Laravel-permission: How to apply authorization on resource routes using spatie permissions

Created on 19 Jul 2018 · 9 Comments · Source: spatie/laravel-permission

To add another level of security, I was trying to apply authorization on routes.

What I did so far.
My Client Policy:
public function view(User $user, Client $client)
{
    return $user->hasPermissionTo('clients.view');
}
and similar for edit, create and delete.

In web.php:
Route::resource('clients', 'ClientController')->except(['show'])->middleware('can:clients.view, clients.create, clients.update, clients.delete');
It seems that I was giving all permissions to every user.

Does anyone have any idea how I should implement spatie permissions on resource routes for authorization?
Thank you.

All 9 comments

I would think the best way for this is to use Laravel Policies.
Here's an example:
https://github.com/drbyte/spatie-permissions-demo/commit/fbb35a3589f57453a37c99dab2a265e97e3bb301

You may want to use authorizeResource in your controller constructor -- example in https://josephsilber.com/posts/2016/08/03/authorization-improvements-in-laravel-5-3

Thanks, @drbyte. I have already used authorizeResource in my controller, but I want one more level of security. For that, I was trying to implement authorization in the route, and I want to make sure that an unauthorized person will not be able to even enter the controller.

You said you used:
->middleware('can:clients.view, clients.create, clients.update, clients.delete')
Did you try:
->middleware('permission:clients.view|clients.create|clients.update|clients.delete')

To expand on this - I am struggling with route resources.

If I do this it works great:
Route::get('users', 'UsersController@index')->middleware('permission:view-users');

However, I have a resource in my web routes like so: Route::resource('users', 'UsersController');

What is the best way to authorise within the controller?

Edit: I believe I have sussed it...

public function __construct()
{
    $this->middleware('permission:view-users', ['only' => ['index, show']]);
    $this->middleware('permission:add-users', ['only' => ['create','store']]);
    $this->middleware('permission:edit-users', ['only' => ['edit','update']]);
    $this->middleware('permission:delete-users', ['only' => ['destroy']]);
}

Turns out this didn't work...

public function __construct()
{
    $this->middleware('permission:view-users', ['only' => ['index, show']]);
}

I am unsure why.

@can works perfectly in blade templates.
Route::get('users', 'UsersController@index')->middleware('permission:view-users'); works fine in the web routes file.

Fixed - this did it!

$this->middleware('permission:view-users')->only('index', 'show');

Did anyone find a way to use this in the routes file?

Fixed - this did it!

$this->middleware('permission:view-users')->only('index', 'show');

Thanks buddy it worked. In my controller I used this technique like this:

$this->middleware('auth');
$this->middleware('permission:list-post')->only('index');
$this->middleware('permission:create-post')->only('create');
$this->middleware('permission:view-post')->only('view');
$this->middleware('permission:edit-post')->only('edit');
$this->middleware('permission:delete-post')->only('destroy');
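
An added example, not code from any commenter or from the spatie/laravel-permission project: a plain-PHP audit that lists which resource actions end up with no `permission:` middleware for the constructor declarations posted in this thread. `middlewareApplies()` and `unguardedActions()` are hypothetical helpers; the exact-name matching of `only` entries is a simplified model assumed here, as is a standard seven-action resource controller.

```php
<?php
// The seven actions Route::resource() registers for a controller.
const RESOURCE_ACTIONS = ['index', 'create', 'store', 'show', 'edit', 'update', 'destroy'];

// Simplified model (assumption) of the 'only'/'except' filter on controller
// middleware: an action matches only if its exact name is a list entry.
function middlewareApplies(string $action, array $options): bool
{
    if (isset($options['only']) && !in_array($action, (array) $options['only'], true)) {
        return false;
    }
    return empty($options['except']) || !in_array($action, (array) $options['except'], true);
}

// Returns the resource actions that no "permission:" middleware covers.
function unguardedActions(array $declarations): array
{
    return array_values(array_filter(RESOURCE_ACTIONS, function (string $action) use ($declarations): bool {
        foreach ($declarations as [$middleware, $options]) {
            if (strpos($middleware, 'permission:') === 0 && middlewareApplies($action, $options)) {
                return false; // guarded by a permission check
            }
        }
        return true; // only non-permission middleware (or none) applies
    }));
}

// Constructed inputs that mirror the constructor declarations quoted in the thread.
$others = [
    ['permission:add-users',    ['only' => ['create', 'store']]],
    ['permission:edit-users',   ['only' => ['edit', 'update']]],
    ['permission:delete-users', ['only' => ['destroy']]],
];
$audits = [
    "only => ['index, show']" => array_merge([['permission:view-users', ['only' => ['index, show']]]], $others),
    "only('index', 'show')"   => array_merge([['permission:view-users', ['only' => ['index', 'show']]]], $others),
    'one action per permission' => [
        ['auth', []],
        ['permission:list-post',   ['only' => ['index']]],
        ['permission:create-post', ['only' => ['create']]],
        ['permission:view-post',   ['only' => ['view']]],
        ['permission:edit-post',   ['only' => ['edit']]],
        ['permission:delete-post', ['only' => ['destroy']]],
    ],
];
foreach ($audits as $label => $declarations) {
    printf("%-26s unguarded: %s\n", $label, implode(', ', unguardedActions($declarations)) ?: 'none');
}
```

An action reported as unguarded has no permission middleware attached, so only whatever other checks exist (for example `auth` or a policy) stand in front of it.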