Authentication & Authorization

Session-Based Auth

The Portal uses session-based authentication. Users log in at /login (the Signin Livewire component), which sets session variables:

  • session('userid') — The user’s ID
  • session('usertype') — Integer role code (see below)
  • session('internal_user_id') — Set for internal/staff users

Logout is handled by RegistrationController@logout at /logout.

User Types (Roles)

Defined in app/Constants/Role.php:

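| Value | Constant | Display Name (UK) | Display Name (US) |
|-------|----------|-------------------|-------------------|
| 1 | ADMIN | Administrator | Administrator |
| 2 | LANDLORD | Landlord | Property Owner |
| 3 | USER | User | User |
| 4 | MODERATOR | Moderator | Moderator |
| 5 | MANAGER | Manager | Manager |
| 6 | MODERATOR_ADMIN | Admin | Admin |
| 7 | OPERATOR | Operator | Operator |
| 8 | BUSINESSTOBUSINESS | BusinessToBusiness | BusinessToBusiness |
| 9 | POWER_USER | Power User | Power User |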

These are stored as the role column on the users table.

Middleware

Four session-check middleware classes control panel access. They are registered as aliases in the kernel and used in routes/web.php.

AdminSession (app/Http/Middleware/Admin.php)

Allows: session('usertype') == 1 OR session('internal_user_id') is set
Redirects to: /login

Admin users with usertype == 1 are the original superadmins. Internal users (staff members stored in the internal_users table) also get access. For Filament routes (internal-admin*), the middleware additionally calls Auth::login() to authenticate the user into Laravel’s auth system.

LandlordSession (app/Http/Middleware/Landlord.php)

Allows: session('usertype') in [2, 7]
Redirects to: /login

Also checks the USE_BOOST_CREDITS feature flag and stores the result in the session. Restricts B2B dashboard access to allowed user IDs.

ModeratorSession (app/Http/Middleware/Moderator.php)

Allows: session('usertype') in [4, 5, 6, 7, 9]
Redirects to: /login

Allows moderators, managers, moderator admins, operators, and power users.

BusinessToBusinessSession (app/Http/Middleware/BusinessToBusiness.php)

Allows: session('usertype') == 8
Redirects to: /login

Permission System (Admin Panel)

Beyond basic usertype checks, admin routes use a granular permission system via the CheckPermission middleware.

How It Works

  1. Superadmins (usertype == 1) bypass all permission checks.
  2. Internal users with the admin role bypass all permission checks.
  3. Internal users with the manager role bypass all checks except user-management.
  4. Other internal users must have the specific permission slug assigned to one of their roles.
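
The four rules above, written out as a pure decision function with constructed test cases. This is an added example, not the project's CheckPermission middleware; canAccess(), the array shapes, and the role names 'admin' and 'manager' as stored strings are assumptions, as is letting a manager reach user-management through an explicitly assigned slug (rule 4).

```php
<?php
declare(strict_types=1);

// Added illustration only; NOT the project's CheckPermission middleware.
const ROLE_ADMIN = 1; // value of ADMIN in the role table above

/**
 * @param array      $session  session values, e.g. ['usertype' => 1]
 * @param array|null $internal null when no internal user is behind the session,
 *                             else ['roles' => string[], 'permissions' => string[]]
 *                             (hypothetical shape; permissions = slugs from all roles)
 */
function canAccess(array $session, ?array $internal, string $slug): bool
{
    // Rule 1: superadmins bypass every permission check.
    if ((int) ($session['usertype'] ?? 0) === ROLE_ADMIN) {
        return true;
    }
    // Not a superadmin and not an internal user: nothing can grant access.
    if ($internal === null) {
        return false;
    }
    $roles = $internal['roles'] ?? [];
    // Rule 2: the internal admin role bypasses every check.
    if (in_array('admin', $roles, true)) {
        return true;
    }
    // Rule 3: the manager role bypasses everything except user-management.
    if (in_array('manager', $roles, true) && $slug !== 'user-management') {
        return true;
    }
    // Rule 4: the slug must be assigned through one of the user's roles (default deny).
    return in_array($slug, $internal['permissions'] ?? [], true);
}

// Constructed cases: [session, internal user, slug, expected result]
$cases = [
    [['usertype' => 1], null, 'user-management', true],
    [['usertype' => 2], null, 'houses', false],
    [[], ['roles' => ['admin'], 'permissions' => []], 'user-management', true],
    [[], ['roles' => ['manager'], 'permissions' => []], 'insights', true],
    [[], ['roles' => ['manager'], 'permissions' => []], 'user-management', false],
    [[], ['roles' => ['support'], 'permissions' => ['customer-support']], 'drops', false],
];
foreach ($cases as [$session, $internal, $slug, $want]) {
    if (canAccess($session, $internal, $slug) !== $want) {
        throw new RuntimeException("unexpected decision for {$slug}");
    }
    printf("%-16s %s\n", $slug, $want ? 'allow' : 'deny');
}
```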

Database Tables

  • internal_users — Staff user accounts (separate from the main users table)
  • internal_roles — Role definitions (model: Role)
  • internal_permissions — Permission definitions (model: Permission)
  • internal_role_user — Many-to-many: internal users to roles
  • internal_permission_role — Many-to-many: roles to permissions

Models

  • InternalUser (app/Models/InternalUser.php) — Extends Authenticatable, has roles() relationship, hasRole() and hasPermission() methods.
  • Role (app/Models/Role.php) — Maps to internal_roles, has permissions() and users() relationships.
  • Permission (app/Models/Permission.php) — Maps to internal_permissions, has roles() relationship.

Permission Slugs Used in Routes

From routes/web.php, the following permission slugs are enforced:

  • user-management — Admin user management
  • drops — Push notification drops
  • concierge — Concierge enquiry management
  • documents — Document management
  • houses — House listing management
  • insights — Analytics dashboard
  • agents — Agent management
  • students — Student management
  • perks — Perks and events management
  • customer-support — Customer support and contract uploads
  • notifications — Notification management
  • university-expansion — University expansion tools

Caching

Permission lookups are cached for 1 hour per internal user ID using Laravel’s Cache::remember():

  • user_has_admin_role_{id}
  • user_has_manager_role_{id}
  • user_permissions_{id}

Filament Auth

The Filament panel at /internal-admin uses the AdminSession middleware as its authMiddleware. This means the same session-based authentication applies. When accessing Filament routes, the Admin middleware also calls Auth::login() with the session user to satisfy Filament’s built-in auth requirements.

Password Reset

  • /forgot — ForgotPassword Livewire component
  • /resetPassword — ResetPassword Livewire component
  • /reset/{id} — ResetPasswordContainer (token-based reset)