Protect Routes
Protecting routes is easy using middleware.
- validate if user has a role: `['is' => 'administrator']`
- validate if user has permissions: `['can' => 'view.admin, update.user']`
- protect controller methods: `['protect_alias' => 'user']` will use the permission alias of `user` and will protect CRUD methods depending on the permissions of that alias. For example, if a user has permission to view but not update, it will allow the HTTP GET method but not PUT. If you need to provide your own controller methods to protect, you have to define them as an array:

  ```php
  ['protect_alias' => 'user', 'protect_methods' => [
      'create' => ['someMethod', 'anotherMethod'],
      'read'   => ['readMethod', 'showMethod'],
      'view'   => ['readMethod', 'showMethod'], // same as read
      'update' => ['editMethod'],
      'delete' => ['destroyMethod']
  ]];
  ```
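The `protect_alias` rule described above, as a simplified stand-alone model (an added example, not the package's own code). The function names `requiredCrud` and `isAllowed`, the `<crud>.<alias>` permission naming and the deny-when-unmapped behaviour are assumptions made for illustration.

```php
<?php
// Simplified model of the protect_alias rule; hypothetical helpers, not the package's code.
// Assumption: permissions are named "<crud>.<alias>", as in 'view.admin' and 'update.user'.

// Default mapping from HTTP verb to CRUD action (the page names GET, PUT, POST, DELETE).
const VERB_TO_CRUD = ['GET' => 'view', 'POST' => 'create', 'PUT' => 'update', 'DELETE' => 'delete'];

/**
 * Resolve which CRUD action a request needs.
 * With a 'protect_methods' array the controller method name decides;
 * otherwise the HTTP verb does. Returns null when nothing matches.
 */
function requiredCrud(string $verb, string $controllerMethod, array $protectMethods = []): ?string
{
    if ($protectMethods !== []) {
        foreach ($protectMethods as $crud => $methods) {
            if (in_array($controllerMethod, $methods, true)) {
                return $crud === 'read' ? 'view' : $crud; // 'read' is the same as 'view'
            }
        }
        return null;
    }
    return VERB_TO_CRUD[strtoupper($verb)] ?? null;
}

/** Allow only when the user holds "<crud>.<alias>"; an unmapped request is denied (assumption). */
function isAllowed(array $userPermissions, string $alias, ?string $crud): bool
{
    return $crud !== null && in_array("$crud.$alias", $userPermissions, true);
}

// Constructed sample: a user who may view users but not update them.
$permissions = ['view.user'];

// Default verb mapping: a GET request, then a PUT request, against alias 'user'.
var_dump(isAllowed($permissions, 'user', requiredCrud('GET', 'show')));
var_dump(isAllowed($permissions, 'user', requiredCrud('PUT', 'update')));

// Custom controller methods, in the shape of the 'protect_methods' array above:
// the method name, not the verb, now selects the permission that is checked.
$custom = ['read' => ['readMethod', 'showMethod'], 'update' => ['editMethod']];
var_dump(isAllowed($permissions, 'user', requiredCrud('GET', 'showMethod', $custom)));
var_dump(isAllowed($permissions, 'user', requiredCrud('GET', 'editMethod', $custom)));
```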
#### Protect route group
You may protect a route group by using:

```php
// check if user has an `administrator` role.
Route::group(['prefix' => 'user',
              'middleware' => ['auth', 'acl'],
              'is' => 'administrator'], function () {
    Route::resource('user', 'UsersController');
});
```

Or

```php
// check if user has an `administrator` role
// and has permissions create.user, delete.user
Route::group(['prefix' => 'user',
              'middleware' => ['auth', 'acl'],
              'is' => 'administrator',
              'can' => 'create.user, delete.user'], function () {
    Route::resource('user', 'UsersController');
});
```

Or protect CRUD methods.

Note: `protect_alias` and `can` methods cannot be used in conjunction.

```php
// check if user has an `administrator` role
// and protect crud methods by the `user` alias.
// crud methods are determined by HTTP GET, PUT, POST, DELETE methods
// unless you define your own crud methods.
Route::group(['prefix' => 'user',
              'middleware' => ['auth', 'acl'],
              'is' => 'administrator',
              'protect_alias' => 'user'], function () {
    Route::resource('user', 'UsersController');
});
```