Overview The Restaurant Management System implements a robust multi-role authentication system using:
Laravel Sanctum for API token authenticationSpatie Laravel Permission for role-based access control (RBAC)Laravel Jetstream for authentication scaffolding
User Model The User model extends Laravel’s Authenticatable class and integrates multiple traits for comprehensive authentication features.
use Illuminate\Foundation\Auth\ User as Authenticatable ; use Spatie\Permission\Traits\ HasRoles ; class User extends Authenticatable { use HasApiTokens , HasFactory , Notifiable , HasRoles ; protected $fillable = [ 'name' , 'email' , 'password' , ]; protected $hidden = [ 'password' , 'remember_token' , ]; protected $casts = [ 'email_verified_at' => 'datetime' , 'password' => 'hashed' , ]; }
The HasRoles trait from Spatie provides methods like hasRole(), hasAnyRole(), and assignRole() for role management.
Available Roles The system supports three primary roles with distinct permissions:
Admin
Chef
Mesero (Waiter)
Full System Access
User management (create, edit, delete users)
Chef management
View and manage all orders
Access to all food, table, and reservation operations
Complete dashboard access
Kitchen Operations
Manage food menu items (create, update, delete)
View food categories
Update profile information
Limited to food-related operations
Front-of-House Operations
Manage table status and assignments
Handle reservations and table assignments
View and update table availability
Cannot access user or order management
Role-Based Middleware The system uses a custom RoleMiddleware that supports both Spatie roles and fallback usertype checking.
RoleMiddleware Implementation app/Http/Middleware/RoleMiddleware.php
public function handle ( Request $request , Closure $next , ... $roles ) { $user = Auth :: user (); if ( ! $user ) { abort ( 403 , 'No tienes permiso para acceder a esta página.' ); } // Normalize roles: can come as ['admin,chef,mesero'] or ['admin','chef'] $normalized = collect ( $roles ) -> flatMap ( function ( $r ) { if ( is_null ( $r ) || $r === '' ) { return []; } return array_map ( 'trim' , explode ( ',' , $r )); }) -> filter () -> unique () -> values () -> all (); // If Spatie is available, use its helpers if ( method_exists ( $user , 'hasAnyRole' )) { if ( $user -> hasAnyRole ( $normalized )) { return $next ( $request ); } } else { // fallback to usertype string if ( in_array ( $user -> usertype , $normalized , true )) { return $next ( $request ); } } abort ( 403 , 'No tienes permiso para acceder a esta página.' ); }
Route Protection Routes are protected using middleware with role specifications:
// Admin panel - accessible by admin, chef, or mesero Route :: prefix ( 'admin' ) -> name ( 'admin.' ) -> middleware ([ 'auth' , 'role:admin,chef,mesero' ]) -> group ( function () { // Dashboard accessible by all authenticated roles Route :: get ( '/dashboard' , [ AdminDashboardController :: class , 'index' ]) -> name ( 'dashboard' ); // Admin-only routes Route :: middleware ( 'role:admin' ) -> group ( function () { Route :: resource ( 'users' , AdminUserController :: class ); Route :: resource ( 'chefs' , AdminChefController :: class ); }); // Admin and Chef can manage food Route :: middleware ( 'role:admin,chef' ) -> group ( function () { Route :: resource ( 'foods' , AdminFoodController :: class ); }); // Mesero and Admin can manage tables and reservations Route :: middleware ( 'role:admin,mesero' ) -> group ( function () { Route :: resource ( 'tables' , AdminTableController :: class ); Route :: get ( 'reservations' , [ AdminReservationController :: class , 'index' ]); }); });
Post-Login Redirection After successful authentication, users are redirected based on their role:
app/Http/Controllers/HomeController.php
public function redirects ( Request $request ) { $user = Auth :: user (); if ( ! $user ) { return redirect () -> route ( 'home' ); } // Prefer Spatie roles if exists if ( method_exists ( $user , 'hasRole' )) { if ( $user -> hasAnyRole ([ 'admin' , 'chef' , 'mesero' ])) { return redirect () -> route ( 'admin.dashboard' ); } } // Fallback to usertype column switch ( $user -> usertype ?? null ) { case 'admin' : return redirect () -> route ( 'admin.dashboard' ); case 'chef' : return redirect () -> route ( 'chef.dashboard' ); case 'mesero' : return redirect () -> route ( 'mesero.dashboard' ); default : return redirect () -> route ( 'home' ); } }
The redirect logic first checks for Spatie’s hasRole() method, then falls back to a usertype column for backward compatibility.
Authentication Flow
User Registration & Login
Registration : New users register through Laravel Jetstream’s registration formRole Assignment : Admins assign roles to users through the admin panelLogin : Users authenticate with email and passwordRedirection : System redirects based on assigned roleSession Management : Laravel Sanctum manages API tokens and sessions
All admin panel routes require authentication: Route :: middleware ([ 'auth' , 'role:admin,chef,mesero' ]) -> group ( function () { // Protected routes here });
Cart and order routes require basic authentication: Route :: middleware ([ 'auth' ]) -> group ( function () { Route :: get ( '/cart' , [ CartController :: class , 'index' ]); Route :: post ( '/orderconfirm' , [ HomeController :: class , 'orderConfirm' ]); });
API Token Authentication The system uses Laravel Sanctum for API token management:
Provides token generation and validation methods for API authentication
Protects API routes and validates bearer tokens
Security Features
Password Hashing : Automatic bcrypt hashing via password castEmail Verification : Built-in email verification supportCSRF Protection : Laravel’s built-in CSRF middlewareRemember Token : Secure “remember me” functionalityRole Validation : Middleware prevents unauthorized access
Best Practices Important : Always assign roles to new users immediately after creation to ensure proper access control.
Use Spatie Permission : Leverage hasRole() and hasAnyRole() for role checksMiddleware Protection : Apply role middleware to all sensitive routesGraceful Fallback : Implement usertype fallback for legacy supportCentralized Redirects : Use the redirects() method for consistent post-login behaviorAudit Logs : Consider logging role assignments and permission changes 