => ['web']], function () {
Route::get('/', function() {
return view('login');
})->name('home');
Route::get('/dashboard', [
'uses'=> 'userController#getDashBoard',
'as'=> 'dashboard'
'middleware' => 'auth'
]);
});
and this my Authenticate.php file
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Support\Facades\Auth;
class Authenticate
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #param string|null $guard
* #return mixed
*/
public function handle($request, Closure $next, $guard = null)
{
if (Auth::guard($guard)->guest()) {
if ($request->ajax() || $request->wantsJson()) {
return response('Unauthorized.', 401);
} else {
return redirect()->route('home');
}
}
return $next($request);
}
}
I need help. I'am new in this laravel 5.2 framework. better if you edit my code so that I could understand and know my mistake..
Thank you for understanding. Slow learner here..
According to the code provided there doesn't seem to be a getDashBoard method within your UserController. Your 'dashboard' route is pointing to a method that doesn't exist.
I dont know why, but when I turn off the machine to take a sleep. And then turn on the machine again. When I run my application it was suddenly fix.. hmmmm...