Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
183 views
in Technique[技术] by (71.8m points)

Can't protect Routes based on role Laravel 8

I'm trying to use middlewares to protect Routes based on role.

Im testing with this route to allow only the role administrador to be able to enter it.

Route::get('/gestionarMedicos', [PersonaController::class,'mostrarMedicos'])->name('personaMostrarMedicos')->middleware('auth','firstLogin','role:administrador');

This is code of my middleware (in the route its the one called route)

<?php

namespace AppHttpMiddleware;

use Closure;
use IlluminateHttpRequest;

class EnsureUserHasRole
{
    /**
     * Handle an incoming request.
     *
     * @param  IlluminateHttpRequest  $request
     * @param  Closure  $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next, $role)
    {

        if (! $request->user()->hasRole($role)) {
            // Redirect...
            return back();
        }
        return $next($request);


    }
}

This is the code of the User model

<?php

namespace AppModels;

use IlluminateContractsAuthMustVerifyEmail;
use IlluminateDatabaseEloquentFactoriesHasFactory;
use IlluminateFoundationAuthUser as Authenticatable;
use IlluminateNotificationsNotifiable;
use IlluminateDatabaseEloquentModel;

class User extends Authenticatable
{
    use HasFactory, Notifiable;

    /**
     * The attributes that are mass assignable.
     *
     * @var array
     */
    
    protected $fillable = [
        'role',
        'name',
        'email',
        'password',
        'idPersona',
        'estado'
    ];
    
    public function Persona(){
        return $this->belongsTo(Persona::class,'idPersona');
    }
    /**
     * The attributes that should be hidden for arrays.
     *
     * @var array
     */
    protected $hidden = [
        'remember_token'
    ];

    /**
     * The attributes that should be cast to native types.
     *
     * @var array
     */
    protected $casts = [
        'email_verified_at' => 'datetime',
    ];

    public function hasRole($role)
    {
        return User::where('role', $role)->get();
    }
}

Some logic is not done right because I can access the Route even with users that doesn't have that role

The dd() in the middleware was for testing, I get "administrador" with it.

I have tried Patrick Obafemi solution but I still have the same problem.

For testing I did a dd of what the if based on Patrcik answer result is and it is false.

I'm not sure where is the logic problem.

Value of condition false

I'm also going to post a picture of my database model if it helps in some way.

Database model

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The question is answered in the link below.

Middleware doesn't protect routes based on role

It also covers how to protect routes in the case you need to do it for multiple roles. The condition is wrong because it gives a collection of the users that have the role administrador. The condition should be like this to only allow a desired role to access the Route

if (!$request->user() || $request->user()->role != $role) {
        // Redirect...
                       
        return back();
    }

For multiple roles you can visit the link where the answer explains how to allow multiple desired roles to access the Route.

Maybe Patrick answer is right but question was also answered here.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...