I'm trying to use middlewares to protect routes based on role.
I'm testing with this route to allow only the role administrador
to be able to enter it.
Route::get('/gestionarMedicos', [PersonaController::class,'mostrarMedicos'])->name('personaMostrarMedicos')->middleware('auth','firstLogin','role:administrador');
This is the code of my middleware (in the route it's the one called role):
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserHasRole
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string  $role  value taken from the route's 'role:...' parameter
     * @return mixed
     */
    public function handle(Request $request, Closure $next, $role)
    {
        if (! $request->user()->hasRole($role)) {
            // Redirect...
            return back();
        }

        return $next($request);
    }
}
This is the code of the User model:
<?php

namespace App\Models;

use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Illuminate\Database\Eloquent\Model;

class User extends Authenticatable
{
    use HasFactory, Notifiable;

    /**
     * The attributes that are mass assignable.
     *
     * @var array
     */
    protected $fillable = [
        'role',
        'name',
        'email',
        'password',
        'idPersona',
        'estado',
    ];

    public function Persona()
    {
        return $this->belongsTo(Persona::class, 'idPersona');
    }

    /**
     * The attributes that should be hidden for arrays.
     *
     * @var array
     */
    protected $hidden = [
        'remember_token',
    ];

    /**
     * The attributes that should be cast to native types.
     *
     * @var array
     */
    protected $casts = [
        'email_verified_at' => 'datetime',
    ];

    public function hasRole($role)
    {
        // Queries the users table and returns a Collection of every user with this role
        return User::where('role', $role)->get();
    }
}
Some logic is not done right, because I can access the route even with users that don't have that role.
The dd() in the middleware was for testing; I get "administrador" with it.
I have tried Patrick Obafemi's solution, but I still have the same problem.
For testing I did a dd of what the if based on Patrick's answer results in, and it is false.
I'm not sure where the logic problem is.
I'm also going to post a picture of my database model if it helps in some way.
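Added example (not the poster's code and not Laravel itself): a plain PHP stand-in that reproduces why the posted hasRole() lets every user through, placed next to a fixed per-user comparison. The in-memory rows, the hasRoleBuggy() name and the authorize() helper are constructed for the demo; the 403 response is the stricter alternative to redirecting back.

```php
<?php
// Added example, not from the question. Plain PHP with no framework: the
// static $table stands in for the users table and the array_filter mimics
// User::where('role', $role)->get(), which ignores the current user entirely.

final class User
{
    /** Constructed sample rows, one administrador and one medico. */
    private static array $table = [
        ['name' => 'ana',  'role' => 'administrador'],
        ['name' => 'luis', 'role' => 'medico'],
    ];

    public function __construct(public string $name, public string $role) {}

    // Mirrors the posted hasRole(): a query over ALL users. The result is a
    // non-empty list (truthy) for any caller as soon as one administrador
    // exists, so the middleware's "if (! ...)" never fires.
    public function hasRoleBuggy(string $role): array
    {
        return array_filter(self::$table, fn ($row) => $row['role'] === $role);
    }

    // Hardened form: test the authenticated user's own role column only.
    public function hasRole(string $role): bool
    {
        return $this->role === $role;
    }
}

// Stand-in for the middleware decision. Returning 403 rather than back()
// makes a failed authorization explicit and easy to log and test.
function authorize(User $user, string $requiredRole, bool $useBuggy = false): int
{
    $allowed = $useBuggy
        ? (bool) $user->hasRoleBuggy($requiredRole)
        : $user->hasRole($requiredRole);

    return $allowed ? 200 : 403;
}

$medico = new User('luis', 'medico');
$admin  = new User('ana', 'administrador');

// Buggy check: the medico is allowed because some administrador exists.
echo 'buggy, medico: ', authorize($medico, 'administrador', true), PHP_EOL;
// Fixed check: only the user's own role counts.
echo 'fixed, medico: ', authorize($medico, 'administrador'), PHP_EOL;
echo 'fixed, admin:  ', authorize($admin, 'administrador'), PHP_EOL;
```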