Hello there, I am working on a project in Laravel in which I need to assign permissions to each user so that I can verify in each Blade file or controller function whether the current user has the permission to perform an action. Moreover, the side nav links are also generated dynamically from these permissions.
I created two tables:
1: User => [ID, Name .....]
2: Permissions => [ID, Name, user_id(fk)]
To solve this problem, I have stored all of the user's permissions in the session at login time, so that I can verify the permissions on each page and generate the links from the session.
Is that a good approach, or is there a better solution for this?
It would be good if you had shared more code, but I can see what you want to achieve. Firstly, you don't need to store them in the session because you already have a relation between the User object and Permission. Add these lines of code to your User model:
public function permissions()
{
    // permissions.user_id references users.id, so a User has many Permissions
    return $this->hasMany(Permission::class);
}
Then you have access to the permissions in your Blade templates or controllers. A small example in a controller:
$user = User::find(1);
dd($user->permissions);
// you can write a condition to check if user has Permission etc.
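To show what "write a condition to check if the user has a permission" looks like end to end, here is an added example (it is not code from the answer above or from the asker's project). It assumes a Permission model backed by the permissions table from the question (id, name, user_id), a custom route middleware registered under the key permission, and a ProductController; those names are assumptions.

```php
<?php
// Added example: a User model that owns its permissions through a hasMany
// relation, a helper that checks one permission against the database, and a
// route middleware that enforces it. Model, middleware and route names are
// assumptions, not the asker's code.

// ---- app/User.php ----
namespace App;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Database\Eloquent\Relations\HasMany;

class User extends Authenticatable
{
    // permissions.user_id references users.id, so User hasMany Permission
    public function permissions(): HasMany
    {
        return $this->hasMany(Permission::class);
    }

    // Checked against the database on every request rather than a session
    // copy, so a permission revoked by an admin takes effect immediately.
    public function hasPermission(string $name): bool
    {
        return $this->permissions()->where('name', $name)->exists();
    }
}

// ---- app/Http/Middleware/RequirePermission.php ----
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequirePermission
{
    // Usage on a route: ->middleware('permission:add product')
    public function handle(Request $request, Closure $next, string $permission)
    {
        $user = $request->user();

        // Deny anonymous users and users lacking the permission alike.
        if ($user === null || ! $user->hasPermission($permission)) {
            abort(403, 'You do not have the "' . $permission . '" permission.');
        }

        return $next($request);
    }
}

// ---- routes/web.php ----
// Requires 'permission' => \App\Http\Middleware\RequirePermission::class
// in $routeMiddleware of app/Http/Kernel.php.
Route::middleware('auth')->group(function () {
    Route::get('/products/create', 'ProductController@create')
        ->name('products.create')
        ->middleware('permission:add product');
    Route::post('/products', 'ProductController@store')
        ->name('products.store')
        ->middleware('permission:add product');
});
```

For the dynamic side nav, the same helper drives the Blade template: wrap each link in @if (auth()->check() && auth()->user()->hasPermission('add product')) ... @endif. Because both the nav and the middleware consult hasPermission(), hiding a link never substitutes for the server-side check on the route itself.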
Yes, you can store this in the session. But the better option is to get the permissions through the relation object, like
User::find(1)->permissions()->get()
Well, if you're asking for a "better solution"... I'm not sure if it's too late for this information since you're already developing the project. However, I would recommend this package for your long-term management (for both users and devs).
Spatie Laravel-permission package
It has role-based permissions and a direct-permission design (which is similar to your design). Once you have installed the package, the role and permission tables are created for you.
Once you have created the desired roles with permissions, it's easy for you to manage which page to allow for which role and which button should be shown.
You can check roles in your controller for those who can view this page.
In blade, you can check both roles and permission for which button to show or disable.
Hence, you don't need to worry about session settings or session expiry. It's better for maintenance and development in the future.
The Spatie package has simple syntax and easy to work with.
Installation:
composer require spatie/laravel-permission
Syntax:
Basic usage and syntax
There is plenty of information and tutorials out there.
I am creating a Laravel project for the users. Laravel has its own laravel/ui package, but I am creating its admin panel too, and I am a bit confused about what I should do for admins. Also, I am confused about the security for the admin panel. So there are 2 solutions in my mind:
Add a new column in the user's table named status, and if its value is admin, he can access the admin panel; otherwise, redirect to the homepage.
Create a separate admins table and improve laravel/ui auth. For that, I found documentation here.
What should I do? I have even added a table prefix for the tables in .env & config/database.php. I am afraid that hackers/users might access the admin panel. And also, tell me if the table prefix is good for security, or should I remove the table prefix?
You need a permissions and roles system.
https://spatie.be/docs/laravel-permission/v4/introduction
This is a good decision for you. With well-configured routes no one will have access to the admin panel without access to the database.
For example, a panel page that only admins have access to:
Route::name('adminspace.')->middleware('role:admin')->group(function () {
    Route::view('/panel', 'pages.panel')->name('panel');
});
I have designed a store with Laravel 6, and used laravel-permission 3 for user management. I'd like to restrict every CRUD action with a specific permission (e.g. add product, delete product).
There is a short description about using wildcard permissions in Spatie, but I'm not sure about it. I don't know where the best place is to define these restrictions.
Here is a route sample for creating and editing a product and their middleware (restrictions by permission).
Route::get('/create', 'Controller@create')->name('create')->middleware('permission:add product');
Route::post('/store', 'Controller@store')->name('store')->middleware('permission:add product');
Route::get('/{product}/edit', 'Controller@edit')->name('edit')->middleware('permission:edit product');
Route::patch('/{product}/update', 'Controller@update')->name('update')->middleware('permission:edit product');
I suggest that you use Laravel's Model Policies; you can find more information at the link below.
https://docs.spatie.be/laravel-permission/v3/best-practices/using-policies/
Furthermore, you can find an example of implementing a model policy with this Laravel Permissions package in this demo app:
https://github.com/drbyte/spatie-permissions-demo/blob/master/app/Policies/PostPolicy.php
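As an added illustration of the policy approach (this is example code written for this page, not the linked demo app's PostPolicy and not the asker's store), here is a ProductPolicy that maps each CRUD action to a Spatie permission, plus a controller that applies it with authorizeResource() so that the per-route permission middleware from the question is no longer needed. It assumes Laravel 6 with an App\Product model and that the permissions "view products", "add product", "edit product" and "delete product" exist; those names are assumptions.

```php
<?php
// Added example: a model policy backed by Spatie permissions. Inside the
// policy, $user->can('add product') goes through Laravel's Gate, where
// spatie/laravel-permission has registered a Gate::before hook that resolves
// plain permission names. Model and permission names are assumptions.

// ---- app/Policies/ProductPolicy.php ----
namespace App\Policies;

use App\Product;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class ProductPolicy
{
    use HandlesAuthorization;

    public function viewAny(User $user): bool
    {
        return $user->can('view products');
    }

    public function view(User $user, Product $product): bool
    {
        return $user->can('view products');
    }

    // Covers both the create form (GET) and the store action (POST).
    public function create(User $user): bool
    {
        return $user->can('add product');
    }

    // Covers both the edit form (GET) and the update action (PATCH).
    public function update(User $user, Product $product): bool
    {
        return $user->can('edit product');
    }

    public function delete(User $user, Product $product): bool
    {
        return $user->can('delete product');
    }
}

// ---- app/Http/Controllers/ProductController.php ----
namespace App\Http\Controllers;

use App\Product;
use Illuminate\Http\Request;

class ProductController extends Controller
{
    public function __construct()
    {
        // Maps index/create/store/show/edit/update/destroy onto the policy's
        // viewAny/create/create/view/update/update/delete and resolves the
        // route-model-bound {product} parameter for the instance methods.
        $this->authorizeResource(Product::class, 'product');
    }

    public function create()
    {
        return view('products.create');
    }

    public function store(Request $request)
    {
        $data = $request->validate(['name' => 'required|string|max:255']);
        Product::create($data);

        return redirect()->route('products.index');
    }

    public function edit(Product $product)
    {
        return view('products.edit', compact('product'));
    }

    public function update(Request $request, Product $product)
    {
        $data = $request->validate(['name' => 'required|string|max:255']);
        $product->update($data);

        return redirect()->route('products.index');
    }
}
```

Register the policy in the $policies array of AuthServiceProvider (Product::class => ProductPolicy::class) and declare the routes with Route::resource('products', 'ProductController'). Every action is then authorised in one place, and a new action cannot be added to the controller without the policy denying it by default.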
How can I create a new article from the Joomla front-end as a registered user? I tried a lot but I can't solve the problem.
Only the super user can create a new article.
I created a new menu item called create article in the main menu and its access is given to Registered. But I still get the error
An error has occurred.
The requested page cannot be found.
Home Page
If difficulties persist, please contact the System Administrator of this site and report the error below.
403 You are not authorised to view this resource.
when I try to create a new article as a registered user from the front-end.
Please help me with this.
Thanks in advance...
By default registered users do not have create rights; you need to be an Author for that.
You can do what you want in two ways: change the permission for Registered in com_content for Create to Allowed, or you could change the default user group for new users to Author. You set the default group in the User Manager options.
The way user roles work in Joomla is something like this:
$user = JFactory::getUser();   // a plain assignment is enough; =& is not needed here
//print_r($user);
//echo $user->get('gid');
if ($user->get('gid') == 25) {
    // allow user
} else {
    // disallow or redirect to somewhere
}
The above code allows access for user group 25 only.
What you need to do is:
Find the code for the registered user group and include that user group code in the if condition.
Note: You can find the user group code in the jos_users table.
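The same "allow or redirect" check written against the Joomla 1.6+ ACL API, added here as an example (it is not from either answer above). It assumes Joomla 1.6 or later, where the single gid column from 1.5 has been replaced by group membership and asset permissions, and that the snippet runs inside a front-end view or controller; the redirect targets and the Registered group id of 2 are assumptions based on a default install.

```php
<?php
// Added example: front-end gate for article creation using the Joomla 1.6+
// ACL instead of a hard-coded group id. Group id 2 (Registered in a default
// install) and the redirect URLs are assumptions.
defined('_JEXEC') or die;

$user = JFactory::getUser();
$app  = JFactory::getApplication();

// Anonymous visitor: send to the login form and return here afterwards.
if ($user->guest) {
    $return = base64_encode(JUri::getInstance()->toString());
    $app->enqueueMessage(JText::_('JGLOBAL_YOU_MUST_LOGIN_FIRST'), 'warning');
    $app->redirect(JRoute::_('index.php?option=com_users&view=login&return=' . $return, false));
}

// Preferred check: ask the ACL whether this user may create content. This is
// exactly what setting Create = Allowed for Registered in com_content changes,
// so the code needs no edit when the site's permissions are reconfigured.
if (!$user->authorise('core.create', 'com_content')) {
    $app->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error');
    $app->redirect(JRoute::_('index.php', false));
}

// Group-membership test, the 1.6+ equivalent of "gid == 25": a user may be in
// several groups, so test for membership rather than comparing one value.
$registeredGroupId = 2;
if (in_array($registeredGroupId, $user->getAuthorisedGroups())) {
    // the user is (directly or by inheritance) in the Registered group
}
```

Prefer the authorise() check over group tests wherever the question is "may this user do X": it honours the Global Configuration and component permission settings the first answer tells the asker to change, while a group id comparison silently stops working as soon as an administrator reorganises the groups.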
I'm building a component for the backend. I don't want the users who will access it to access ANYTHING else in the backend except for this component.
I tried following these two instructions:
http://www.aclmanager.net/blog/general/31-how-to-add-basic-acl-support-to-your-extension
http://docs.joomla.org/Developing_a_Model-View-Controller_%28MVC%29_Component_for_Joomla!1.6_-_Part_14#Describing_the_ACL
I made a new User Group with a parent of Public and allowed admin login (which would lock them out of everything), and then tried adding the ACL code from the links above with permissions to create and edit, but I just get a blank screen (not even a logout link). The "Debug Permissions Report" showed the correct permissions but nothing's showing up.
Any ideas? My next step is to manually go through every component and not allow access to that new User Group but it seems like there's an easier way.
Thanks!
In Joomla! 2.5 we regularly create "Content"-only backend users that have access only to the 'com_content' component.
Going back through our steps, the only thing you haven't specified is adding the new user group to a View Access Level. If you're using the standard sample content installed when setting up a Joomla! website, you can add your new user group to the "Special" view access level (although any will do).
If a new group has 'admin login' privileges it can log in, but without a View Access Level it can't see anything. It's a subtle difference, but it's the way Joomla! works.
I am utilizing a custom MY_Controller to authenticate users on my Codeigniter website.
I utilize $this->load->vars($data); such that I can access the users information in views.
My first question is: does $this->load->vars($data); allow access in models, and if so, how? I couldn't find any information. If not, how can I get my logged-in user's username into my models without having to pass it through a controller every time?
Secondly... if the user is not logged in, I redirect them redirect(base_url() . 'account/login');
This works great, except that because my account controller also extends MY_Controller, it gets stuck in an infinite redirect loop. I could just not extend the custom controller for this page, but I see no reason why a logged-in user should not still be able to look at the login page. Any ideas?
Finally.. if a user is logged in, $user['username'] is defined in my views.
If a user is not logged in, it is not defined.
As such, if I have if($user['username']!=''){ within my code, when a user IS logged in all is fine and the code executes; however, when no user is logged in, errors pop up regarding an undefined variable being used in an if statement...
Codeigniter being difficult..
What is the work around here?
Many Thanks !!
I agree with Chris about storing user details in the session.
To check if a user is logged in you could write a gatekeeper function and place it in the controller's constructor to protect controllers (and therefore the views).
Something like:
function gatekeeper()
{
    // session data is read with userdata(); it returns FALSE when the key is unset
    if (!$this->session->userdata('username'))
    {
        redirect('/account/login');
    }
}
I would consider storing the user data for the currently logged-in user in the session so that you don't need to query it and pass it to the view every time. You can access session data in controllers, views and models with $this->session->userdata('your_userdata_var_name');.
The reason $user['username'] gives an error is probably because it's being completely removed, not set to an empty string (''), in which case you are trying to access an undefined array key.
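Putting the three points of the question together, here is an added example of a MY_Controller (written for this page; it is not the asker's controller or the answerer's code) that gates every controller extending it, lets the login page through so the account controller does not loop, always defines $user for the views, and a model that reads the session itself. It assumes CodeIgniter 2.x or 3.x with the session library and url helper autoloaded; the controller name account, its public methods, the 'username' session key and the Audit_model are assumptions.

```php
<?php
// Added example: base controller with a gatekeeper that exempts the login
// page, a safe default for $user in views, and a model reading the session.
// Route names, session key and model name are assumptions.
defined('BASEPATH') OR exit('No direct script access allowed');

// ---- application/core/MY_Controller.php ----
class MY_Controller extends CI_Controller
{
    // Controller => methods reachable without a session. Listing the login
    // page here breaks the redirect loop and still lets logged-in users see it.
    protected $public_routes = array(
        'account' => array('login', 'register', 'forgot'),
    );

    // Always defined, so views can test $user['username'] !== '' safely.
    protected $user = array('username' => '');

    public function __construct()
    {
        parent::__construct();
        $this->gatekeeper();

        // userdata() returns FALSE (CI 2) or NULL (CI 3) for an unset key.
        $username = $this->session->userdata('username');
        if (!empty($username)) {
            $this->user['username'] = $username;
        }

        // Available in every view loaded by this request.
        $this->load->vars(array('user' => $this->user));
    }

    protected function gatekeeper()
    {
        $class  = $this->router->fetch_class();
        $method = $this->router->fetch_method();

        if (isset($this->public_routes[$class])
            && in_array($method, $this->public_routes[$class], TRUE)) {
            return;   // public action: no session required
        }

        if (!$this->session->userdata('username')) {
            redirect('account/login');   // exits; nothing below runs
        }
    }
}

// ---- application/models/audit_model.php ----
class Audit_model extends CI_Model
{
    // Models reach the session through CI's magic __get, so nothing has to be
    // passed in from the controller on each call.
    public function record($action)
    {
        $username = $this->session->userdata('username');
        if (empty($username)) {
            return FALSE;   // never attribute an action to an anonymous visitor
        }

        return $this->db->insert('audit_log', array(
            'username' => $username,
            'action'   => $action,
        ));
    }
}
```

Two caveats that go with storing user details in the session: keep the whitelist of public actions short and explicit, since every entry is a page that skips the gate; and in CodeIgniter 2 the default session lives in a client-side cookie, so enable sess_use_database (and sess_encrypt_cookie) in config.php before trusting the stored username for authorisation decisions.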