Parameterized Middleware in Laravel
Last updated on by Harris Raftopoulos
Laravel's middleware system becomes more powerful with parameter passing, allowing dynamic behavior based on runtime values. This feature is particularly useful for role-based access control, rate limiting, or any scenario requiring configurable middleware logic.
namespace App\Http\Middleware; use Closure;use Illuminate\Http\Request; class EnsureUserHasRole{ public function handle(Request $request, Closure $next, string ...$roles) { if (!$request->user()?->hasAnyRole($roles)) { return response()->json([ 'error' => 'Insufficient permissions' ], 403); } return $next($request); }}Let's explore how to implement role-based route protection:
use App\Http\Controllers\PostController;use App\Http\Middleware\EnsureUserHasRole; Route::prefix('posts')->group(function () { // Public routes Route::get('/', [PostController::class, 'index']); // Editor routes Route::put('/{id}', [PostController::class, 'update']) ->middleware(EnsureUserHasRole::class . ':editor'); Route::post('/', [PostController::class, 'store']) ->middleware(EnsureUserHasRole::class . ':editor'); // Admin routes Route::delete('/{id}', [PostController::class, 'destroy']) ->middleware(EnsureUserHasRole::class . ':admin');});Parameterized middleware provides a clean way to implement dynamic authorization rules while keeping your routes and controllers lean.
Filed in:
