Laravel 7: Disable login & autologin (remember_token) - laravel

I want to be able to disable certain users in my Laravel 7 app. I therefore created a column "active" in the "Users" table, and when it is set to active = 0 the user isn't able to log in anymore.
The issue I have is the "Remember Me" function, since already logged-in users still have access to the app after I disabled their accounts, because they don't have to pass the login form.
Will deleting the "remember_token" in the "Users" table have any effect on this? I tried this with a user (deleted the user's remember_token in the table) but it had no immediate effect, since autologin still worked after that. But maybe I'm missing something here.
Additional Info: I'm using Laravel Passport for authentication.

I decided to go with the middleware solution, as I didn't want to reduce the overall SESSION_LIFETIME.
I created an extra middleware called "VerifyUserState", because I didn't succeed in reading the user's "active" value via Auth::user() or $this->auth inside of the authenticate/handle function in the Authenticated.php middleware.
I followed this tutorial to achieve this:
https://www.itechempires.com/2019/08/how-to-create-configure-and-use-custom-middleware-in-laravel-5-8/
Now it works as needed.
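A middleware of the kind the answer describes, written here as an added example (it is not the poster's own VerifyUserState). It assumes the "active" column from the question, the Passport HasApiTokens trait on the User model for API clients, and a named "login" route; register it in Kernel.php and apply it to the authenticated route groups.

```php
<?php
// app/Http/Middleware/VerifyUserState.php (added example, not the poster's own middleware).
// Assumes the "active" column from the question and, for API clients, Passport's HasApiTokens trait.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;

class VerifyUserState
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Nothing to do for guests or for accounts that are still active.
        if ($user === null || $user->active) {
            return $next($request);
        }

        // Rotate remember_token so every existing "Remember Me" cookie, in every
        // browser, stops matching. Deleting the token alone is not enough while a
        // live session still identifies the user: the cookie is only consulted
        // when there is no session.
        $user->setRememberToken(Str::random(60));
        $user->save();

        // Revoke Passport access tokens so API calls fail as well.
        if (method_exists($user, 'tokens')) {
            foreach ($user->tokens as $token) {
                $token->revoke();
            }
        }

        // End the browser session (web guard) and drop its CSRF token.
        if ($request->hasSession()) {
            Auth::guard('web')->logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();
        }

        return $request->expectsJson()
            ? response()->json(['message' => 'Account disabled.'], 403)
            : redirect()->route('login')->withErrors(['email' => 'Your account has been disabled.']);
    }
}
```

Because the check runs on every request, a disabled account is cut off on its next page load or API call rather than at the end of SESSION_LIFETIME.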

Related

Laravel Multiauth: To be or Not to Be?

I am building an app and will need multi auth to work well. First, users that will log in as employees using the users table with email and password. I'm using Voyager as backend and using roles and permissions. So far, so good. Now I have another kind of user: they are registered on an ERP and I reach them via WS using CPF (like the social security number) and a password stored in the ERP. Then I get them and record all the data I need in a table. It is working well. Well, it was working. For those users, I used the API route, just so as not to make a mess of my web routes file. Yesterday I ran php artisan make:auth and that's when things started to get crazy.
Every axios call now returns me an 'unauthorized' message because, obviously, they're not authenticated.
What would be better?
Refactor the Users login to use CPF instead of email, give a new role to those other API guys and make them pass through the web.php file like everybody else?
Use a multiauth package?
Or anything else?
Please, help!
To me, a user is a user. It seems to be a common thing that if an application has more than one “type” of user, that developers instantly start creating multiple Eloquent models, then guards, then controllers, then views, and so on; and then find themselves in a mess when they need a route that can be accessed by more than one type of user.
Instead, elevate “type” to its own model and add it as a relation to your User model. If a user can only be of one type, then make it a one-to-many relation. If a user can have many roles, then make it a belongs-to-many relation. You then use authorization to determine whether a user can access a route based on the role(s) they have.

How to allow Laravel admin user to simulate or authenticate as any other user on my site?

I'm trying to figure out the quickest and easiest way to allow the admin user on the site I'm building to access and update any user's settings etc. E.g. I've written the code for a regular user to update their settings (and various other actions). Ideally I want an admin to be able to "be" that user as far as my code is concerned, i.e. allow the admin to do anything a user can, to that user's account. Is there any way of doing this?
If I Auth::login() as admin then from the point of view of Laravel I'm the admin user and not the user they might want to edit. If I login as the user then I don't have admin rights (which in my case means an extra admin menu on the navbar with options to suspend or delete the user, or search for other users).
Any thoughts on how to do this please, or am I overcomplicating things? I am looking for specific functions/code to allow this, rather than a general strategy. I'm using Laravel 5.4, deployed on Heroku. I know there's middleware but it doesn't seem to do what I want, as above.
Many thanks.
You could do as suggested in the above comment by Tim Lewis, or you could accept an "override" property in the user edit page where you can pass a specific user ID and then view the page as that user. For instance, the method might look like this:
public function editUser(User $user = null)
{
    // The user to edit may be provided (via route-model binding). If it is not,
    // $user is null and we load the user that is currently logged in.
    if ($user !== null && Auth::user()->role === 'admin') {
        $user_to_edit = $user;
    } else {
        $user_to_edit = Auth::user();
    }
    // other code goes here
}
Then, if you pass a $user object to the method, you will be given the edit page for that user, rather than the Admin. Otherwise, a user will be able to use the same route in order to always view their own edit page.
Be very careful with code like this! You will want to make sure that non-admins do not have the ability to load in a user object and see somebody else's information. That's why I added the $user->role check in the if/else statement, but you might want to add extra security in the form of middleware.
Spatie's laravel-permission is a wonderful package that I use to make permissions on resources available to super-administrators. https://github.com/spatie/laravel-permission
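The "extra security" the answer asks for, as an added example rather than the answerer's code: the same admin-or-self rule moved into a policy, so the check is enforced by the framework before the controller touches the target account. It assumes App\User with a "role" string column, Laravel 5.4 as in the question, and a users.edit view.

```php
<?php
// Added example (not the answerer's code): the same admin-or-self rule, but enforced by a
// policy so it cannot be forgotten in a controller. Assumes App\User with a "role" string
// column, Laravel 5.4 as in the question, and a users.edit view.

// app/Policies/UserPolicy.php
namespace App\Policies;

use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class UserPolicy
{
    use HandlesAuthorization;

    // Admins may edit any account; everyone else only their own.
    public function update(User $actor, User $target)
    {
        return $actor->role === 'admin' || $actor->id === $target->id;
    }
}

// app/Providers/AuthServiceProvider.php: map the model to the policy.
//   protected $policies = [\App\User::class => \App\Policies\UserPolicy::class];

// routes/web.php: one controller method serves both "my settings" and "edit user X".
//   Route::get('/settings', 'UserController@edit')->middleware('auth');
//   Route::get('/users/{user}/edit', 'UserController@edit')->middleware('auth');

// app/Http/Controllers/UserController.php
namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    public function edit(Request $request, User $user = null)
    {
        // No {user} in the URL means "edit myself".
        $target = $user ?: $request->user();

        // Aborts with 403 unless UserPolicy::update allows it; a non-admin guessing
        // another id in the URL is rejected before any data is loaded into the view.
        $this->authorize('update', $target);

        return view('users.edit', ['user' => $target]);
    }
}
```

The same policy method can guard the update action and the navbar's admin items via @can('update', $user), so the rule lives in one place.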

One login on multiple subdomain laravel

I want to create one login for my two laravel application, one on subdomain portal.mydomain.com and the other is app.mydomain.com (if not logged in, will redirect to portal.mydomain.com).
In this case, I try to use the database driver, so I created the session table in the Laravel style.
When I log in via portal.mydomain.com, I see the session data in the session table is updated like this:
|id|user_id|ip_address|user_agent|payload|last_activity|
|ec4156b47e3e527af871c7b4b688393aee631cda|9|(myipaddress)|(myuser_agent)|YTozOntzOjY6Il90b2tlbiI7czo0MDoiWnQ1OXpBNzhsZ3I4ZVJUc2tXeEtiTExkU1R6T1hHSUNBYWxrSU1obCI7czo5OiJfcHJldmlvdXMiO2E6MTp7czozOiJ1cmwiO3M6MzQ6Imh0dHA6Ly95ZHBidWRnZXQudGFuZ2tvdGEuY29tL3Rlc3QiO31zOjY6Il9mbGFzaCI7YToyOntzOjM6Im9sZCI7YTowOnt9czozOiJuZXciO2E6MDp7fX19|1503693006|
And on the portal application, the login succeeds. But when I try to access the app application, it updates the user_id column to NULL, the payload changes, and it forces a logout on the portal application too.
I don't know why it updates the value in the session table when it should insert the value.

User and admin role in laravel 5.3

In my Laravel project, I want some admin and user roles. I want users to be sent to different routes after login, and likewise for admins. How should I do it?
You should first make 3 tables in your database: user, role and user_role. The user_role table holds the many-to-many relationship. Then you make a middleware that checks your role at login. In your routes, you use that middleware on the login POST route.
See details about middleware in the Laravel 5.3 documentation.
https://www.laravel.com/docs/5.3/middleware
You can try laravel 5.3 boilerplate. It comes with a full featured access control system out of the box with an easy to learn API and is built on a Twitter Bootstrap foundation with a front and backend architecture.
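The role-as-relation approach from the multiauth answer and the user/role/user_role middleware from the answer above, worked through as one added example (code from neither answerer). It assumes tables users, roles(id, name) and the pivot role_user(role_id, user_id), Laravel's default pivot name for this pair, and Laravel 5.3's LoginController.

```php
<?php
// Added example serving both answers above (roles as a relation, and a middleware that checks
// them on routes); not code from either answerer. Assumes tables users, roles(id, name) and
// the pivot role_user(role_id, user_id), Laravel's default pivot name for this pair.

// app/Role.php
namespace App;

use Illuminate\Database\Eloquent\Model;

class Role extends Model {}   // inverse relation (users) omitted for brevity

// app/User.php (only the additions shown)
class User extends \Illuminate\Foundation\Auth\User
{
    public function roles()
    {
        return $this->belongsToMany(Role::class);
    }

    // One query, no N+1: does this user hold any of the given role names?
    public function hasAnyRole(array $names)
    {
        return $this->roles()->whereIn('name', $names)->exists();
    }
}

// app/Http/Middleware/EnsureRole.php, registered in Kernel::$routeMiddleware as 'role'.
namespace App\Http\Middleware;

use Closure;

class EnsureRole
{
    // Route::get('/admin', 'AdminController@index')->middleware('auth', 'role:admin');
    public function handle($request, Closure $next, ...$roles)
    {
        $user = $request->user();
        if (! $user || ! $user->hasAnyRole($roles)) {
            abort(403);   // authenticated but not authorised: do not redirect to login
        }
        return $next($request);
    }
}

// app/Http/Controllers/Auth/LoginController.php: per-role landing page after a successful login.
//   protected function authenticated(\Illuminate\Http\Request $request, $user)
//   {
//       return redirect($user->hasAnyRole(['admin']) ? '/admin' : '/home');
//   }
```

Because roles are rows rather than separate User models or guards, a route that several roles may use just lists them: role:admin,editor.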

How do I get CodeIgniter sessions to work across multiple applications?

I use two different applications in my CI installation. The first is called "admin"... obviously an admin panel. The second is "frontend" where everything else is. I use the same database for each of the apps and the same member tables, both for admin authentication and member auth. The problem is, since the CI session class doesn't use native PHP sessions, the session only works in the application that it is set in (which makes sense)... for example, if a user that is indeed an admin logs into the system through the frontend app and then clicks the link to the admin app, they are required to log in again. If they have the "Remember Me" option selected when they log in to both apps, this obviously isn't a problem.
How would I fix this? Or do you guys think it's better to have them login to the admin app again, just to validate their admin status again?
Thanks for your time.
You could use the native PHP session instead. There's a class which you can just copy and paste, and you'll not have to change any of the rest of your code.