odan / session

A middleware oriented session handler for PHP and Slim 4+
https://odan.github.io/session/
MIT License

How to protect routes? #25

Closed debabratadev closed 2 years ago

debabratadev commented 2 years ago

Can you please direct me on how to use SessionMiddleware to protect a route or group? I am not able to find an example.

For example, how to protect the admin group here? Let's say we want to check if the session contains the "Admin" role, then allow; otherwise throw an error.

```php
$app->group('/admin', function (RouteCollectorProxy $group) {
    // ...
})->add(SessionMiddleware::class);
```

Thanks in advance.

odan commented 2 years ago

A session package is not responsible for checking the user for a specific "role", because RBAC or ACL is a different concern. The SessionMiddleware only ensures that the session is started, but not more. To protect your routes you can add a custom "UserAuthMiddleware" to your routing group that reads the user from the session and checks it against a specific group. If the user is not in this group, the UserAuthMiddleware could throw an HttpForbiddenException.
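One way to implement the UserAuthMiddleware described above, as an added example that is not part of odan/session, Slim, or this issue's original answer. It assumes the login handler stores the logged-in user in the session under the key `user` as an array with `id` and `role` entries, that odan/session's `SessionInterface` is injected by the DI container, and that the `Odan\Session\Middleware\SessionMiddleware` namespace matches the installed version (the class name itself is the one used in the question). The middleware denies by default: no user gives 401, a user without an allowed role gives 403.

```php
<?php

declare(strict_types=1);

namespace App\Middleware;

use Odan\Session\SessionInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Exception\HttpForbiddenException;
use Slim\Exception\HttpUnauthorizedException;

/**
 * Example middleware (not part of odan/session): reads the user from the
 * session and only lets requests through when the user holds an allowed role.
 */
final class UserAuthMiddleware implements MiddlewareInterface
{
    /**
     * @param string[] $allowedRoles Roles that may pass; everything else is denied.
     */
    public function __construct(
        private SessionInterface $session,
        private array $allowedRoles = ['Admin']
    ) {
    }

    public function process(
        ServerRequestInterface $request,
        RequestHandlerInterface $handler
    ): ResponseInterface {
        // Assumption: the login handler stored ['id' => ..., 'role' => ...]
        // under this key. Adjust the key to whatever your login code sets.
        $user = $this->session->get('user');

        // Not logged in at all: 401 tells the client it must authenticate.
        if (!is_array($user) || !isset($user['id'])) {
            throw new HttpUnauthorizedException($request, 'Login required');
        }

        // Logged in but without an allowed role: 403. Strict comparison so
        // a role of 0 or true can never match a string role name.
        $role = $user['role'] ?? null;
        if (!is_string($role) || !in_array($role, $this->allowedRoles, true)) {
            throw new HttpForbiddenException($request, 'Insufficient role');
        }

        // Hand the verified user to the route handlers as a request attribute.
        return $handler->handle($request->withAttribute('user', $user));
    }
}
```

Middleware order matters when wiring the group: Slim runs middleware added with `->add()` last-added-first, so `SessionMiddleware` has to be added after `UserAuthMiddleware` on the group (`->add(UserAuthMiddleware::class)->add(SessionMiddleware::class)`) for the session to be started before the role check reads it. Adding them the other way round means `$session->get('user')` runs against a session that has not been started yet.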

debabratadev commented 2 years ago

Okay, thanks for your suggestion.