Part 3/3 - How to use Roles and Permissions to protect routes with middleware in Laravel 10

Captions
Hey guys, welcome back. So guys, in the past two videos we have seen how to create the complete Spatie user roles and permission CRUD operation management from scratch, okay. So now guys, in this video we will be seeing how to use these roles and permissions to manage and protect the routes in our Laravel application, okay. So let me just, uh, underline here: manage and protect the routes in the Laravel application. So basically, protecting a route means when a user is trying to access a certain route for which he does not have permission, then we will not allow the user to access that route or page, okay. So guys, let's see with an example: if the user role is staff, he cannot delete the product, but he can only create and update the product; he does not have permission to delete the product, okay. So now guys, let's get started with protecting the routes and how to use these roles and permissions in our application.

So guys, here you see right now I'm not logged in, but I'm able to access this roles and permission data. So guys, let us make this authenticated first. So for that let's get back. So now guys, these are the routes which we have to protect, I mean protect, and also we need to check whether it is authenticated or not. So guys, let us get back and let me zoom it a little. So first step, we'll create a route group: Route colon colon group function; inside this just create an array, give a comma, write the function, and open and close the curly braces, okay. And now guys, you can push this complete route inside this group function, group route, okay. So now guys, what we are going to do, uh, we are going to use a middleware here: just add middleware and just use it in this format, like arrow function, and then mention auth. So okay, so now guys, if you're logged in, only then can you access this route. So let's get back and refresh now on this roles. So here you see, uh, you are redirected to the login page. So guys, let me log in. Let me just show you: I have already created some user records, like super admin and normal admin. So now
guys, let us log in as a super admin first and enter the password. Cool, logged in now, and you are able to access this roles, permission and user data, okay. And, uh, guys, I just want to show whether I'm logged in or not in this navbar. So it's a simple code guys, I have already created that. Let me just go to my app web layout, and here I have just commented that; let me uncomment it, okay. So here is a normal guest with the login and register, and this is the else part of that guest. Now save, and if you refresh here, you see that super admin has logged in, okay. So now let's continue; let me close this file, okay. So yep, now refresh. So guys, you're logged in and you are able to see all the roles and permission data.

So now guys, let us see how we can protect the routes and who can access this roles data and the permissions data, like who can create this permission, who can edit and delete all the permissions based on these roles, okay. So right now, as you see, super admin has logged in and his roles are super admin and normal admin, so he is available for both the roles. So let me go to this super admin role. Let's move inside the role, and here is my role as super admin; let's edit the permission for this role. So here you see this super admin can do all these permissions, okay. Now get back and let's see with the admin role. So in this admin you see that admin can create the role, view the role, update the role, but not delete the role, okay; he cannot delete a role. Same with the permission also: here he cannot update the permission or delete the permission, okay. So guys, if you want to give an option like he, admin, cannot update also, we can just update that and he will not be able to update that role. So now you can get back, okay. So guys, these roles are given to a particular user, so as you see this admin can have the role of admin and staff, okay.

So now guys, let's get started with protecting the routes, okay. So guys, let's get back to our editor. So now guys, in this, uh, middleware we have to
mention like: if the logged in user role is super admin or admin, he can access this route, okay. So now guys, let's get back to our documentation on Spatie and let's move on this Basic Usage; we have a Using a Middleware here, so let's click on it. So guys, here we see first it starts with the default middleware. So what is this default middleware? Laravel gives the Authorize class to check for the permissions, so basically that is like using a can here; it only checks for the permission, not for the roles, as you see, for checking against a single permission. So now guys, here is the package middleware with which we can use this, uh, role and permission or role or permission. So let's copy this completely, copy, and we have to put it in the middleware aliases in your Kernel.php file. So let's move and go to your app, Http and Kernel.php and insert this; let's paste it. That's it, done, and now you'll be able to access this role permission inside your middleware, that is the Route group middleware, okay.

So yep guys, now let's move to the documentation, and here, Middleware via Routes. So guys, here you see, uh, they have given some examples, like you can use the role and your role name. So let us use it in this format itself. Now let's copy, get back, and here you have a single; let me give an array, give a comma and paste that role, okay, in the single quotes. So coming back to our data, here we don't have any manager, so let me copy this super admin and paste it here. And guys, let me just remove this, because in the roles and permission the authentication is checked. So yep, let's get back and refresh. So here you see, uh, you are able to access the roles part because the logged in user role is super admin. So let me just show you in incognito mode: let's go to roles, and here you see the user is not logged in. Let me just log in and show you with the admin credentials, so admin gmail.com. So I have already thought about what role he has and, for that role, what permissions I have given for the admin. So now let's log in, okay. So let's
move on the roles. Cool, so guys, here you have got the message like "User does not have the right role", okay. So this particular logged in user doesn't have the role for that, okay. So if you try to access permissions or users, anything, you don't have the right role, okay. And the same thing: if you are a super admin then you'll be able to access the roles, okay.

So guys, now what I want to do: I want to give the permission for super admin and also admin. So here you see, uh, we are not able to access the roles or permissions page. Now I want to tell in this middleware, like in this role, super admin or admin, so use this pipe symbol, that's it. And now get back, refresh. Cool, so guys, here you see the logged in admin user is able to access the roles and permissions pages, because we have said that super admin or normal admin can access this page, so he is able to access, perfect, okay.

So now guys, coming back in detail to setting the permissions. So let me come here and let me show you: in this role super admin, let me edit the role permission. So if the role is super admin, he can delete the role, okay. So the logged in user is super admin, and if he wants to delete a role he will be able to delete it. But what in the case of the normal admin role? So here in this admin role we have the permission like he cannot delete or update the role, okay. So now guys, let us set this condition in our web route. So this is the route guys which goes to the destroy function to delete that particular role. So now guys, let us give a permission so that only a user who has permission to delete the role can delete. So it's a very simple way guys: you just have to add a middleware here, like middleware, and inside single quotes just check for the permission, okay. So let me just break it so it will be visible, and let me zoom it. So here in this permission colon, like delete role, so paste exactly the same string value, I mean the name of that role, okay. So I'm using this delete role; let's
copy this and paste here. So guys, this permission is nothing but what you'll be finding in your Kernel.php, and this is the value guys, okay. So you're copying this and you are accessing here, okay. So now guys, let me show you with the demo. So yep, on this, uh, super admin role he can delete it, okay, we have checked it, but if the logged in user is the admin role then he will not be able to delete it. So guys, right now I have logged in as a super admin, and let me show you: here in my incognito mode I have logged in as a normal admin. So now if we try to delete any role, so let me click here, delete, and you see that "User does not have the right permissions" to delete this role data, okay. So if you are a super admin he can delete the role. So let me just show you, and, uh, a dummy role data I'll create. So here is my dummy role, and now let me just show you with the admin once again. So here I delete, like yes, I don't have permission, the admin doesn't have the permission to delete a role, but if you're a super admin you'll be able to delete it. So let me just delete and show you; click to delete. Cool, so you see that: role deleted successfully.

So guys, I have shown you how to protect your route using roles and permission, okay. So you can set each permission for particular routes. So now guys, coming back to these resource routes: what in the case of this resource route, how can you add a middleware here? So for this we have another solution; let me just show you in the documentation. So we move below, and here you see middleware with controller. So just use this in your construct method, use your middleware, as simple. Now you can get back, and this is my resource route, and now I will comment this middleware for delete role and get to the role controller. So let's move and let's create a function: so public function underscore underscore construct, open and close curly braces, and now guys use the $this->middleware function, and the same permission that you have written here you can copy and give here
and now let me just show you what happens directly if you give this permission of delete role. So yep, let's get back, and here you see we are on the roles page; refresh, nothing happens. Now get back to your admin logged in, so refresh; here you see you do not have the right permission. But the permission is about the deleting part; like here we have given the permission, who has delete role, then it should only work for this delete function. Where is the delete function? Okay, here. So this should work for the destroy function. So let's get back, and now guys, to achieve that, you have to give a comma and create an array, and inside that you say only, for those functions, okay. So mention in an array and tell that it is my destroy function. So what is it? Let me move below, and here is a destroy function; let's copy this and paste here. So now this permission delete role will work for only this function, the destroy function. So let's get back to the admin login here, refresh. So here you see it works fine now, okay. So now guys, if you delete, it shows like you don't have the right permission; instead I have used that middleware permission in the construct method in your controller part, okay, not on your routes, web route, here.

So guys, we have learned how to use this middleware in the route and also middleware in the controller. So the same way guys, you can just copy and paste and assign, like update role for that particular update function and also on the edit function, okay. So we have two functions now, the update function and the edit function; on both it should work for update role. So let me just show you the permissions for this: so role admin, let's see the permission; you don't have permission to update the role. So let's get back and go to your role, so refresh. So I am an admin user here, and let's click on edit the role. So let's click here, edit; so you see that you do not have permission, right permission, to edit and update the role, okay. So now we can get back. So if you check this same
thing about editing the role with the logged in user as super admin, which has a super admin role, so now if you try to edit here, cool, you see that we are able to edit the role, okay. So this is how we can utilize multiple functions for a particular role, okay. And also guys, if you want to check, like, uh, the role also, so with this permission I want to check the role, you can just get back to your documentation, and here you see like role manager and its permission. So the same way you can use like super admin or admin or staff, manager; it depends on your requirement, okay.

So now guys, let's get back to our editor. So guys, now let us give the rest of the permissions also. As we see, we have here, um, create role and also view role, so who has permission, they can only create and view the role. So as simple, let's tell create role and the view role. So view role will go on the index, and let's remove this, and if you have a show function you can add that show also, okay. So I don't have a show function here, so I'll remove it. And on the create role permission I will copy this create and store method, so let's paste here create and store method, okay. So this is how you set your permissions for your resource routes. So I have used this resource route, cool.

So now guys, uh, let me just remove this. And so now guys, we have not given the permission for these routes, like you can, uh, give permission and update the permission, so let us use those same functions here. So on this create role you can use the same functions, like the add permission and give permission functions. So let me just add that also here; just give a comma and mention that function Lim you can add also, and you can, um, give the function give permission to role function, okay. So yep, you are completely set up with the permissions. So the same way guys, you can copy this and create for your permission controller also. So on this permission controller let me paste it and let's remove the unwanted functions, which you don't have in permission, and here so let
me paste it, permission; let's copy this and just Ctrl+D and paste it, okay. So these are the permission names, so if you have any doubts just go to your permissions and find that exact name, okay. So you just need to copy that and paste in your permission controller, cool.

So now guys, same with your user task also. So let me copy this and go to the user controller, what we have created. So if you don't find this role controller, permission controller and user controller, please watch the video part one, so you'll find everything and understand how all this was created, okay. So now yep, let's change the permission. So let me just show you what the permission is here. So I have not created the user permissions, so let me just add the permission, like create user, permission to create user, okay. So here you see the create user permission is added. Let me add the view user, hit enter, saved. Let's again add a new permission here, like update user, and finally the delete user, okay. So delete user, let's save, done. So here you see we have created the, uh, permissions for create user, view user, update user and delete user. Go to your roles, and this super admin should be able to create the user, view the user, update the user and also delete the user; let's update it. So now the super admin role has the permission for doing this. And now for the role admin, let's edit, and he can create the user, view the user, but not update and delete, okay. So let's update here, done. Now get back, so get to your controller; on your user controller we can update it like, yep, view user, create user, update user, delete user, okay, and these are the functions it's reaching to. So let me show the functions also, yep, and done, okay. So all set, and now guys, let me just show you with the logged in user as admin: he should be able to view the user, he should be able to create the user, but not edit the user and not delete the user. Okay, cool. So guys, we have seen how to handle the permissions in our controller. So now guys, let us
go to web.php, and I want to tell you one more thing: in this middleware we are telling, uh, we have a role of super admin and admin. So instead of using this I want to use my custom middleware. So guys, I have already made a video on this middleware, how to create a middleware, how to use the middleware in Laravel, okay, so the video link is given in the description. So now guys, uh, let me just show you the middleware which I have created. Let's go to app, Http, uh, I think it's not visible, so let me zoom it, and okay. So yep, let's go to app, Http, and you need to move into Middleware, and here we have created one admin middleware, okay. So here I'm just checking with the static role, that is admin or user, so let me just comment it out, and instead of using the static way let us use our roles and permissions which we are using in this web.php, okay.

So now guys, first step, uh, make sure your admin middleware is registered. So if you don't know how to create this middleware, please watch the video link given in the description. And now guys, let us check what name this admin middleware is registered with. So you have to go to your Kernel.php and inside that you have to find that admin middleware class. So guys, you see that here I have added the admin middleware class which is existing here, and this key name I have given as is admin, okay. So now let us copy this is admin and get back to your web.php, okay. So now let me paste here, and for further reference let me comment and keep, and now let us just Ctrl+X and remove everything and just use is admin, okay. So done, and now guys, in this is admin middleware we will give the condition like what you have given here. So guys, let's get back to our admin middleware and here write the logic. So now guys, let me create a variable called user, and you have to just check the authenticated user data. So yep, the authenticated user data is assigned here in this variable user, and it has an object of data, okay. So now in this if condition you have to check whether
it has a role or not, so the hasRole function. So please check whether this is correct or not inside your documentation. So you can just find that in the Blade Directives or Using Permissions via Roles, so just go here, Using Permissions via Roles, okay, and you can just use Ctrl+F and find that, perfect. So here you see checking roles, hasRole of this, and you can use it in this format also, like using the array format for multiple. So let us copy this and get back. So now inside this if condition let's use it, and here we have to specify what role we are expecting. So as we have given in the web.php, that is super admin and admin, okay, so mention that here; let's remove this pipe symbol and separate them, okay. So the role will be super admin and admin. And here we see a warning guys, like undefined method hasRole, Intelephense, okay. So it's just a simple warning guys; you can fix this using like @var, where it comes to the app folder, then the models folder, and it goes to the user model, okay. That's it, and here you see it's fixed. So now guys, uh, whatever you get here, like if the request is correct then process him to continue with it, so you can just remove this, it's not required.

So now guys, let us see, uh, whether it works or not. So you can just get back. So yep, let me refresh; okay, so super admin is able to access the roles permission. And let us move with the normal admin, so refresh; he's able to access the roles. Now guys, I just want to make sure, if I don't give the role admin, who should be able to view this, so let us test that also. So in this middleware, is admin middleware, let's go and just remove this admin role. So I have just removed the admin role; only super admin should be able to access. Yep, let's go. Okay, so here is a super admin, refresh, yep, he's able to access. And now here is a normal admin, let's refresh; he's not able to access, and it's still like forbidden. So this is about 403 Forbidden, let me just show you. So inside our middleware, if the authenticated user role does not have super admin, he should be aborted on this 403, and
just give a comma guys, and you can mention like "User does not have correct role", okay. Now let's save it and you will be able to see that message, okay. So let me just add that role as admin, and he should also be able to access the roles and permission, perfect, done.

So now guys, uh, let us learn Blade directives in this roles and permission. So basically what a Blade directive means: if the authenticated user doesn't have permission to edit or delete, in that case I have to hide these buttons, so we can do that using Blade directives. So let me just show you in the documentation. Let's go to our documentation, okay, and in this Basic Usage we have the Blade Directives here; let's click on it, okay. Let's move below, and here you see guys that can and endcan. So this can is used for only permissions, and if you want to use it for roles also you can use it like this, okay: if role is super admin then show that. And also you see here hasrole, so it is exactly the same as role; role and hasrole both work the same. And now guys, if you want to use it in any controller part or in the Blade file, you can also use it in this way. So now guys, uh, we are concentrating on how to use that in a Blade file. Let us go to the top and we need to use this itself, so let me copy this and go back to our files. So let me close everything and just go to your folders of your Blade files. So this is my role folder, and inside this we have an index Blade file. Let me unzoom a little, and yep, this is my edit and delete button. So on this edit, @can, and here @endcan, okay, and here mention your permission: he should have the permission of update role. So make sure you are pasting it correctly; let me show, in the permissions we have an update role permission, and paste that, okay. So the same way guys, you have to check with the delete also; let me copy and paste here and mention delete role. Let's save and get back and go to your roles URL, and you'll see you are able to see the edit and delete buttons because the logged in user is super admin. So now let us see
with the normal admin. So here I refresh on the roles page, so you see that you don't find the edit and delete options for the normal admin. So in case you give the permission to edit the data, so let me just give the permission: to this role I give the update role permission, so for this role admin I give update role; let's update here, okay, updated. Now you can get back and let's move to the admin here, now refresh. Cool, so you see that now admin has the permission to edit and update the data, so his buttons are visible, perfect. So the same way guys, you have to paste everywhere in your Blade file wherever you are showing edit and update of the data, okay. So the same way, just go to your permissions, and inside the permission you have an edit and delete button, so you can utilize that, okay: can update permission and endcan. Let me copy and paste endcan, and here he can delete permission. So admin doesn't have the permission to delete, so if you view here he doesn't have edit and update, okay. So same with the user part also, you have to hide it. So now get back, let me just use the same logic in the user Blade file; just use this can and endcan, yep, let's paste here, and again add it. So here it will be user, so the permission, I mean delete user. Now get back, go to the users tab, and this is a super admin so you have the access. Now if you go on the admin user, it doesn't have the action, okay.

And guys, I just want to teach you one more thing about the role which we are seeing in this documentation; let me just show you. So this is the roles, Blade and roles, so you can use this role part also. Yep, let's get back. So this is my role index Blade, okay, role index Blade, and instead of this can and endcan I want to use role, okay. So the @role function, and inside this you can mention super-admin, and now endrole. So yep, now this is a logged in user super admin, so he should be able to see the edit button. Now if you go to your normal admin, go to the roles, you see that you don't see that edit button
because this normal admin is an admin role, not the super admin. Let me close this and, yep, so guys, we have successfully completed the Laravel 10 roles and permission tutorial using the Spatie package, okay. So guys, in this video that's it. Thank you for watching this video; please subscribe, like and share.
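
The manual checks shown in the video (logging in as the normal admin in an incognito window and trying to delete a role) can be kept as a regression test. The PHPUnit feature test below is an added example, not code from the video; the `/roles` URIs and the exact role and permission spellings are assumptions and must match the application. It sends the requests directly, so it exercises the route and controller middleware rather than the Blade `@can` directives, which only hide buttons.

```php
<?php
// tests/Feature/RolePermissionRoutesTest.php
// Added example, not code from the video. Assumed: the roles resource route
// answers at /roles and /roles/{id}, and the role and permission names below
// are spelled exactly as in the application's database.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;
use Tests\TestCase;

class RolePermissionRoutesTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();
        // Start every test from an empty permission cache.
        $this->app->make(PermissionRegistrar::class)->forgetCachedPermissions();

        foreach (['view role', 'create role', 'update role', 'delete role'] as $name) {
            Permission::create(['name' => $name]);
        }
        // Same matrix as in the walkthrough: admin may not delete roles.
        Role::create(['name' => 'super-admin'])->givePermissionTo(Permission::all());
        Role::create(['name' => 'admin'])
            ->givePermissionTo(['view role', 'create role', 'update role']);
        Role::create(['name' => 'staff']);
    }

    private function userWithRole(string $role): User
    {
        return User::factory()->create()->assignRole($role);
    }

    public function test_admin_cannot_delete_a_role(): void
    {
        $target = Role::create(['name' => 'dummy role']);

        // The request is sent even though the UI would hide the button.
        $this->actingAs($this->userWithRole('admin'))
            ->delete('/roles/' . $target->id)
            ->assertForbidden();

        $this->assertDatabaseHas('roles', ['id' => $target->id]);
    }

    public function test_super_admin_can_delete_a_role(): void
    {
        $target = Role::create(['name' => 'dummy role']);

        $this->actingAs($this->userWithRole('super-admin'))
            ->delete('/roles/' . $target->id);

        $this->assertDatabaseMissing('roles', ['id' => $target->id]);
    }

    public function test_staff_cannot_open_the_roles_page(): void
    {
        // staff is not in the role list of the route group middleware.
        $this->actingAs($this->userWithRole('staff'))
            ->get('/roles')
            ->assertForbidden();
    }

    public function test_admin_can_open_the_roles_page(): void
    {
        $this->actingAs($this->userWithRole('admin'))->get('/roles')->assertOk();
    }
}
```

Run it with `php artisan test --filter=RolePermissionRoutesTest`; a failure in the first test means the destroy action is reachable without the delete role permission.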
Info
Channel: Funda Of Web IT
Views: 4,059
Keywords: fundaofwebit, laravel 10 spatie roles and permission, Laravel 10 with Spatie permissions, spatie laravel permission package tutorial, laravel roles and permission tutorial step by stepm, spatie roles and permission from scratch crud in laravel, laravel 10 user role permission crud, laravel 10 roles and permission crud example, roles and permissions from scratch laravel 10, protect routes with middleware using roles and permission in laravel 10
Id: TA6S9LjXI6M
Length: 32min 4sec (1924 seconds)
Published: Thu Feb 08 2024