Laravel how to add middleware to controller with multiple roles? - php

What I want to achieve is that the EventController's functions/ methods should be available for role:organizer, and only the view() method [URL: /events/{id}] from the same controller should also be available to role:artist.
I've tried to implement that by creating the following middleware to check for the logged-in user's role:
class UserRole
{
/**
* Handle an incoming request.
*
* #param Request $request
* #param \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse) $next
* #return Application|JsonResponse|RedirectResponse|Redirector
*/
public function handle(Request $request, Closure $next, ...$roles)
{
if ($request->expectsJson()) {
return response()->json(['error' => 'Unauthenticated.'], 401);
}
if (!Auth::check()) {
return redirect(RouteServiceProvider::HOME);
}
if (in_array(strtolower(Auth::user()->type), $roles)) {
return $next($request);
}
return redirect('/login');
}
}
Then in my EventController, I have assigned the following middlewares in the constructor:
public function __construct()
{
$this->middleware(['auth', 'verified', 'onboarding', 'role:organizer']);
$this->middleware(['role:artist,organizer'])->only('view');
}
When I run php artisan route:list - I get the list as I want it to be, only events/{id} has both the organizer and artist role
However when I log in with user artist and try to access localhost/events/10 - I get redirected to the /login screen, but when I try to access the same URL with a role organizer it works..
Is there any suggestion on how to make it work? If there's something you don't understand let me know and I'll help you!

The problem is that you have attached the middleware to view endpoint with 'role:organizer' twice in the first time it only check is user has role organizer and it doing redirect and it's not going check the second time so to exclude this behavior you should attache middlewares like this
$this->middleware(['auth', 'verified', 'onboarding']);
$this->middleware(['role:artist,organizer'])->only('view');
$this->middleware('role:organizer')->except('view');// because it already added above

Related

Laravel 8 + Jetsream: How to Redirect to Prior Page After Login?

I have a basic web page where I want the user to be able to click the login link, go through the login, and then be returned to that page (not the home page). The page has some features that can only be seen when the user is logged in.
I am having trouble with this, no matter what when I go to login it returns to the home page after authentication or whatever I have set as the constant, not the prior page.
Fortify.php has a home path that is a constant, so I can't update that with an expression either...
'home' => RouteServiceProvider::HOME,
Here is the middleware RedirectIfAuthenticated.php, it is the standard Laravel and I'm wondering what would need to be updated.
<?php
namespace App\Http\Middleware;
use App\Providers\RouteServiceProvider;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
class RedirectIfAuthenticated
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #param string|null ...$guards
* #return mixed
*/
public function handle(Request $request, Closure $next, ...$guards)
{
$guards = empty($guards) ? [null] : $guards;
foreach ($guards as $guard) {
if (Auth::guard($guard)->check()) {
return redirect(RouteServiceProvider::HOME);
}
}
return $next($request);
}
}
I should note too, that if I add a middleware route to the page, as in the below example, then the process works correctly as far as returning the user back to the prior page.
Route::middleware(['auth:sanctum', 'verified'])->get('/agenda', function () {
return view('agenda');
})->name('agenda');
However, I need the user to be able to view the agenda page, even if they are a guest... but, once logged in, they will be returned to the agenda page which will have some additional features. I can't seem to find in the documentation anything about this, unfortunately.
In AuthenticatesUsers.php
protected function sendLoginResponse(Request $request)
{
$request->session()->regenerate();
$this->clearLoginAttempts($request);
if ($response = $this->authenticated($request, $this->guard()->user())) {
return $response;
}
return $request->wantsJson()
? new JsonResponse([], 204)
: redirect()->back();
}
Or You Can Do this in Your Default Login Controller in Line 31
protected $redirectTo = "/your-path";
When the auth middleware detects an unauthenticated user, it will redirect the user to the login named route. You may modify this behavior by updating the redirectTo function in your application's app/Http/Middleware/Authenticate.php file
https://laravel.com/docs/8.x/authentication#redirecting-unauthenticated-users

Laravel, first user is only user

I am building a Laravel site for personal use and I would like to make the first user to register on the site be the only user. So with a fresh Laravel install with the ui installed, migration sorted and no users registered, I would like the register route to be reachable. But if there is a registered user, block the register route and only allow the login route to be reachable.
I could do something like this in the web.php
Route:get('/register', function () {...})->auth();
But I would have to do that after I first create a user. I'd rather do it in a more controllable fashion.
Edit
I don't doubt that #yves-kipondo's answer is the more correct option if I were to create this for someone else.
The solution I went with is a simple one. In my register controller I just add a check in the constructor, if there already is a user return a 404.
public function __construct() {
if (!User::all()) {
$this->middleware('guest');
} else {
abort(404);
}
}
You can create a Middleware which will be register on the register route
<?php
namespace App\Http\Middleware;
use Closure;
class RegisterOnce
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (User::count() !== 0) {
// you can redirect wherever you want
return redirect('home');
}
return $next($request);
}
}
After that you can register the middleware in the app/Http/Kernel.php by adding this line after all registered routes middleware like this
protected $routeMiddleware = [
\\ ... previous registered middleware
'once' => App\Http\Middleware\RegisterOnce::class,
];
and you can customize the register route like this in the routes/web.php file
which wille replace the default set by Auth::routes();
Route::get('register', [App\Controllers\Auth\RegisterController::class, 'showRegistrationForm'])
->name('register')
->middleware('once');

Restricting Pages to Admins - Laravel

I am having a tutorial on how to restrict pages to admins. In my RedirectIfAuthenticated.php, this is how my code looks like
public function handle($request, Closure $next, $guard = null)
{
if (!Auth::guard($guard)->check()) {
// return redirect('/login');
} else {
$user = Auth::user();
if($user->hasRole('manager')) {
return redirect('admin/home');
} else {
return redirect('/home');
}
}
return $next($request);
}
After i login, i am routed to the respective pages but the issue is, i can still route to the admin page even tho i login as a member and not manager. When i place localhost/admin/home, i am still routed to that page although i am not a manager. What am i missing out?
You are able to access the manager url after login because your code only redirects each user to their appropriate url's but does'nt do any other check after the users are logged in. You can accomplish this by creating a middleware to check for each user type and redirect them to their appropriate pages and attach this middleware to your desired routes.
In your terminal, run php artisan make:middleware AdminMiddleware to create a middleware Note: the AdminMiddleware is a name of my choosing and can be changed.
This creates a middleware in the app\Middlewares directory. edit the contents to look like this..
<?php
namespace App\Http\Middleware;
use Closure;
class AdminMiddleware
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
$user = Auth::user();
if(!$user->hasRole('manager'))
{
//you can throw a 401 unauthorized error here instead of redirecting back
return redirect()->back(); //this redirects all non-admins back to their previous url's
}
return $next($request);
}
}
Then go to the app/Http/Kernel.php file and add the following to the $routeMiddleware array.
'admin' => \App\Http\Middleware\AdminMiddleware::class,
Now you can attach the admin middleware to any route which you would like only managers to access.

How to add custom middleware inside a Route group in laravel

I have a Route group in laravel which has middleware of auth
Route::group(['middleware'=>'auth', function()
{
//Routes
});
Now these routes are only available to logged in users. I have a situation that logged in users have privileges. I have some routes that are only to be visited by logged in users AND if they have privilege of OWNER
In function I have started a session and stored privilege value.
I did something like this
Route::group(['middleware'=>'auth', function()
{
//Routes
if(session::get('privilege')
{
//Routes
}
});
This isn't working neither it's appropriate method. Can anyone tell me how add middleware inside a middleware?
There should be no logic inside your routes file(s) - these should simply define routes and nothing else. What you should do is define middleware which verifies privileges/roles your user has, you can specify parameters which are passed to the middleware like this:
Route::group(['middleware' => 'auth', function() {
Route::get('/my-route', 'Controller#method')->middleware('role:some_role');
Route::get('/my-other-route', 'Controller#otherMethod')->middleware('role:some_other_role');
});
Then in your middleware, you can access that parameter via a third argument in the handle method. With that value, you could verify the privileged/role the user has and then decide if the user should access that route:
public function handle($request, Closure $next, $role)
{
// Do something with $role
return $next($request);
}
If you're unsure about defining your own custom middleware, check out the docs here: https://laravel.com/docs/middleware
You will need to create a custom middleware called OWNER
php artisan make:middleware Owner
Will create a middleware file for you.
Then in the public function called handle u can do something like
if (Auth::user()->privilege == "OWNER") {
return $next($request);
}
return redirect('home');
So at the end your custom middleware will look something like this:
<?php
namespace App\Http\Middleware;
use Closure;
class Owner
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (Auth::user()->privilege == "OWNER") {
return $next($request);
}
return redirect('home');
}
}
More about Laravel Middelware here

How to change default redirect URL of Laravel 5 Auth filter?

By default if I am not logged and I try visit this in browser:
http://localhost:8000/home
It redirect me to http://localhost:8000/auth/login
How can I change to redirect me to http://localhost:8000/login
I wanted to do the same thing in Laravel 5.5. Handling authentication has moved to Illuminate\Auth\Middleware\Authenticate which throws an Illuminate\Auth\AuthenticationException.
That exception is handled in Illuminate\Foundation\Exceptions\Hander.php, but you don't want to change the original vendor files, so you can overwrite it with your own project files by adding it to App\Exceptions\Handler.php.
To do this, add the following to the top of the Handler class in App\Exceptions\Handler.php:
use Illuminate\Auth\AuthenticationException;
And then add the following method, editing as necessary:
/**
* Convert an authentication exception into an unauthenticated response.
*
* #param \Illuminate\Http\Request $request
* #param \Illuminate\Auth\AuthenticationException $exception
* #return \Illuminate\Http\Response
*/
protected function unauthenticated($request, AuthenticationException $exception)
{
if ($request->expectsJson()) {
return response()->json(['error' => 'Unauthenticated.'], 401);
}
return redirect()->guest('login'); //<----- Change this
}
Just change return redirect()->guest('login'); to return redirect()->guest(route('auth.login')); or anything else.
I wanted to write this down because it took me more than 5 minutes to figure it out. Please drop me a line if you happened to find this in the docs because I couldn't.
Just to extend #ultimate's answer:
You need to modify App\Http\Middleware\Authenticate::handle() method and change auth/login to /login.
Than you need to add $loginPath property to your \App\Http\Controllers\Auth\AuthController class. Why? See Laravel source.
In result you'll have this in your middleware:
namespace App\Http\Middleware;
class Authenticate {
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if ($this->auth->guest())
{
if ($request->ajax())
{
return response('Unauthorized.', 401);
}
else
{
return redirect()->guest('/login'); // <--- note this
}
}
return $next($request);
}
}
And this in your AuthController:
namespace App\Http\Controllers\Auth;
class AuthController extends Controller
{
protected $loginPath = '/login'; // <--- note this
// ... other properties, constructor, traits, etc
}
This is Laravel 5.4 Solution:
There is a new unauthenticated() method in app/Exceptions/Handler.php which handles unauthenticated users and redirects to login path.
So change
return redirect()->guest('login');
to
return redirect()->guest('auth/login');
Authentication checks are made using middleware in Laravel 5.
And the middleware for auth is App\Http\Middleware\Authenticate.
So, you can change it in handle method of the middleware.
In Laravel 5.6, go to app/Exceptions folder and open the Handler.php, add a new method that overrides the unauthenticated method like so:
protected function unauthenticated($request, AuthenticationException $exception)
{
if($request->ajax())
{
return response([
"message" => "Unauthenticated.",
"data" => [],
],401);
}
return redirect()->to('/');
}
This method is triggered when you access a protected route using the built-in "auth" middleware. Now you will have full control where to redirect or the response sent.
EDIT: On Laravel 5.1, simply add protected $redirectPath = '/url/you/want'; to AuthController would do the trick.
REFER : http://laravel.com/docs/5.1/authentication#included-authenticating
On Laravel 5.1, it is completely moved to another middleware named RedirectIfAuthenticated.php under App\Http\Middleware
public function handle($request, Closure $next)
{
if ($this->auth->check()) {
return redirect('/'); //change this part to anywhere you wish to be redirected to
}
return $next($request);
}
Hope it helps.
could you please outputs php artisan route:list please
You are right you can set the following attributes:
protected $loginPath = 'xxx';
protected $redirectPath = 'xxx';
protected $redirectAfterLogout = 'xxx';
Set this attribute to you AuthController.php
Since your other question was marked as duplicate..I will try to answer it here..
First you need to change your route like
<?php
Route::get(config('constants.cms_path') . '/login', [
'as' => 'login',
'uses' => 'Auth\AuthController#getLogin'
]);
In your blade..make sure you use named route in the Login url link like
{{ route('login') }}
In Middleware/Authenticate.php change the redirect guest to
return redirect()->guest(config('constants.cms_path') . '/login');
To change the redirection after the login, you only have to go to app/Http/Controllers/Auth/LoginController.php and add that inside the class LoginController:
protected $redirectTo = '/redirect-url-here';
Same for redirection after a new users register, but in that case, on AuthController.php
For Laravel 5.4 You can set protected $redirectTo = '/'; in LoginController.php FILE.
Or in RegistersUsers.php file you can
protected function registered(Request $request, $user)
{
return redirect('tosomeRoute');
//Note: This code will run when
//The user has been registered
}

Categories