Hello everyone, welcome back to justlaravel.com. In this post, I am going to show you how to use Middleware in your Laravel applications to restrict content or specific pages based on user role. This comes in very handy when you have a simple paid membership site where users who pay for a subscription can see pages that are not visible to other users. If you have admin, user, and super admin types of roles, Middleware in Laravel works well for that too.
Access control is an important aspect of any application dealing with user-specific content. It determines a user's ability to access specific components of the application.
The official docs on this are on the laravel.com site here.
So let’s get started.
Working Demo Project on Github
You can watch this video on YouTube here
First I will create 3 user roles (admin, super admin, member) for testing our middleware functionality. I will create them by using the Laravel authentication scaffolding. So run the following command,
Now that we have login and registration set up, I will modify the registration script to add a new field, “User Type”.
If you want to have custom authentication (sign-in/sign-up) instead of this Laravel scaffolding, I have made another post; you can look at it here.
First, add a new field to the user table: add the line $table->string('type'); to the user table create schema.
So locate the ###_create_users_table.php file in the database\migrations directory.
Now migrate the tables, run the following command,
Navigate to the registration blade file at \resources\views\auth\register.blade.php and, below the confirm password field, add a new select field as below,
Now the registration form looks like,
Middleware usage in Laravel – justlaravel.com
Now I will modify the controller to save the user type field in the database. I will add 'type' => $data['type'], to the create function at \app\Http\Controllers\Auth\RegisterController.php
Now the RegisterController’s create function will look like,
Also, I need to modify the model for the users table. Add type to the fillable array.
Go to \app\User.php and modify the $fillable array
Now the application is all ready to register users with a specific role.
So now I will create a middleware for each user role. In the terminal or command prompt, run the following command in the root of your app.
The above command creates a new AdminMiddleware.php file at \app\Http\Middleware\
Similarly, by running the following commands, you can create middlewares for the SuperAdmin and Member roles.
So open the AdminMiddleware.php file. There I check the user type, and if the user type is not admin, I display a message that this content is restricted to that user type.
Modify the handle() function as below,
Similarly for SuperAdminMiddleware,
and for MemberMiddleware,
Now that all the middleware files are ready, let’s make some separate routes for each user type.
So in the \routes\web.php file, I will group the routes for each middleware.
In the above snippet, I grouped all the admin-related routes. Actually, I have written only one route (/adminOnlyPage/), but you can write as many routes as you need there. Similarly for SuperAdmin,
And for Member,
In the above route snippets, I have set up some methods in HomeController, and in the middleware file I am passing an unauthorized view page.
So in that view, I will display a simple message, as below, in the file \resources\views\unauthorized.blade.php
And in HomeController, I just return a view for each user type link.
The view for middleware page.
And finally, after login, I will show 3 links, one for each user type, irrespective of which user is logged in.
In the file \resources\views\home.blade.php
So when you click on any of the links above, if the logged-in user has access to that page, it shows the content; otherwise a message shows that you are not authorized to access the page.
That is it about this application. Here I used a very generic example with only one route for each group to make it simple. You can extend this understanding to implement the way you want.
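As an added example (not the code from this post or from the demo project), the three per-role middlewares can be collapsed into one parameterized middleware that also handles guests and answers with a 403 status. The class name RoleMiddleware, the 'role' alias, the HomeController method name and the stored type strings ('admin', 'member') are assumptions; the 'unauthorized' view is the one described above and is assumed to need no variables.

```php
<?php
// Added example, not the tutorial's code: one parameterized middleware
// in place of AdminMiddleware / SuperAdminMiddleware / MemberMiddleware.
// File (assumed name): app/Http/Middleware/RoleMiddleware.php

namespace App\Http\Middleware;

use Closure;

class RoleMiddleware
{
    /**
     * Let the request through only if the logged-in user's `type`
     * column matches one of the roles listed on the route.
     */
    public function handle($request, Closure $next, ...$roles)
    {
        $user = $request->user();

        // Guest: there is no user object, so never dereference ->type.
        if ($user === null) {
            return redirect()->guest(route('login'));
        }

        // Strict comparison against an explicit allow-list. An empty
        // list (middleware used without parameters) denies everyone.
        if (! in_array($user->type, $roles, true)) {
            // Same 'unauthorized' view as the tutorial, sent with a 403
            // status so logs, caches and API clients see a denial.
            return response()->view('unauthorized', [], 403);
        }

        return $next($request);
    }
}

// app/Http/Kernel.php, inside $routeMiddleware (alias is an assumption):
//     'role' => \App\Http\Middleware\RoleMiddleware::class,
//
// routes/web.php (the HomeController method name is hypothetical):
//     Route::group(['middleware' => ['auth', 'role:admin']], function () {
//         Route::get('/adminOnlyPage', 'HomeController@adminOnlyPage');
//     });
//     // Several roles can share one group: 'role:admin,member'
```

The check is only as trustworthy as the type column: because the registration form above lets the visitor choose the user type, validate that field in RegisterController against the roles you allow for self-registration and assign the privileged ones separately.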