A more appropriate option would be to override the login method, to determine whether the user can log in before authentication, and not after, as you are doing in this case.
I think you are working with version 5.2? In that version, this is the code that calls the authenticated function:
    /**
     * Send the response after the user was authenticated.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  bool  $throttles
     * @return \Illuminate\Http\Response
     */
    protected function handleUserWasAuthenticated(Request $request, $throttles)
    {
        if ($throttles) {
            $this->clearLoginAttempts($request);
        }

        if (method_exists($this, 'authenticated')) {
            return $this->authenticated($request, Auth::guard($this->getGuard())->user());
        }

        return redirect()->intended($this->redirectPath());
    }
As you can see, it is executed after authentication.
Another option, easier but less recommended, that would work with the current code is to log out when it is determined that the email has not been verified:
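    // Requires in the controller: use Illuminate\Support\Facades\Auth;
    protected function authenticated($request, $user)
    {
        if ($user->confirmed == 1) {
            if ($user->hasRole('Admin')) {
                return redirect()->intended('admin/index');
            } elseif ($user->hasRole('Tutor')) {
                return redirect()->intended('admin/index');
            }

            // Confirmed user with neither role: use the default redirect
            // so this method never returns null.
            return redirect()->intended($this->redirectPath());
        }

        // Email not confirmed: end the session that was just created.
        Auth::logout();
        return redirect('/login');
    }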
Answer supplemented by the OP based on the comments:
I managed to block access by overriding the login method in this way:
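    // Requires in the controller:
    //   use Illuminate\Http\Request;
    //   use Illuminate\Support\Facades\DB;
    public function login(Request $request)
    {
        $this->validateLogin($request);

        // Look up the confirmation flag before attempting authentication.
        $validado = DB::table('users')->where('email', $request->email)->value('confirmed');

        if ($validado == 1) {
            if ($this->hasTooManyLoginAttempts($request)) {
                $this->fireLockoutEvent($request);
                return $this->sendLockoutResponse($request);
            }

            if ($this->attemptLogin($request)) {
                return $this->sendLoginResponse($request);
            }
        }

        // Unconfirmed account or wrong credentials: count the attempt and
        // return the failed-login response, so every path returns a response.
        $this->incrementLoginAttempts($request);
        return $this->sendFailedLoginResponse($request);
    }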