How to restrict access by role? At the level of the route and/or controller?

Hi all. I work with Laravel and use laravel-permission (for reference).
Can you advise how best to restrict access?
Right now I restrict access to routes using middleware. BUT! Often the point is to split access to a whole group of routes, for example for a simple CRUD.
Route::group(['middleware' => ['auth', 'role:author']], function () {
    ...
    Route::post('/posts/store', ['uses' => 'PostController@store', 'as' => 'posts.store']);
    Route::post('/posts/{post}/update', ['uses' => 'PostController@update', 'as' => 'posts.update']);
    // other routes only for the author
    ...
});
Route::group(['middleware' => ['auth', 'role:editor']], function () {
    ...
    Route::post('/posts/{post}/update', ['uses' => 'PostController@update', 'as' => 'posts.update']);
    // other routes only for the editor
    ...
});
// Whereas in the controller you can do this (DI):

public function __construct()
{
    $this->middleware('auth');
    // role middleware from laravel-permission, same alias as in the routes above
    $this->middleware('role:author');
    $this->middleware('role:editor')->only('update');
}
// and in the router write:
Route::resource('posts', 'PostController');

Yes, I know that it is also possible per individual route:
Route::get('profile', 'UserController@show')->middleware('auth');

In my opinion, controllers turn out to be more flexible. So please write your advice on the best general practice :)
Thank you!
June 14th 19 at 20:37
1 answer
June 14th 19 at 20:39
Solution
It all depends on your goals and architecture.

laravel-permission gives you various tools for flexible management of access rights: the documentation has examples for Blade, for models, for controllers and for middleware.

In this question you need to rely on your architecture and on the task. For example, there are situations where it is not advisable to check access in middleware, because for complex logic you need to fetch data in order to check (can the user edit this record, at this time, from this IP?).

So, with a very large caveat, it depends on your architecture. For example, I use DDD and the access-rights check happens in a UseCase in the application layer, and there is not one check but several (can the user edit entries at all, and then can they edit this specific one).

The answer to the question would be something like this:
With laravel-permission you can restrict access by roles in the controller, but you need to take into account your architectural approach, SOLID principles, etc.

From myself I will add: most likely you are doing RAD development, so don't bother too much and check wherever it is easier.
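As an added example (not code from the question or the answer above), here is how the two layers the answer distinguishes look in a Laravel project using spatie/laravel-permission: a coarse role check in route middleware, and a per-record check that needs the loaded model and therefore lives in a policy invoked from the controller. The role names author and editor, the rule "editors may edit any post, authors only their own", and the posts.user_id column are assumptions for illustration; the three sections stand for three files.

```php
<?php
// Added example, not from the original post. Assumes the spatie/laravel-permission
// package, roles named "author" and "editor", and a posts.user_id column holding
// the author's id. All of these are assumptions for illustration.

// --- File: routes/web.php ----------------------------------------------------
use App\Http\Controllers\PostController;
use Illuminate\Support\Facades\Route;

// Layer 1, coarse: only authenticated users holding at least one of the two
// roles reach the controller at all. The package's role middleware accepts
// several roles separated by "|". No per-record decision is made here.
Route::middleware(['auth', 'role:author|editor'])->group(function () {
    Route::resource('posts', PostController::class)->except(['index', 'show']);
});

// --- File: app/Policies/PostPolicy.php --------------------------------------
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

// Laravel auto-discovers App\Policies\PostPolicy for App\Models\Post.
class PostPolicy
{
    // Creating a post needs only the role, no record yet.
    public function create(User $user): bool
    {
        return $user->hasRole('author');
    }

    // Layer 2, fine-grained: the decision depends on the record itself, which
    // is exactly the case the answer says does not belong in middleware.
    public function update(User $user, Post $post): bool
    {
        if ($user->hasRole('editor')) {
            return true;                      // editors may edit any post
        }

        return $user->hasRole('author')
            && $post->user_id === $user->id;  // authors only their own
    }

    public function delete(User $user, Post $post): bool
    {
        return $user->hasRole('editor');
    }
}

// --- File: app/Http/Controllers/PostController.php --------------------------
namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;

class PostController extends Controller
{
    use AuthorizesRequests;

    public function __construct()
    {
        // Maps resource actions to PostPolicy methods (store -> create,
        // update -> update, destroy -> delete, ...) and throws a 403
        // AuthorizationException when the policy returns false.
        $this->authorizeResource(Post::class, 'post');
    }

    public function update(Request $request, Post $post)
    {
        // Reaching this line means both layers passed: the route middleware
        // (role) and the policy (this specific record). Only now touch data.
        $data = $request->validate([
            'title' => 'required|string|max:255',
            'body'  => 'required|string',
        ]);
        $post->fill($data)->save();

        return redirect()->route('posts.edit', $post);
    }
}
```

The split keeps the route file readable (one group, one resource line, as the question wanted) while the per-record rule sits in one place and is reused by Blade's @can, by Gate::allows() in a use case, and by the controller, instead of being duplicated across two route groups that register the same posts.update name.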

Tags: Designing software, Laravel, PHP