
I'm using Spatie's laravel-permission package and created roles and permissions in my application, and wrote a bypass for the super-admin role, as specified in their docs, in the AuthServiceProvider. It worked like a charm, and then suddenly it stopped working for no apparent reason, returning a 403 error. I already rebooted the server and cleared the route cache. I can't find the reason why this stopped working...

Here are my AuthServiceProvider and routes

AuthServiceProvider :

// imports assumed for this snippet; adjust the User namespace to your app (App\User on older Laravel versions)
use App\Models\User;
use Illuminate\Support\Facades\Gate;

public function boot()
{
    $this->registerPolicies();

    // allows super-admin everywhere in the app:
    // a non-null return from a before callback short-circuits every Gate check,
    // null lets the regular ability/permission check run
    Gate::before(function (User $user) {
        return $user->hasRole('super-admin') ? true : null;
    });
}

Routes:

// admin only management
Route::group(['prefix' => 'admin', 'middleware' => ['role:writer']], function () {

    //admin dashboard
    Route::get('/dashboard', [AdminController::class, 'index'])->name('admin.dashboard');

    // blog management
    Route::get('articles', [AdminArticles::class, 'index'])->name('admin.articles.index');
    Route::get('articles/create', [AdminArticles::class, 'create'])->name('admin.articles.create');
    Route::get('articles/my-articles', [AdminArticles::class, 'myArticles'])->name('admin.articles.myArticles');
    Route::get('articles/{article}/edit', [AdminArticles::class, 'edit'])->name('admin.articles.edit');
    Route::get('articles/{article}/delete', [AdminArticles::class, 'destroy'])->name('admin.articles.destroy');
    Route::put('articles/{article}', [AdminArticles::class, 'update'])->name('admin.articles.update');
    Route::post('articles', [AdminArticles::class, 'store'])->name('admin.articles.store');
});

Route::group(['prefix' => 'admin', 'middleware' => ['role:super-admin']], function() {
    //pages
    Route::get('/homepage', [HomepageController::class, 'create'])->name('admin.home.create');
    Route::get('/homepage/{homepage}/edit', [HomepageController::class, 'edit'])->name('admin.home.edit');
    Route::put('/homepage/{homepage}', [HomepageController::class, 'update'])->name('admin.home.update');
    Route::post('/homepage', [HomepageController::class, 'store'])->name('admin.home.store');

    //users
    Route::get('users', [UsersController::class, 'index'])->name('users.index');
    Route::get('users/json', [UsersController::class, 'usersJson'])->name('users.json');
    Route::get('users/create', [UsersController::class, 'create'])->name('users.create');
    Route::get('users/{user}/delete', [UsersController::class, 'destroy'])->name('users.destroy');
    Route::get('users/{user}/edit', [UsersController::class, 'edit'])->name('users.edit');
    Route::put('users/{user}', [UsersController::class, 'update'])->name('users.update');
    Route::post('users', [UsersController::class, 'store'])->name('users.store');
});
  • Are you getting an error? You said that it stopped working, but what happens when you try to access any route which requires the superadmin role? Please explain it. Otherwise I would prefer to remove the Gate method from AuthServiceProvider and make your own middleware that checks the user's role, and only if the role is superadmin can he access the routes – Shailendra Mar 29 '21 at 18:09
  • 1
    When I access a route with super-admin role I get to it as usual, but when I access a route with writer role I get a 403 error, not authorized. Maybe I should make a middleware indeed, but it's too bad, the Gate should work... I could also just add super-admin access in each of my routes, but this loses the concept of the bypass and the role needs to be specified as any other role. – ABCrafty Mar 29 '21 at 23:16
  • Were you able to solve the problem? I am having the same issue, though mine happened after I refactored my code and changed the models' namespaces – Adesina Azeez Jan 10 '22 at 13:10

1 Answer

0

It seems like the Gate only comes into play if you are granting access through "permissions", not through "roles", as in your case.

What I mean is that if you were using:

// admin only management
Route::group(['prefix' => 'admin', 'middleware' => ['permission:write']], function () {

instead of

// admin only management
Route::group(['prefix' => 'admin', 'middleware' => ['role:writer']], function () {

It would work.
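The behaviour the answer describes, shown as a plain-PHP model rather than the asker's or Spatie's code: Laravel's `$user->can()` consults the Gate, so a `Gate::before()` callback runs for the `permission:` middleware, whereas the `role:` middleware asks `$user->hasRole()` directly and never touches the Gate. The `DemoGate`/`DemoUser` classes, the two middleware helper functions and the two in-memory users are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the question, the answer or the Spatie package.
// DemoGate and DemoUser are simplified stand-ins for Laravel's Gate and the
// HasRoles user model; the two helper functions reduce each middleware to the
// single check it performs.

final class DemoGate
{
    /** @var list<callable> */
    private static array $before = [];

    public static function before(callable $callback): void
    {
        self::$before[] = $callback;
    }

    // A "before" callback that returns non-null decides the check outright;
    // null means "no opinion", so the ordinary permission lookup runs.
    public static function allows(DemoUser $user, string $ability): bool
    {
        foreach (self::$before as $callback) {
            $decision = $callback($user, $ability);
            if ($decision !== null) {
                return (bool) $decision;
            }
        }
        return $user->hasDirectPermission($ability);
    }
}

final class DemoUser
{
    /**
     * @param list<string> $roles
     * @param list<string> $permissions
     */
    public function __construct(
        public string $name,
        private array $roles,
        private array $permissions,
    ) {
    }

    public function hasRole(string $role): bool
    {
        return in_array($role, $this->roles, true);
    }

    public function hasDirectPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }

    // Stand-in for Laravel's $user->can(): the check is routed through the Gate.
    public function can(string $ability): bool
    {
        return DemoGate::allows($this, $ability);
    }
}

// What the two route middlewares effectively ask, reduced to the decisive check.
function roleMiddlewareAllows(DemoUser $user, string $role): bool
{
    return $user->hasRole($role);          // the Gate is never consulted
}

function permissionMiddlewareAllows(DemoUser $user, string $permission): bool
{
    return $user->can($permission);        // Gate::before() runs first
}

// The super-admin bypass from the question, registered on the demo gate.
DemoGate::before(fn (DemoUser $user) => $user->hasRole('super-admin') ? true : null);

// Constructed sample users: a super-admin with no permissions of her own, and a
// writer who holds the 'write' permission directly (in Spatie it would usually
// be attached to the writer role instead).
$users = [
    new DemoUser('alice', ['super-admin'], []),
    new DemoUser('bob', ['writer'], ['write']),
];

foreach ($users as $user) {
    printf(
        "%-5s  role:writer -> %-5s  permission:write -> %s\n",
        $user->name,
        var_export(roleMiddlewareAllows($user, 'writer'), true),
        var_export(permissionMiddlewareAllows($user, 'write'), true),
    );
}
```

Run with `php demo.php` (PHP 8.0 or newer). The super-admin is refused by the role check and accepted by the permission check, while the writer passes both, which is exactly the 403 pattern reported in the comments. The practical consequence for a real application is that the `role:writer` group has to become a `permission:` group for the bypass to apply, and the writer role then needs that permission actually granted to it; otherwise writers would lose access instead of super-admins gaining it.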