I have a Laravel application that I have integrated with Xenforo so I can use Xenforo as the main user system behind the application. All of that is working properly, but my next challenge is trying to create middleware that takes the users' Xenforo permissions and restricts access to certain pages on the Laravel application.

I have a $user variable that I am passing to all of my views, and that contains all of the necessary user data that I need. I'm curious how I would go about accessing that same $user variable within my middleware to pull out their Xenforo permissions?

I have researched passing variables through the routes which I can access in the middleware. However, I am not looking to pass an actual parameter through the url to accomplish the task.

My BaseController contains the following and passes the $user variable to all of my views.

class BaseController extends Controller
{
    public function __construct()
    {
      // Setting up the Xenforo environment
      $dir = __DIR__;
      require_once('../public/forum/src/XF.php');
      \XF::start($dir);
      $app = \XF::setupApp('XF\Pub\App');

      // Retrieving the user_id of the current authenticated user
      $session = $app->session();
      $user_id = $session->get('userId');

      // Looking up a users information by their user_id
      $finder = \XF::finder('XF:User');
      $user = $finder->where('user_id', $user_id)->fetchOne();

      // Passing the user to every view
      View::share('user', $user);
    }
}

Here is the middleware and how I'm trying to get it to operate. My biggest issue is trying to get access to the $user variable that I am originally passing above.

class CheckRole
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
      // I would like to find a way to access the $user variable here
      if ($user->is_staff == true)
      {
          return $next($request);
      }
      else
      {
          //Restrict access and redirect
      }

    }
}

2 Answers

0

By default in Laravel, users are accessible via the Auth::user() facade. The data there is filled via the Authenticate middleware.

In your case I'd suggest you use a similar strategy by implementing a middleware which logs the user in (the logic you now have in your controller) and then implement another middleware for checking roles. Beware when registering both middlewares, so the middleware which does the logging is executed first.

You could even go as far as to leverage the Auth facade yourself to manually log the user in and to store your custom user data like so.


3 Comments

I should've specified above but I am not "physically" logging the user into the Laravel application. The logic I have in my controller basically just checks if they are logged in on the forum software and passes their user data via the $user variable to Laravel.
Would it be an idea to keep the forum and your application logged in status in sync? So the middleware will log in if the user is already logged in on the forum and it will also log out if the user is not logged in on the forums?
That is a good idea but I honestly haven't worked with Laravel enough to dive that deep into syncing the logged in states. I guess a better question would be, say I keep the structure the same, would there be an easier way to access my $user variable and guard a route?
-1

You can do it by putting your user data in the session like this in your controller.

$session->put("user_data", $user);

Access it from the middleware:

$app->session()->get("user_data");

3 Comments

A middleware is executed before a controller. So the data you write to the session in your controller will not be available in the middleware (except for the next page reload)
Yes, in the image you linked you can see a request coming in, which first hits the outer layer of the circle; the middleware. After all the middleware are done with the request, the controller is called.
Sorry, I should have been clearer: a middleware can come either before a controller or after a controller; see before & after middleware. In the case of OP, the middleware will be used for guarding a route, which is something you want to do before a controller.
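
The two-middleware approach suggested in the first answer, sketched as an added example (not code from the question or from either answer): one middleware resolves the XenForo user before any controller runs, and a second one guards the route and denies by default. The class name `LoadXenforoUser`, the `xf_user` attribute key, the `/staff` route and `StaffController` are hypothetical, and the example assumes XenForo is installed in `public/forum`, as the question's `require_once` path suggests.

```php
<?php
// Added example. In a real app each class lives in its own file under app/Http/Middleware.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\View;

class LoadXenforoUser
{
    public function handle(Request $request, Closure $next)
    {
        // XenForo bootstrap from the question's BaseController, moved here so it
        // runs before controllers. Assumption: XenForo's root is public/forum.
        $xfRoot = public_path('forum');
        require_once $xfRoot . '/src/XF.php';
        \XF::start($xfRoot);
        $app = \XF::setupApp('XF\Pub\App');

        // Guests have no user id in the forum session; keep $user null for them.
        $userId = $app->session()->get('userId');
        $user = $userId ? \XF::finder('XF:User')->where('user_id', $userId)->fetchOne() : null;

        // Request attributes are set server-side only; nothing in the URL can fill them.
        $request->attributes->set('xf_user', $user);
        View::share('user', $user);

        return $next($request);
    }
}

class CheckRole
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->attributes->get('xf_user');

        // Fail closed: no user, or a user without the staff flag, gets a 403.
        if ($user === null || !$user->is_staff) {
            abort(403);
        }

        return $next($request);
    }
}

// routes/web.php (hypothetical route): the loader is listed first so it runs first.
// Route::get('/staff', [StaffController::class, 'index'])
//     ->middleware([LoadXenforoUser::class, CheckRole::class]);
```

If `CheckRole` is ever attached to a route without `LoadXenforoUser` in front of it, the attribute is missing and the request is rejected rather than allowed through.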
