middleware (User roles) in laravel 5.2


I am developing a human resources system, for which I am using Laravel 5.2, but I am in a dilemma when using middleware. So far I have 3 types of roles: Administrator, Administrative and finally Teacher; these are my user roles.

Kernel.php

 protected $routeMiddleware = [
    'auth' => \App\Http\Middleware\Authenticate::class,
    'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
    'can' => \Illuminate\Foundation\Http\Middleware\Authorize::class,
    'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
    'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
    'super' => \App\Http\Middleware\Super::class,
    'docentes' => \App\Http\Middleware\docentes::class,
    'administrativo' => \App\Http\Middleware\Administrativo::class,
];

Here are the middlewares I created:

Authenticate.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class Authenticate
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string|null  $guard
     * @return mixed
     */
    public function handle($request, Closure $next, $guard = null)
    {
        if (Auth::guard($guard)->guest()) {
            if ($request->ajax() || $request->wantsJson()) {
                return response('Unauthorized.', 401);
            }
            // Check which kind of user this is: if it is a teacher, send them to the teacher login.
            if ($guard == 'docente') {
                return redirect()->guest('docente/login');
            }
            return redirect()->guest('login');
        }

        return $next($request);
    }
}

Note: here I manage two types of login.

Administrativo.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class Administrativo
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // `tipo` is the numeric role column of the user; 2 means "administrativo".
        $user = Auth::user();
        if ($user !== null && $user->tipo == 2) {
            return $next($request);
        }
        abort(403);
    }
}

I am not including the other middlewares because they have the same structure; only the tipo value changes.

My problem lies in creating the route groups and assigning them a URL: when the URL is repeated in another route group but with different middleware, I get a 403 error.

routes.php

Route::group(['middleware' => ['auth','super']], function () {
    Route::get('modules/personal/','PersonalController@inicio');
});

Route::group(['middleware' => ['auth','administrativo']], function (){
    Route::get('modules/personal/','PersonalController@inicio');
});

When I do this and I log in as administrativo the route works for me, but when I log in as a super user, it sends me to access denied.

So what would be the correct way to add permissions to the system using middleware?

I'm a little new to Laravel; thank you for your attention.

asked by Miguel Osorio 05.12.2016 at 15:57

2 answers


If you were using Laravel 5.3 you could authorize actions using Policies in the middleware:

use App\Post;

Route::put('/post/{post}', function (Post $post) {
    // The current user may update the post...
})->middleware('can:update,post');


I do not know if this is possible in 5.2. In case it is not, it is always best to follow the authorization options offered by Laravel: defining abilities and, if your application warrants it, Policies, which may be a bit complex at the beginning but will allow you to have a better separation of your logic.


If you definitely want to verify access to the routes through middleware, I would check the permissions in a single middleware, because what you are doing now is defining the route twice and calling both middlewares, besides making the routes harder to maintain, since they should be defined only once.

Your roles and priorities or hierarchy should be defined before using the middleware, which would produce a scheme similar to the abilities and policies explained above, but with a much poorer, less understandable and harder-to-maintain approach.

answered by 05.12.2016 / 16:58
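A single parameterised role middleware along the lines this answer suggests, written as an added example (not code from the question or the answer). The class name CheckRole, the alias role, and the tipo-to-role mapping other than tipo == 2 are assumptions; Laravel 5.2 middleware parameters are used so each route is defined once and lists every role allowed to reach it.

```php
<?php
// app/Http/Middleware/CheckRole.php (assumed file name, not from the question)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class CheckRole
{
    // Assumed mapping from the question's numeric `tipo` column to role names.
    // The question only confirms that tipo == 2 is "administrativo".
    protected $roles = [
        1 => 'super',
        2 => 'administrativo',
        3 => 'docentes',
    ];

    /**
     * Laravel 5.2 splits the text after the colon in 'role:super,administrativo'
     * on commas and passes each value as an extra argument after $next.
     * func_get_args() collects them without requiring PHP 5.6 variadics.
     */
    public function handle($request, Closure $next)
    {
        $allowed = array_slice(func_get_args(), 2);
        $user = Auth::user();

        // Fail closed instead of crashing if a route forgot the 'auth' middleware.
        if ($user === null) {
            return redirect()->guest('login');
        }

        $role = isset($this->roles[$user->tipo]) ? $this->roles[$user->tipo] : null;

        // Unknown tipo values are denied, not silently allowed.
        if ($role === null || !in_array($role, $allowed, true)) {
            abort(403);
        }

        return $next($request);
    }
}

// Kernel.php, in $routeMiddleware:
//     'role' => \App\Http\Middleware\CheckRole::class,
//
// routes.php, the route is defined once with every permitted role:
// Route::group(['middleware' => ['auth', 'role:super,administrativo']], function () {
//     Route::get('modules/personal/', 'PersonalController@inicio');
// });
```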

As far as I can see, you are only validating a single profile type (tipo == 2), that is, the others cannot access. You can also block the controllers from the constructor: `public function __construct() { $this->middleware('administrativo'); }`

answered by 17.12.2016 at 07:57