TASKS 15: User Roles & Access Control Implementation Report - RadLeoOFC/laravel-admin-panel GitHub Wiki
User Roles & Access Control Implementation Report
Objective
The goal of this task was to differentiate between Admin users, who have full control over desks, memberships, and payments, and Regular users, who can only book desks and manage their own memberships. To achieve this, the following steps were implemented:
- Role-based access control (RBAC) was introduced by adding a role column to the users table.
- Authorization logic was enforced in DeskController and MembershipController to restrict modifications to admins.
- Middleware (AdminMiddleware) was created to ensure only admins can access protected routes.
- Access restrictions were applied to ensure regular users can only modify their own memberships.
- Security enhancements were implemented to protect reports from unauthorized access.
Implementation Details
1. Adding Role Column to Users Table
A migration was created to add the role column to the users table with a default value of 'user'. This ensures that new users are assigned a regular user role by default. Because role is a plain string column, it must stay out of the User model's $fillable list (and must never be written from request input via fill() or update()); otherwise a registration or profile form could submit role=admin and grant itself full access.

```php
Schema::table('users', function (Blueprint $table) {
    // Plain string role; new accounts get 'user' unless an admin changes it.
    $table->string('role')->default('user');
});
```
Screenshot: Users table in the database with the new role column

2. Creating AdminMiddleware
A new middleware was created to restrict access to admin-only routes.
```php
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Rejects guests and non-admin users before the controller action runs.
// The auth()->check() guard comes first so a guest never reaches ->role.
public function handle(Request $request, Closure $next): Response
{
    if (!auth()->check() || auth()->user()->role !== 'admin') {
        abort(403, 'Access denied');
    }
    return $next($request);
}
```
Screenshot: AdminMiddleware.php with access restriction logic

The middleware was registered in bootstrap/app.php:
```php
->withMiddleware(function (Middleware $middleware) {
    $middleware->alias([
        'admin' => \App\Http\Middleware\AdminMiddleware::class,
    ]);
})
```
Screenshot: bootstrap/app.php with middleware registration

3. Applying Middleware to Routes
In routes/web.php, admin-only routes were protected:
```php
Route::middleware('admin')->group(function () {
    // Additional membership-related route
    Route::post('/memberships/{id}/update-payment', [MembershipController::class, 'updatePaymentStatus'])->name('memberships.updatePayment');
    // Added route for reports
    Route::get('/reports', [ReportController::class, 'index'])->name('reports.index');
});
```
Screenshot: routes/web.php with admin-only route restrictions

4. Restricting User Actions in Controllers
The DeskController and MembershipController were updated to ensure that only admins can create, update, or delete records. Note that $this->middleware() in a controller constructor is only available when the base Controller class extends Illuminate\Routing\Controller; in Laravel 11, which is where the bootstrap/app.php middleware registration shown above comes from, the default base controller no longer does, so the equivalent is the HasMiddleware interface with a static middleware() method, or attaching the 'admin' middleware to the routes directly.
4.1. DeskController Protection
```php
public function __construct()
{
    // Listing and viewing desks stays open; the write actions are admin-only.
    $this->middleware('admin')->only(['create', 'store', 'edit', 'update', 'destroy']);
}
```
Screenshot: DeskController.php with admin-only restrictions

4.2. MembershipController Protection
Regular users can only manage their own memberships, while admins have full control. The index() method below narrows the listing; the per-record actions need an ownership check of their own on every request, since filtering the list does not stop a user from requesting another user's record by id.

```php
<?php

namespace App\Http\Controllers;

use App\Models\Membership;

class MembershipController extends Controller
{
    /**
     * MembershipController manages user memberships.
     * This constructor ensures that only admin users can manage all memberships.
     */
    public function __construct()
    {
        // Only admin users can update payment statuses
        $this->middleware('admin')->only(['updatePaymentStatus']);
    }

    /**
     * Display a listing of the resource.
     */
    public function index()
    {
        // Admins see all memberships, users see only their own.
        // Assumes the route sits behind the 'auth' middleware: for a guest,
        // auth()->user() is null and reading ->role would throw.
        $query = Membership::with(['user', 'desk']);
        if (auth()->user()->role !== 'admin') {
            $query->where('user_id', auth()->id());
        }
        $memberships = $query->get();
        return view('memberships.index', compact('memberships'));
    }

    // Remaining actions are not shown in this report.
}
```
Screenshot: MembershipController.php enforcing user restrictions

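The ownership rule the report describes (a regular user may edit, extend or delete only their own membership) has to be enforced on each per-record action, not only in the listing. The following policy and controller excerpt are an added example and are not code from the laravel-admin-panel repository: the MembershipPolicy class, the extend action, the expires_at column, and the use of implicit route-model binding (a {membership} route parameter rather than the {id} used in routes/web.php above) are all assumptions.

```php
<?php
// app/Policies/MembershipPolicy.php (added example; names are assumptions).
// Laravel auto-discovers App\Policies\MembershipPolicy for App\Models\Membership.
namespace App\Policies;

use App\Models\Membership;
use App\Models\User;

class MembershipPolicy
{
    // Admins pass every check; returning null falls through to the per-ability methods.
    public function before(User $user, string $ability): ?bool
    {
        return $user->role === 'admin' ? true : null;
    }

    public function view(User $user, Membership $membership): bool
    {
        return $membership->user_id === $user->id;
    }

    public function update(User $user, Membership $membership): bool
    {
        return $membership->user_id === $user->id;
    }

    public function delete(User $user, Membership $membership): bool
    {
        return $membership->user_id === $user->id;
    }
}

// app/Http/Controllers/MembershipController.php (excerpt, added example).
// Requires: use Illuminate\Http\Request; use Illuminate\Support\Facades\Gate;
// Gate::authorize() throws an AuthorizationException, which Laravel renders as 403,
// and works regardless of which base Controller class the project uses.
public function edit(Membership $membership)
{
    Gate::authorize('update', $membership);
    return view('memberships.edit', compact('membership'));
}

public function extend(Request $request, Membership $membership)
{
    Gate::authorize('update', $membership);
    // Validate before touching the record; bound the extension so a user cannot
    // pass an arbitrary number of months.
    $months = $request->validate(['months' => 'required|integer|min:1|max:12'])['months'];
    $membership->expires_at = $membership->expires_at->addMonths($months); // expires_at assumed to be a date cast
    $membership->save();
    return redirect()->route('memberships.index');
}

public function destroy(Membership $membership)
{
    Gate::authorize('delete', $membership);
    $membership->delete();
    return redirect()->route('memberships.index');
}
```

With this in place the listing filter in index() and the per-record checks agree on one rule, defined once in the policy, and the admin-only updatePaymentStatus action stays behind the 'admin' middleware exactly as shown in routes/web.php.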
Testing & Results
Expected Behavior
- Regular users
  - Can view desks but cannot create, edit, or delete them.
  - Can view and manage their own memberships but cannot edit/delete others' memberships.
  - Can extend their own memberships but cannot extend others'.
  - Cannot access reports (403 Forbidden).
- Admins
  - Have full control over desks, memberships, and reports.
  - Can extend, modify, or delete any membership.
Screenshot: Regular user attempting to access admin features (403 Forbidden)
Screenshot: Regular user successfully extending their own membership

Screenshot: Admin successfully managing all desks and memberships

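The expected behaviour listed above can be pinned down in a feature test so that it is re-checked on every run rather than only by hand in the browser. The test below is an added example, not part of the repository; it assumes a User factory that accepts a role attribute, a Membership factory that accepts user_id, and routes named desks.create, memberships.index, memberships.edit and memberships.destroy in addition to the reports.index route shown in routes/web.php.

```php
<?php
// tests/Feature/RoleAccessTest.php (added example; factory fields and route names are assumptions)
namespace Tests\Feature;

use App\Models\Membership;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class RoleAccessTest extends TestCase
{
    use RefreshDatabase;

    public function test_guest_is_rejected_by_admin_middleware(): void
    {
        // AdminMiddleware aborts with 403 when nobody is authenticated.
        $this->get(route('reports.index'))->assertForbidden();
    }

    public function test_regular_user_cannot_reach_admin_routes(): void
    {
        $user = User::factory()->create(['role' => 'user']);

        $this->actingAs($user)->get(route('reports.index'))->assertForbidden();
        $this->actingAs($user)->get(route('desks.create'))->assertForbidden();
    }

    public function test_admin_can_reach_admin_routes(): void
    {
        $admin = User::factory()->create(['role' => 'admin']);

        $this->actingAs($admin)->get(route('reports.index'))->assertOk();
        $this->actingAs($admin)->get(route('desks.create'))->assertOk();
    }

    public function test_user_sees_only_own_memberships(): void
    {
        $alice = User::factory()->create(['role' => 'user']);
        $bob   = User::factory()->create(['role' => 'user']);
        $mine  = Membership::factory()->create(['user_id' => $alice->id]);
        $other = Membership::factory()->create(['user_id' => $bob->id]);

        $response = $this->actingAs($alice)->get(route('memberships.index'));
        $response->assertOk();
        // The 'memberships' view variable must hold Alice's record and not Bob's.
        $response->assertViewHas('memberships', function ($memberships) use ($mine, $other) {
            return $memberships->contains($mine) && !$memberships->contains($other);
        });
    }

    public function test_user_cannot_modify_another_users_membership(): void
    {
        $alice = User::factory()->create(['role' => 'user']);
        $bob   = User::factory()->create(['role' => 'user']);
        $other = Membership::factory()->create(['user_id' => $bob->id]);

        // Addressing someone else's record by id must be refused, not merely hidden from the list.
        $this->actingAs($alice)->get(route('memberships.edit', $other))->assertForbidden();
        $this->actingAs($alice)->delete(route('memberships.destroy', $other))->assertForbidden();
    }
}
```

Run it with php artisan test; the last test is the one most likely to fail if an action relies only on the index() filter, which is exactly the gap it exists to catch.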

Conclusion
Successfully implemented role-based access control (RBAC) for desks, memberships, and reports.
- Regular users can only view desks and manage their own memberships.
- Only admins can create, update, or delete desks and memberships.
- The reports page is now restricted to admins.
- All security measures were tested and confirmed to work as expected.
Final Screenshot: Push to GitHub with commit message
