Using a middleware | laravel-permission | Spatie SPATIE Laravel Permission ===================== spatie.be/open-source [Docs](https://spatie.be/docs) [Laravel-permission](https://spatie.be/docs/laravel-permission/v5) Basic-usage Using a middleware Version v7 v6 v5 v4 v3 Other versions for crawler [v7](https://spatie.be/docs/laravel-permission/v7) [v6](https://spatie.be/docs/laravel-permission/v6) [v5](https://spatie.be/docs/laravel-permission/v5) [v4](https://spatie.be/docs/laravel-permission/v4) [v3](https://spatie.be/docs/laravel-permission/v3) - [ Introduction ](https://spatie.be/docs/laravel-permission/v5/introduction) - [ Support us ](https://spatie.be/docs/laravel-permission/v5/support-us) - [ Prerequisites ](https://spatie.be/docs/laravel-permission/v5/prerequisites) - [ Installation in Laravel ](https://spatie.be/docs/laravel-permission/v5/installation-laravel) - [ Installation in Lumen ](https://spatie.be/docs/laravel-permission/v5/installation-lumen) - [ Upgrading ](https://spatie.be/docs/laravel-permission/v5/upgrading) - [ Questions and issues ](https://spatie.be/docs/laravel-permission/v5/questions-issues) - [ Changelog ](https://spatie.be/docs/laravel-permission/v5/changelog) - [ About us ](https://spatie.be/docs/laravel-permission/v5/about-us) Basic Usage ----------- - [ Basic Usage ](https://spatie.be/docs/laravel-permission/v5/basic-usage/basic-usage) - [ Direct Permissions ](https://spatie.be/docs/laravel-permission/v5/basic-usage/direct-permissions) - [ Using Permissions via Roles ](https://spatie.be/docs/laravel-permission/v5/basic-usage/role-permissions) - [ Enums ](https://spatie.be/docs/laravel-permission/v5/basic-usage/enums) - [ Teams permissions ](https://spatie.be/docs/laravel-permission/v5/basic-usage/teams-permissions) - [ Wildcard permissions ](https://spatie.be/docs/laravel-permission/v5/basic-usage/wildcard-permissions) - [ Blade directives ](https://spatie.be/docs/laravel-permission/v5/basic-usage/blade-directives) - [ Using a middleware ](https://spatie.be/docs/laravel-permission/v5/basic-usage/middleware) - [ Defining a Super-Admin ](https://spatie.be/docs/laravel-permission/v5/basic-usage/super-admin) - [ Using multiple guards ](https://spatie.be/docs/laravel-permission/v5/basic-usage/multiple-guards) - [ Using artisan commands ](https://spatie.be/docs/laravel-permission/v5/basic-usage/artisan) - [ Example App ](https://spatie.be/docs/laravel-permission/v5/basic-usage/new-app) Best Practices -------------- - [ Roles vs Permissions ](https://spatie.be/docs/laravel-permission/v5/best-practices/roles-vs-permissions) - [ Model Policies ](https://spatie.be/docs/laravel-permission/v5/best-practices/using-policies) - [ Performance Tips ](https://spatie.be/docs/laravel-permission/v5/best-practices/performance) Advanced usage -------------- - [ Testing ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/testing) - [ Database Seeding ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/seeding) - [ Exceptions ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/exceptions) - [ Extending ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/extending) - [ Cache ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/cache) - [ Custom Permission Check ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/custom-permission-check) - [ UUID ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/uuid) - [ PhpStorm Interaction ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/phpstorm) - [ Other ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/other) - [ Timestamps ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/timestamps) - [ UI Options ](https://spatie.be/docs/laravel-permission/v5/advanced-usage/ui-options) You are viewing the documentation for **an older version** of this package. You can check the version you are using with the following command: ` composer show spatie/laravel-permission ` Using a middleware ================== ### On this page 1. [ Default Middleware ](#content-default-middleware) 2. [ Package Middleware ](#content-package-middleware) 3. [ Middleware via Routes ](#content-middleware-via-routes) 4. [ Middleware with Controllers ](#content-middleware-with-controllers) Default Middleware -------------------------------------------------------------------------------------------------------------- For checking against a single permission (see Best Practices) using `can`, you can use the built-in Laravel middleware provided by `\Illuminate\Auth\Middleware\Authorize::class` like this: ``` Route::group(['middleware' => ['can:publish articles']], function () { // }); ``` Package Middleware -------------------------------------------------------------------------------------------------------------- This package comes with `RoleMiddleware`, `PermissionMiddleware` and `RoleOrPermissionMiddleware` middleware. You can add them inside your `app/Http/Kernel.php` file. Note the differences between Laravel 10 and older versions of Laravel is the name of the `protected` property: ### Laravel 9 (and older) ``` protected $routeMiddleware = [ // ... 'role' => \Spatie\Permission\Middlewares\RoleMiddleware::class, 'permission' => \Spatie\Permission\Middlewares\PermissionMiddleware::class, 'role_or_permission' => \Spatie\Permission\Middlewares\RoleOrPermissionMiddleware::class, ]; ``` ### Laravel 10 ``` protected $middlewareAliases = [ // ... 'role' => \Spatie\Permission\Middlewares\RoleMiddleware::class, 'permission' => \Spatie\Permission\Middlewares\PermissionMiddleware::class, 'role_or_permission' => \Spatie\Permission\Middlewares\RoleOrPermissionMiddleware::class, ]; ``` > See a typo? You are reading older `v5` documentation. Note that since v6 the 'Middleware' namespace is singular. Prior to v6 it was 'Middlewares'. If you are still using 'Middlewares' (plural), it is time to upgrade your app to the latest version of this package! **YOU SHOULD ALSO** set [the `$middlewarePriority` array](https://laravel.com/docs/master/middleware#sorting-middleware) to include this package's middleware before the `SubstituteBindings` middleware, else you may get *404 Not Found* responses when a *403 Not Authorized* response might be expected. Middleware via Routes ----------------------------------------------------------------------------------------------------------------------- Then you can protect your routes using middleware rules: ``` Route::group(['middleware' => ['role:super-admin']], function () { // }); Route::group(['middleware' => ['permission:publish articles']], function () { // }); Route::group(['middleware' => ['role:super-admin','permission:publish articles']], function () { // }); Route::group(['middleware' => ['role_or_permission:publish articles']], function () { // }); ``` You can specify multiple roles or permissions with a `|` (pipe) character, which is treated as `OR`: ``` Route::group(['middleware' => ['role:super-admin|writer']], function () { // }); Route::group(['middleware' => ['permission:publish articles|edit articles']], function () { // }); Route::group(['middleware' => ['role_or_permission:super-admin|edit articles']], function () { // }); ``` Middleware with Controllers ----------------------------------------------------------------------------------------------------------------------------------------- You can protect your controllers similarly, by setting desired middleware in the constructor: ``` public function __construct() { $this->middleware(['role:super-admin','permission:publish articles|edit articles']); } ``` ``` public function __construct() { $this->middleware(['role_or_permission:super-admin|edit articles']); } ``` (You can use Laravel's Model Policy feature with your controller methods. See the Model Policies section of these docs.)