Access control in Boletilandia is built on a singleDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/AndresLopezCorrales/Boletilandia/llms.txt
Use this file to discover all available pages before exploring further.
usertype string column that splits every authenticated user into exactly one of two roles: admin or user. Two custom Laravel middleware classes gate every sensitive route, while Laravel Jetstream and Fortify handle the full authentication lifecycle — registration, login, password reset, two-factor authentication, and profile management.
Roles
Boletilandia uses a simple string discriminator stored in theusers.usertype column. The column is added by the migration 2024_10_10_032435_update_users_table.php and defaults to 'user' for every newly registered account.
| Role | usertype value | Description |
|---|---|---|
| Regular user | 'user' | Can browse events, select seats, purchase tickets, and download PDF receipts. |
| Administrator | 'admin' | Can create, edit, and delete events; view sales charts; and manage all sections and seats. |
Custom Middleware
Both middleware classes live underApp\Http\Middleware and are registered as named aliases in bootstrap/app.php.
Admin Middleware
The Admin middleware checks that the currently authenticated user has usertype == 'admin'. If the check fails, it aborts with an HTTP 401 Unauthorized response.
Full source — app/Http/Middleware/Admin.php:
The
Admin middleware assumes that Auth::user() is non-null. It must always be applied after the auth:sanctum (or auth) middleware so that an authenticated user is guaranteed to exist when the role check runs.User Middleware
The User middleware mirrors the Admin middleware but checks for usertype == 'user'. If the authenticated user is an admin visiting a user-only route, the request is aborted with 401.
Full source — app/Http/Middleware/User.php:
Middleware Registration
Both middleware classes are registered as named route aliases inbootstrap/app.php using Laravel 11’s fluent application bootstrap API:
Jetstream + Fortify Authentication
Boletilandia uses Laravel Jetstream (Livewire stack) and Laravel Fortify to provide a complete authentication system without custom auth boilerplate.User Registration — CreateNewUser
New accounts are created by App\Actions\Fortify\CreateNewUser, which Fortify calls during the /register flow. It validates the input and then persists a new User:
usertype = 'user' via the column default defined in the update_users_table migration.
Password Rules
Password validation is centralised in thePasswordValidationRules trait used by CreateNewUser:
Password::default() applies Laravel’s default password policy (minimum 8 characters). The 'confirmed' rule requires a matching password_confirmation field in the registration form.
Fortify Actions
FortifyServiceProvider wires up four Fortify action classes:
| Fortify hook | Action class |
|---|---|
createUsersUsing | App\Actions\Fortify\CreateNewUser |
updateUserProfileInformationUsing | App\Actions\Fortify\UpdateUserProfileInformation |
updateUserPasswordsUsing | App\Actions\Fortify\UpdateUserPassword |
resetUserPasswordsUsing | App\Actions\Fortify\ResetUserPassword |
Fortify Features
The enabled Fortify features are configured inconfig/fortify.php. Email verification is currently disabled (commented out):
Rate Limiting
Fortify’s login and 2FA endpoints are rate-limited inFortifyServiceProvider:
login: 5 attempts per minute, keyed byusername|IPtwo-factor: 5 attempts per minute, keyed by the session’slogin.id
Two-Factor Authentication
TheUser model uses the TwoFactorAuthenticatable trait from Laravel Fortify:
users by 2024_10_07_165606_add_two_factor_columns_to_users_table.php:
| Column | Hidden from serialization | Purpose |
|---|---|---|
two_factor_secret | Yes | Encrypted TOTP secret key |
two_factor_recovery_codes | Yes | Encrypted array of backup codes |
two_factor_confirmed_at | No | Timestamp when 2FA was confirmed active |
Only
two_factor_secret and two_factor_recovery_codes are listed in the User model’s $hidden array. two_factor_confirmed_at is not hidden and will appear in JSON serialization.two_factor_confirmed_at column is added conditionally — it is only present when Fortify::confirmsTwoFactorAuthentication() returns true, which is controlled by the 'confirm' => true option in config/fortify.php.
Profile Photos
TheHasProfilePhoto trait from Jetstream is used on the User model:
users.profile_photo_path (up to 2 048 characters). The computed profile_photo_url accessor is appended to every serialized User via $appends.
Sanctum API Tokens
TheHasApiTokens trait from Laravel Sanctum is applied to the User model:
JetstreamServiceProvider configures default token permissions as ['read'] and registers the full permission set available to users:
routes/api.php returns the authenticated user and is protected by the auth:sanctum middleware: