How to check user Permissions using Custom Middleware in Laravel

Question

I'm developing a Laravel ACL System. My base Table's are users,roles,permissions and pivot tables are role_user,role_permission,user_permission.

I want to check User Permissions using my custom middleware HasPermission. I have tried this way but it's not working properly. every user can access the all the permissions which have or have not.

Now, How can I solve the issue. Please see my code sample.

My Controller.

function __construct()
{
    $this->middleware('auth');
    $this->middleware('HasPermission:Role_Read|Role_Update|Role_Delete');
}

My Middleware.

class HasPermission
{

public function handle($request, Closure $next,$permissions)
{

    $permissions_array = explode('|', $permissions);
    // $user = $this->auth->user();
    foreach($permissions_array as $permission){
        if(!$request->user()->hasPermission($permission)){
            return $next($request);
        }
    }

    return redirect()->back();

 }
}

and, my User Model method.

public function user_permissions()
{
    return $this->belongsToMany(Permission::class,'user_permission');
}

public function hasPermission(string $permission)
{
    if($this->user_permissions()->where('name', $permission)->first())
    {
        return true;
    }
    else
    {
        return false;
    }

}

Answer 1

Best way to do is that you need to introduce an new service provider and in that you can check the authorization and permissions.

I made a test project (last year) for db driven permission and I used service provider.

That's the perfect way to implement.

Answer 2

Basically !$request->user()->hasPermission($permission) is saying if the user associated with the request does not have this permission the middleware passes, however this is not what you want. Here's what you should do:

If you need the user to have one of the stated permissions you need to do:

class HasPermission
{

    public function handle($request, Closure $next,$permissions)
    {

        $permissions_array = explode('|', $permissions);
        foreach($permissions_array as $permission){
            if ($request->user()->hasPermission($permission)){
                return $next($request);
            }
        }    
       return redirect()->back();    
    }
}

If you want the user to have all stated permissions you need to do:

class HasPermission
{

    public function handle($request, Closure $next,$permissions)
    {

        $permissions_array = explode('|', $permissions);
        foreach($permissions_array as $permission){
            if (!$request->user()->hasPermission($permission)){
                return redirect()->back();                        
            }
        }    
        return $next($request);
    }
}

As an added note if you want to do this in a more elegant way you can do:

class HasPermission
{

    public function handle($request, Closure $next, ...$permissions_array)
    {    
       //Function body from above without the explode part
    }
}

And

function __construct()
{
   $this->middleware('auth');
   $this->middleware('HasPermission:Role_Read,Role_Update,Role_Delete');
}

If you use commas then the framework will split the string into arguments for you .

Answer 3

In my case i just added simple function to get permissions from database and then check it Middleware. Check this code:

// Add new function to get permissions from database

public static function user_permissions($user) {

$permissions=DB::table('permissions')->where('user_id', $user)->first();
return $permissions; 

}

// In Middleware check your permissions

   if(Auth::guest())
    {
        return redirect('/');
    }

elseif(Functions::user_permissions(Auth::user()->id)->user_managment != 1) {

 return redirect('/');

} else {
    return $next($request);
}

Answer 4

In web.php/api.php:

Route::middleware('hasPermission')->group(function() { // for all routes
    Route::get('/article', [ArticleController::class, 'index'])->name('article.index');
});

in middleWare:

class HasPermission
{

    public function handle($request, Closure $next)
    {
        $routeName = Request::route()->getName();
        $permission = $user->permissions()->where('route_name', $routeName)->first();
        if ( ! empty($permission)){
            return redirect()->back();                        
        }
        return $next($request);
    }
}