How to Restrict Blocked Users from Logging In: Implementing User Status Checks in Laravel 11

Discover how to enhance Laravel 11 security by implementing a system to block banned users from logging in. This guide covers adding user status checks, creating middleware, and using customized 403 error messages for clear, secure feedback on account status. Ideal for robust access control.

403 Forbidden: How to Restrict Blocked Users from Logging In.


Step 1: Update the Users Table

First, add a new column to the users table that records whether the account is active or blocked. Create the migration with the following command:

php artisan make:migration add_status_to_users_table --table=users

In the generated migration file, add the status column in the up() method:

Schema::table('users', function (Blueprint $table) {
    // 1 = active (the default for every existing and new user), 0 = blocked.
    // tinyInteger keeps the column small; only two values are ever stored.
    $table->tinyInteger('status')->default(1);
});

Then, run the migration:

php artisan migrate

In your User model (app/Models/User.php), add status to the $fillable properties so it can be set through mass assignment (User::create() / $user->update()). Note that a fillable column is only as safe as the arrays you pass to those methods: never hand request input straight to create() or update() for a user record, or a user could set their own status.

protected $fillable = [
    'name',
    'email',
    'password',
    'status',
];

Step 2: Create a Middleware for Checking Blocked Status

Create a new middleware that will intercept requests and check if the user is blocked:

php artisan make:middleware CheckBlocked

In the middleware (app/Http/Middleware/CheckBlocked.php), update the handle method to check the user's status. The full file, including the imports the generated stub expects, looks like this:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class CheckBlocked
{
    public function handle(Request $request, Closure $next): Response
    {
        // Only an authenticated user has a status to check; 0 means blocked.
        if (auth()->check() && auth()->user()->status == 0) {
            auth()->logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();
            abort(403, 'Not Authorized.');
        }

        return $next($request);
    }
}

Step 3: Register the Middleware

Laravel 11's application skeleton no longer ships app/Http/Kernel.php; middleware groups are configured in bootstrap/app.php instead. Append the new middleware to the web group there, so it runs on every web request after the session has been started:

use App\Http\Middleware\CheckBlocked;
use Illuminate\Foundation\Configuration\Middleware;

->withMiddleware(function (Middleware $middleware) {
    $middleware->web(append: [
        CheckBlocked::class,
    ]);
})

If your application was upgraded from an earlier release and still has app/Http/Kernel.php, add it to the web middleware group there instead:

protected $middlewareGroups = [
    'web' => [
        // other middleware
        \App\Http\Middleware\CheckBlocked::class,
    ],
];

Step 4: Customize and Display Error Responses

Instead of redirecting to the login page with a standard error message, you can give clearer and more secure feedback by returning a customized HTTP 403 Forbidden response and tailoring the view Laravel renders for it (resources/views/errors/403.blade.php).

First, adjust the message passed to abort() in the handle method of your CheckBlocked middleware (app/Http/Middleware/CheckBlocked.php) so that it tells the user why access was refused:

public function handle(Request $request, Closure $next): Response
{
    if (auth()->check() && auth()->user()->status == 0) {
        auth()->logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        abort(403, 'Your account is suspended, please contact admin.');
    }

    return $next($request);
}

Next, customize the page Laravel renders for that 403. The message never reaches the login view: abort() throws an HttpException, so the request ends there, and @error('403') would only look for a validation error on a field named "403". The message is instead available as $exception->getMessage() in resources/views/errors/403.blade.php. Publish the default error views with php artisan vendor:publish --tag=laravel-errors, then edit that file to display the message clearly and add suggestions or contact information for resolving the account status:

{{-- resources/views/errors/403.blade.php --}}
@extends('errors::minimal')

@section('title', __('Forbidden'))
@section('code', '403')
@section('message')
    <div class="alert alert-danger">
        {{-- the text passed to abort(403, ...), with the generic fallback --}}
        {{ $exception->getMessage() ?: __('Forbidden') }}
    </div>
    <p>If you believe this is a mistake, please contact the site administrator.</p>
@endsection

The login view (resources/views/auth/login.blade.php) still needs a block for messages set with redirect()->with('error', ...), for example when a login attempt itself is refused:

@if (session('error'))
    <div class="alert alert-danger">
        {{ session('error') }}
    </div>
@endif

This approach not only prevents blocked users from logging in but also aligns with web standards by using HTTP status codes appropriately. It provides a clear and direct feedback mechanism that informs the user of their account's suspension status in a secure and user-friendly manner.
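The CheckBlocked middleware only runs once a user is already authenticated, so a blocked user is first logged in and then logged out on their next request. This added login action (example code, not from the original post) refuses the account before Auth::login() ever runs and feeds the login view's session('error') block; it assumes the users.status column from Step 1 (1 = active, 0 = blocked), a named route 'dashboard', and LoginController is a hypothetical name for the POST login action.

```php
<?php
// Added example (not from the original post): refuse a blocked account before
// Auth::login(), so no session is ever created for it. Assumes the users.status
// column from Step 1 (1 = active, 0 = blocked) and a named route 'dashboard';
// LoginController is a hypothetical name for the POST /login action.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    public function store(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        // validate() checks the credentials without logging the user in.
        // A wrong password gets the same generic message whether or not the
        // account is blocked, so the form does not reveal which case applies.
        if (! Auth::validate($credentials)) {
            return back()
                ->withInput($request->only('email'))
                ->with('error', 'These credentials do not match our records.');
        }

        $user = Auth::getLastAttempted();

        // Correct password, but the account is blocked: explain why and stop
        // here, before any session exists for this user.
        if ((int) $user->status === 0) {
            return back()
                ->withInput($request->only('email'))
                ->with('error', 'Your account is suspended, please contact admin.');
        }

        Auth::login($user, $request->boolean('remember'));

        // New session id after authenticating, as a defence against session fixation.
        $request->session()->regenerate();

        return redirect()->intended(route('dashboard'));
    }
}
```

Keep the middleware from Steps 2 and 3 as well: it is what ends the session of a user who is blocked while already signed in.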