I have made a middleware for admin routes

public function handle(Request $request, Closure $next)
{
   if (!auth()->check() || !auth()->user()->is_admin) {
        abort(401);
    }

    return $next($request);
}

and I have registered it in kernel.php

protected $middlewareAliases = [
    'auth' => Authenticate::class,
    'admin' => AdminCheck::class,
];

then I added the middleware to my routes

Route::group(['middleware' => ['auth', 'admin', 'verified', 'no-cache']], function () {
    // admin routes
});

This is for my normal users

Route::group(['middleware' => ['auth', 'verified', 'no-cache']], function () {
    // routes for normal users
});

The problem is, when I am logged in as admin, besides seeing my admin area, I can also visit the other routes that normally logged-in users see.

How can I prevent that? I mean, if I'm logged in as admin it should be so that I can't visit other routes for normal users.

Comment: You can create a NotAdminCheck middleware and apply it to your normal users' routes. (May 15 at 18:23)

2 Answers

It looks like you want users and admins to be completely separate entities since they don't share the same routes. In that case, I recommend setting up two distinct guards. This way, you won't need any additional middleware - Laravel's built-in auth middleware handles it for you.

// config/auth.php
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'admin' => [
        'driver' => 'session',
        'provider' => 'admins',
    ],
],
'providers' => [
    'users' => [
        'driver' => 'eloquent',
        'model' => App\Models\User::class,
    ],
    'admins' => [
        'driver' => 'eloquent',
        'model' => App\Models\Admin::class,
    ],
],
// routes/web.php
Route::middleware(['auth'])->group(function () {
    // Routes for regular users
});

Route::prefix('admin')->middleware(['auth:admin'])->group(function () {
    // Routes for admins
});

To fix this, you’ll need to explicitly block admins from accessing those "normal user" routes.


✅ Here's how you can do it:

1. Create a middleware for normal users only

Let’s call it EnsureUserIsNotAdmin.

// app/Http/Middleware/EnsureUserIsNotAdmin.php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserIsNotAdmin
{
    public function handle(Request $request, Closure $next)
    {
        if (auth()->check() && auth()->user()->is_admin) {
            abort(403); // Forbidden
        }

        return $next($request);
    }
}

2. Register this middleware in Kernel.php

protected $middlewareAliases = [
    'auth' => \App\Http\Middleware\Authenticate::class,
    'admin' => \App\Http\Middleware\AdminCheck::class,
    'not-admin' => \App\Http\Middleware\EnsureUserIsNotAdmin::class,
];

3. Apply it to your "normal user" routes

Route::group(['middleware' => ['auth', 'verified', 'not-admin', 'no-cache']], function () {
    // Routes only for normal users
});

✅ What happens now?

  • Admins will only be able to access routes with the admin middleware.

  • If they try to access routes for normal users, they’ll get a 403 Forbidden error.

  • Normal users will stay unaffected.
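A feature test that checks the separation this answer sets up, as an added example that is not part of either answer. It assumes the `admin` and `not-admin` aliases registered above, a `users` table with an `is_admin` boolean that the `User` factory accepts, and the question's `AdminCheck` still aborting with 401 for non-admins.

```php
<?php
// tests/Feature/RouteSegregationTest.php (added example; assumes the 'admin'
// and 'not-admin' aliases above, a User factory accepting is_admin, and the
// question's AdminCheck aborting with 401).

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class RouteSegregationTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();

        // Constructed routes mirroring the two groups from the question
        // ('verified' and 'no-cache' are left out to keep the test focused).
        Route::middleware(['auth', 'admin'])->get('/admin-area', fn () => 'admin');
        Route::middleware(['auth', 'not-admin'])->get('/user-area', fn () => 'user');
    }

    public function test_admin_is_kept_out_of_user_routes(): void
    {
        $admin = User::factory()->create(['is_admin' => true]);

        $this->actingAs($admin)->get('/admin-area')->assertOk();
        $this->actingAs($admin)->get('/user-area')->assertForbidden(); // 403 from not-admin
    }

    public function test_normal_user_is_kept_out_of_admin_routes(): void
    {
        $user = User::factory()->create(['is_admin' => false]);

        $this->actingAs($user)->get('/user-area')->assertOk();
        $this->actingAs($user)->get('/admin-area')->assertStatus(401); // AdminCheck abort(401)
    }

    public function test_guest_is_rejected_by_auth_first(): void
    {
        // JSON requests make Authenticate answer 401 instead of redirecting to login.
        $this->getJson('/admin-area')->assertUnauthorized();
        $this->getJson('/user-area')->assertUnauthorized();
    }
}
```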
