Btw, storing a user’s roles in the session can become a security hole. After a successful login, roles can’t be revoked from the user until the session ends, and a session - technically - can be kept alive for years.
Yes, that would be the only safe way, but it depends on the security requirements of the application. For very simple websites with one or two admin users I do store the user’s role in the session. For anything with more complex access control I wouldn’t do it.
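
The stale-role problem discussed in the two posts above, as an added example that is not part of either post: one session caches the roles at login, the other stores only the user id and resolves roles on every request. The in-memory `USERS` and `SESSIONS` dictionaries and all function names are assumptions standing in for a real user table and session store.

```python
# Constructed in-memory stand-ins for a user table and a session store.
USERS = {"alice": {"roles": {"admin"}}}   # hypothetical sample data
SESSIONS = {}

def login_caching_roles(sid, user_id):
    """Pattern from the first post: copy the roles into the session at login."""
    SESSIONS[sid] = {"user_id": user_id, "roles": set(USERS[user_id]["roles"])}

def login_id_only(sid, user_id):
    """Store only the identity; roles are resolved on every request."""
    SESSIONS[sid] = {"user_id": user_id}

def allowed_from_session(sid, role):
    """Authorize from the snapshot taken at login (can go stale)."""
    session = SESSIONS.get(sid)
    return bool(session) and role in session.get("roles", set())

def allowed_from_store(sid, role):
    """Authorize from the current user record, so revocation is immediate."""
    session = SESSIONS.get(sid)
    if not session:
        return False
    user = USERS.get(session["user_id"])  # a deleted user is denied as well
    return user is not None and role in user["roles"]

def revoke(user_id, role):
    """An administrator removes a role while sessions are still alive."""
    USERS[user_id]["roles"].discard(role)

def demo():
    # Reset the constructed state so the demo is repeatable.
    USERS["alice"] = {"roles": {"admin"}}
    SESSIONS.clear()
    login_caching_roles("s1", "alice")
    login_id_only("s2", "alice")
    before = (allowed_from_session("s1", "admin"), allowed_from_store("s2", "admin"))
    revoke("alice", "admin")
    after = (allowed_from_session("s1", "admin"), allowed_from_store("s2", "admin"))
    return before, after

if __name__ == "__main__":
    print(demo())
```

After the revocation, the session that cached its roles still passes the admin check, while the session that stores only the user id is denied on its next request.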