Eventify’s authorization model is deliberately simple and auditable: every user has exactly one role, that role carries aDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/astrxnomo/eventify-app/llms.txt
Use this file to discover all available pages before exploring further.
label string, and a custom middleware reads that label to decide whether a request is allowed to proceed. There are no permission bit-masks, no policy classes, and no package dependencies — just two seeded roles and a single middleware check that runs on every protected route. Understanding this system is essential for knowing which parts of the application any given account can reach.
The Role Model
Roles are stored in theroles table, which is defined by the following migration:
Role Eloquent model exposes all three columns as fillable and declares a hasMany relationship back to User:
label column is the authoritative identifier used during access checks. It is always stored and compared in lowercase.
Available Roles
Two roles are seeded byRolesTableSeeder and represent the full set of roles recognized by the application:
| ID | Name | Label | Description |
|---|---|---|---|
| 1 | Administrator | admin | System Administrator |
| 2 | User | user | Regular User |
users table sets role_id to 2 as its column default, so any new account that is not explicitly assigned a role at creation will be treated as a regular user.
How the Middleware Works
TheRole middleware lives at app/Http/Middleware/Role.php. It is registered as the role key in the application’s middleware aliases and is invoked by appending role:<roles> to any route or group.
- The
$rolesparameter (e.g."admin|user") is split on|into an array of allowed labels. - The authenticated user’s
role->labelis fetched via therolerelationship and lowercased withstrtolower(). - If the lowercased label is not in the allowed array, a
403 Unauthorizedresponse is returned immediately. - If the label matches,
$next($request)passes the request through to the controller.
Because the middleware calls
$request->user()->role->label, it assumes the user is already authenticated and that their role relationship is populated. Always pair role:* with the auth middleware to guarantee both preconditions are met.Protecting Routes
Routes use->middleware('role:admin') for admin-only sections and ->middleware(['auth', 'role:admin|user']) for sections accessible by both roles. Here is how this looks in web.php:
role:admin|user check rejects any authenticated session that does not hold either recognized role. The inner role:admin check then further narrows the admin prefix so that user-role accounts receive a 403 if they attempt to reach any /dashboard/admin/* URL.
Permission Matrix
The table below summarises which dashboard routes each role can access. Routes outside thedashboard prefix (home, explore, event detail) carry no role middleware and are publicly accessible regardless of authentication state.
| Section | Route | user | admin |
|---|---|---|---|
| Dashboard home | /dashboard | ✅ | ✅ |
| My events (list) | /dashboard/events | ✅ | ✅ |
| My events (create/edit/delete) | /dashboard/events/create, edit, delete | ✅ | ✅ |
| My tickets (list) | /dashboard/tickets | ✅ | ✅ |
| My tickets (purchase) | POST /dashboard/tickets/store | ✅ | ✅ |
| Ticket PDF report | /dashboard/tickets/{id}/report | ✅ | ✅ |
| User management | /dashboard/admin/users | ❌ | ✅ |
| Category management | /dashboard/admin/categories | ❌ | ✅ |
| Status management | /dashboard/admin/status | ❌ | ✅ |
Assigning Roles
A user’s role is set by storing the appropriaterole_id foreign key on the users row. There are two places where this happens:
- Admin creates a user — the
UserController::storemethod acceptsrole_idfrom the creation form and persists it directly. - Admin edits a user — the
UserController::updatemethod accepts a newrole_idand overwrites the existing value.
UserTableSeeder is assigned role_id = 1 (Administrator) explicitly: