Authorization in Laravel routes by Groups

A couple of days ago I struggled to figure out how to put users into groups or roles so that I could permit or forbid any URL in my web app for a specific user, and it certainly was not as complicated as I had thought.
So, I took a detailed look at some of the methods found in the static routing class. This class becomes a powerful routing system for your app as long as you know how it is supposed to work. We normally use the same few methods (get, post and, rarely, match), but today I am going to show how to combine it with the much-mentioned Middleware, which we often do not approach properly.

Keep in mind that I won't pretend to teach anything hard to understand, but the outcome will help you get started, because I'll do my best to explain it by building a basic page that requires authorization by role.
First off, I'm going to prepare a fresh Laravel installation in a folder of my choice by running this in the terminal:

$ composer create-project --prefer-dist laravel/laravel example_project

After you've done the basic configuration, such as running chmod on the bootstrap/cache and storage folders, you'll see a very simple page showing a Laravel message when you open the app in the browser. If you want to set up the whole environment, I suggest you read this article that I wrote previously.
But today we're going to focus on a page that we will later block for any user who tries to access it without belonging to a specific group.

What does the Route class stand for?

We already know the Route class is a static one, which means we can call its methods directly with no need to instantiate an object of it. Laravel offers it with batteries included: besides the traditional HTTP verbs like get and post, we have other methods like put, patch, delete, options, group, and so on.
To show a page in the browser, we normally create a file under resources/views, named welcome.blade.php, which is a basic HTML template with CSS applied that shows the Laravel placeholder mentioned above. You can edit it however you wish, for example by adding CSS or JavaScript files under the public folder. This is also known as a view file.
But it does not work by itself; we need some configuration to show this file in the web browser. We tell Laravel how to do that through web.php, a file under the routes folder that is used to define every kind of URL for our app. In other words, the gorgeous page we made previously is managed by this file.

Here we define a closure as a parameter to the get method of the Route class, inside which we must reference our view file without the .blade.php part.
But what happens if we want to block this URL for users who don't belong to the admin group?

What is Middleware?

Middleware provide a convenient mechanism for filtering HTTP requests entering your application.

For example, if the user is not authenticated, the middleware will redirect the user to the login screen. However, if the user is authenticated, the middleware will allow the request to proceed further into the application.

Those are the words of the Laravel documentation itself. A middleware is the way we handle the humdrum processing of the app: the middleware captures the state at that moment and, if certain conditions are met, the app keeps executing its flow; otherwise the middleware stops the flow and shows something else on the screen.

How do we combine these powerful tools?

So, I've made a very basic implementation to keep a user out of a restricted area. It requires that you add a group_id column to the users table, which holds the group that the user belongs to.

Let’s create a middleware with the following command:

$ php artisan make:middleware Groups

This command will create a middleware under the app/Http/Middleware folder that looks like this:

Now you need to modify it a little so that it calls the Auth class and gets the group of the logged-in user.

You can see that I've added a third parameter, which is the group that will be allowed to access the URL. It must be the same as the group the user has; otherwise the page won't exist for that user.

Now, in the web.php file, let's wrap the previously defined route in this middleware. If we look at the Laravel documentation, there is a particular method that allows us to do this, the group method, like this:

The group method is how we call a specific middleware before the route itself is called. But if we go to the browser at this point, it won't work, because the middleware must first be registered in the Kernel.php file by adding the following entry at the end of the $routeMiddleware array:

'groups' => \App\Http\Middleware\Groups::class,

Notice that when I call the groups middleware, whatever comes after the colon is the parameter that is received on the other side by the method.
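The whole flow described above (the Groups middleware with its third parameter, and the route group that passes the value after the colon), as an added example that is not the original post's code. It assumes that group_id 1 is the admin group, that /admin is the restricted URL, and that guests are refused the same way as users from another group.

```php
<?php
// Added example, not the original post's code.
// ---- File: app/Http/Middleware/Groups.php ----

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class Groups
{
    /**
     * Allow the request only when the logged-in user's group_id equals
     * the value written after the colon in "groups:<value>".
     */
    public function handle($request, Closure $next, $group)
    {
        $user = Auth::user();

        // Fail closed: a guest, or a user with no group, never matches.
        // Middleware parameters always arrive as strings, so cast the
        // column before the strict comparison.
        $allowed = $user !== null
            && $user->group_id !== null
            && (string) $user->group_id === (string) $group;

        if (! $allowed) {
            abort(404); // the page "does not exist" for this user
        }

        return $next($request);
    }
}

// ---- File: routes/web.php (a separate file) ----
// Assumption: group_id 1 is the admin group; the /admin URL and the
// "welcome" view stand in for the restricted page.

use Illuminate\Support\Facades\Route;

Route::group(['middleware' => 'groups:1'], function () {
    Route::get('/admin', function () {
        return view('welcome');
    });
});
```

Every route declared inside the group closure inherits the check, so adding a restricted page means adding it inside the group rather than repeating the middleware on each route.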

And you're done. This does the trick with no problems and is easy to understand. However, if you run into any problems, do not hesitate to get in touch with me by leaving a comment below or following me on Twitter.

It is not the best way to do this, but it is an effective one. I know there's a library that implements a better system, Entrust, but doing it this way helps us understand how the concept can be applied.
