I'm trying to stop a user from accessing a page. I'm using https://spatie.be/docs/laravel-permission/v3/introduction in my Laravel app.
The problem I'm having is that the user is still able to access the page even when the permission is turned off.
So I have a page called `user-info.blade.php` that allows a user to read and update a user's info, and only specific people are able to do it.
I have 2 permissions, `manage users` and `view users`. `manage users` allows you to update and delete a user, whereas `view users` only lets you view them.
The problem I'm having is that when I switch `manage users` off for a user, that user can still access that page. All my UI stuff disappears, like my buttons, but if I go to that page directly from the URL I can still access it.
This is in my `api.php`:

```php
Route::get('/manage-users', [UserController::class, 'manageUsers'])->middleware('can:manage users');
Route::get('/users', [UserController::class, 'getUsers'])->middleware('can:view users');
```

I'm not sure what other code to add to my question or what other information to give.
(I would rather put my answer as a comment but since I'm unable to comment I'm posting it as an answer.)
If I understand, your `user-info.blade.php` page is accessible for both `manage users` and `view users` permissions. If that's the case, turning off the `manage users` permission will only prevent them from updating the information; they will still be able to view data (meaning they are able to access the page). You probably need to turn off `view users` too if you don't want them to access the page.
And I don't understand why you are using `api` to prevent users from accessing a page.
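
Added example, not part of the question or the answer above: one way to enforce both permissions on the server for the page itself, in `routes/web.php` rather than only on the API endpoints. The `/user-info/{user}` paths and the `showUserInfo`, `updateUserInfo` and `deleteUser` method names are assumptions; only `UserController` and the two permission names come from the question.

```php
<?php
// routes/web.php
// Added example. Paths and controller method names below are assumptions;
// UserController and the permission names are taken from the question.

use App\Http\Controllers\UserController;
use Illuminate\Support\Facades\Route;

// 'auth' runs first, so an anonymous request is rejected before the
// permission check is ever evaluated.
Route::middleware('auth')->group(function () {

    // Rendering the page is a read, so it is gated on the read permission.
    // The check runs on the server for every request, including a URL typed
    // straight into the address bar, regardless of what the Blade view hides.
    // Use 'can:manage users' here instead if only managers may open the page.
    Route::get('/user-info/{user}', [UserController::class, 'showUserInfo'])
        ->middleware('can:view users');

    // Each state-changing request carries its own gate. Hiding the buttons
    // in the template does not stop a hand-crafted PUT or DELETE request.
    Route::put('/user-info/{user}', [UserController::class, 'updateUserInfo'])
        ->middleware('can:manage users');

    Route::delete('/user-info/{user}', [UserController::class, 'deleteUser'])
        ->middleware('can:manage users');
});
```

With these routes a signed-in user who lacks the required permission gets a 403 response from the server. If permissions were changed directly in the database rather than through the package's methods, run `php artisan permission:cache-reset` so the cached permission set is rebuilt.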