Kodeine edited this page Feb 23, 2015 · 11 revisions

Protecting Routes using middleware

Protecting routes is easy using middleware.

Parameter definitions:

  • validate that the user has a role: `['is' => 'administrator']`

  • validate that the user has permissions: `['can' => 'view.admin, update.user']`

  • protect controller methods: `['protect_alias' => 'user']` uses the permission alias `user` and protects CRUD methods depending on the permissions of that alias.

    For example, if the user has permission to view but not update, it will allow the HTTP GET method but not PUT. If you need to provide your own controller methods to protect, you have to define them as an array.

```php
['protect_alias' => 'user', 'protect_methods' => [
    'create' => ['someMethod', 'anotherMethod'],
    'read'   => ['readMethod', 'showMethod'],
    'view'   => ['readMethod', 'showMethod'], // it's the same as read.
    'update' => ['editMethod'],
    'delete' => ['destroyMethod']
]];
```
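The decision described above (view without update allows GET but not PUT), sketched as an added example that is not the package's own code. Assumptions of this example: the function names, the shape of the permission array, the POST and DELETE mappings, and denying any verb or controller method that maps to no action.

```php
<?php
// Added illustration, not the package's source.
// Assumed: POST => create, DELETE => delete, and deny when nothing matches.
const HTTP_TO_CRUD = [
    'GET'    => 'view',
    'POST'   => 'create',
    'PUT'    => 'update',
    'DELETE' => 'delete',
];

// Work out which CRUD action a request needs. With protect_methods the
// controller method decides; without it the HTTP verb does.
function requiredAction(string $verb, string $method, array $protectMethods = []): ?string
{
    if ($protectMethods === []) {
        return HTTP_TO_CRUD[strtoupper($verb)] ?? null;
    }
    foreach ($protectMethods as $action => $methods) {
        if (in_array($method, $methods, true)) {
            return $action === 'read' ? 'view' : $action; // read is the same as view
        }
    }
    return null; // controller method not listed under any action
}

// Allow only when an action was resolved and the alias grants it.
function isAllowed(array $aliasPermissions, ?string $action): bool
{
    return $action !== null && ($aliasPermissions[$action] ?? false) === true;
}

// Constructed sample: the 'user' alias grants view but not update.
$userAlias = ['create' => false, 'view' => true, 'update' => false, 'delete' => false];
$custom = [
    'view'   => ['readMethod', 'showMethod'],
    'update' => ['editMethod'],
];

$checks = [
    ['GET', 'index', []],            // verb-based: needs view
    ['PUT', 'update', []],           // verb-based: needs update
    ['POST', 'showMethod', $custom], // method-based: needs view despite POST
    ['GET', 'editMethod', $custom],  // method-based: needs update despite GET
    ['GET', 'exportAll', $custom],   // unlisted method: no action resolved
];
foreach ($checks as [$verb, $method, $map]) {
    $ok = isAllowed($userAlias, requiredAction($verb, $method, $map));
    printf("%-6s %-12s %s\n", $verb, $method, $ok ? 'allow' : 'deny');
}
```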


#### Protect route group

Protecting routes is easy. The following checks whether the user has an `administrator` role.

```php
Route::group(['prefix' => 'user', 
              'middleware' => ['auth', 'acl'],
              'is' => 'administrator'], function () {
    Route::resource('user', 'UsersController');
});
```

Or check if the user has an `administrator` role and has the permissions `create.user` and `delete.user`:

```php
Route::group(['prefix' => 'user', 
              'middleware' => ['auth', 'acl'],
              'is' => 'administrator',
              'can' => 'create.user, delete.user'], function () {
    Route::resource('user', 'UsersController');
});
```

Or protect CRUD methods by user permission alias. CRUD methods are determined by the HTTP GET, PUT, POST and DELETE methods, unless you define your own methods in `protect_methods`.

Note: `protect_alias` and `can` cannot be used in conjunction.

```php
Route::group(['prefix' => 'user', 
              'middleware' => ['auth', 'acl'],
              'is' => 'administrator',
              'protect_alias' => 'user'], function () {
    Route::resource('user', 'UsersController');
});
```

#### Protect route

Protecting a single route is as easy as protecting a route group. Simply use the same permission parameters.

```php
Route::get('/dashboard', [
    'uses'        => 'DashboardController@index',
    'middleware'   => ['auth', 'acl'],
    'is'           => 'administrator',
    'can'          => 'view.dashboard']);
```