Crud: How to add middleware or check permissions?

Created on 25 May 2017 · 4 Comments · Source: Laravel-Backpack/CRUD

Controllers and routes are hidden in vendor folder.

How to add middleware for routes and controllers?

Example: check if user can "edit-pages"

$this->middleware('permission:edit-pages');

All 4 comments

You can add them in the routing section as normal.

You can add middleware in the controller as normal.

(e.g. by overriding the various methods which can be found using php routes list - search for crud).

@lloy0076

thanks!
Hope this code helps other people (wouldn't hurt having this in documentation)

How to add permissions to controllers

Example: restrict "create" method in "AnuncioController"
(means ad in Spanish)

Add permission in permission manager

Override create method in controller, with permission checking via Gate

(remember to add "use Gate" )

use Gate;
class AnuncioController extends CrudController
{
    public function create(){
        if(Gate::denies('anuncio-create')){
            abort(403);
        }
        return parent::create();
    }
...
}

Now you can give access to that particular function with permission manager

Functions you can override

  • index
  • create
  • edit
  • show
  • destroy

_Functions "store" and "update" are already available in your controller, extending "storeCrud" and "updateCrud"_

You may also restrict all access via a middleware in __construct()

class AnuncioController extends CrudController
{

    public function __construct(){
        $this->middleware('permission:anuncio-manage');
        parent::__construct();        
    }
...
}

You need to have a middleware like this

(as recommended in https://github.com/spatie/laravel-permission)

<?php
namespace App\Http\Middleware;

use Closure;
use Auth;

class PermissionMiddleware
{
    public function handle($request, Closure $next,$permission)
    {    
        //if not logged in, deny
        if (Auth::guest()) {
            abort(403);
        } 

        //check permission        
        if (!$request->user()->can($permission)) {
           abort(403);
        }

        return $next($request);
    }
}

If you want to allow admin role to everything, add this code to AuthServiceProvider

class AuthServiceProvider extends ServiceProvider
{
  ...
    public function boot()
    {
        $this->registerPolicies();

        // Admin has all permissions:
        Gate::before(function ($user, $ability) {
            if ($user->hasRole('admin')) {
                return true;
            }
        });
    }
}
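
An added example (not from the thread or from Backpack itself) that combines the two approaches in the comment above: a baseline permission on every action, plus per-action permissions that cover each write endpoint together with its form, since a check placed only in create() does not run for store(). It assumes PermissionMiddleware is registered under the alias `permission`, that the controller lives in `App\Http\Controllers\Admin`, and that `anuncio-update` and `anuncio-delete` (hypothetical names) exist in the permission manager.

```php
<?php
// Added example. Assumes app/Http/Kernel.php registers the middleware alias:
//     protected $routeMiddleware = [
//         'permission' => \App\Http\Middleware\PermissionMiddleware::class,
//     ];

namespace App\Http\Controllers\Admin; // assumed location of the controller

use Backpack\CRUD\app\Http\Controllers\CrudController;

class AnuncioController extends CrudController
{
    public function __construct()
    {
        // Baseline: every action on this controller, including ones not
        // listed below, requires 'anuncio-manage' (default deny).
        $this->middleware('permission:anuncio-manage');

        // Stricter checks per action. Each form is paired with the endpoint
        // that processes it, so the POST/PUT/DELETE routes are covered too.
        // 'anuncio-update' and 'anuncio-delete' are hypothetical names.
        $actionPermissions = [
            'anuncio-create' => ['create', 'store'],
            'anuncio-update' => ['edit', 'update'],
            'anuncio-delete' => ['destroy'],
        ];

        foreach ($actionPermissions as $permission => $actions) {
            // only() limits this middleware to the named action methods.
            $this->middleware('permission:' . $permission)->only($actions);
        }

        parent::__construct();
    }
}
```

With this layout a user needs `anuncio-manage` plus the action-specific permission; users with the `admin` role still pass everything through the `Gate::before` hook shown above.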

@eduardoarandah - thanks a lot for posting your solution. Will definitely help others that get stuck in the same place.

Cheers!
