Laravel's middleware system becomes more powerful with parameter passing, which lets one middleware class behave differently depending on the values passed to it. This feature is particularly useful for role-based access control, rate limiting, or any scenario requiring configurable middleware logic.
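```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserHasRole
{
    // Values after the colon in the route definition arrive as $roles;
    // a comma-separated list becomes one argument per role.
    public function handle(Request $request, Closure $next, string ...$roles)
    {
        // For a guest, user() is null and the nullsafe call yields null,
        // so unauthenticated requests are rejected as well.
        if (!$request->user()?->hasAnyRole($roles)) {
            return response()->json([
                'error' => 'Insufficient permissions'
            ], 403);
        }

        return $next($request);
    }
}
```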
Let's explore how to implement role-based route protection:
```php
use App\Http\Controllers\PostController;
use App\Http\Middleware\EnsureUserHasRole;

Route::prefix('posts')->group(function () {
    // Public routes
    Route::get('/', [PostController::class, 'index']);

    // Editor routes
    Route::put('/{id}', [PostController::class, 'update'])
        ->middleware(EnsureUserHasRole::class . ':editor');
    Route::post('/', [PostController::class, 'store'])
        ->middleware(EnsureUserHasRole::class . ':editor');

    // Admin routes
    Route::delete('/{id}', [PostController::class, 'destroy'])
        ->middleware(EnsureUserHasRole::class . ':admin');
});
```
Parameterized middleware provides a clean way to implement dynamic authorization rules while keeping your routes and controllers lean.
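To pin down the access rules the middleware above enforces, here is a feature test added as an example (it is not code from the original article). It assumes PHPUnit 10 or later, uses made-up `/_probe/...` routes and a constructed stand-in user whose `hasAnyRole()` is an assumption about how the real model behaves.

```php
<?php
namespace Tests\Feature;

use App\Http\Middleware\EnsureUserHasRole;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Facades\Route;
use PHPUnit\Framework\Attributes\DataProvider;
use Tests\TestCase;

class EnsureUserHasRoleTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();
        // Test-only routes (hypothetical paths): no controller or database involved.
        Route::get('/_probe/editor', fn () => 'ok')->middleware(EnsureUserHasRole::class . ':editor');
        Route::get('/_probe/staff', fn () => 'ok')->middleware(EnsureUserHasRole::class . ':editor,admin');
        Route::get('/_probe/none', fn () => 'ok')->middleware(EnsureUserHasRole::class);
    }

    // Constructed stand-in user; this hasAnyRole() is an assumed implementation.
    private function userWith(array $held): Authenticatable
    {
        return new class($held) extends Authenticatable {
            public function __construct(private array $held = []) { parent::__construct(); }
            public function hasAnyRole(array $roles): bool { return array_intersect($roles, $this->held) !== []; }
        };
    }

    // [roles held (null = guest), URI, expected HTTP status]
    public static function matrix(): array
    {
        return [
            'guest is denied'                => [null, '/_probe/editor', 403],
            'wrong role is denied'           => [['viewer'], '/_probe/editor', 403],
            'editor passes editor route'     => [['editor'], '/_probe/editor', 200],
            'admin is not implicitly editor' => [['admin'], '/_probe/editor', 403],
            'comma list: either role passes' => [['admin'], '/_probe/staff', 200],
            'no parameter: nobody passes'    => [['admin'], '/_probe/none', 403],
        ];
    }

    #[DataProvider('matrix')]
    public function test_role_matrix(?array $held, string $uri, int $expected): void
    {
        if ($held !== null) {
            $this->actingAs($this->userWith($held));
        }
        $this->getJson($uri)->assertStatus($expected);
    }
}
```

The last case passes only because the stand-in returns `false` for an empty role list; swap in your real user model to confirm that a route attached without a role parameter is denied there too.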
