I have a nicely working basic install of Laravel JetStream and Spatie's laravel-permission in Laravel 8.
I can assign a role to the user during registration via
$user->assignRole('visitor');
return $user;
and can restrict the available menu items on the user's dashboard through the permissions I have assigned to the role in my seeder file's run method:
Permission::create(['name' => 'access profile']);
Permission::create(['name' => 'access logout']);
$visitor = Role::create(['name' => 'visitor']);
$visitor->givePermissionTo('access profile');
and through the can directive in the view, like:
@can('access profile')
<!-- Account Management -->
<div class="block px-4 py-2 text-xs text-gray-400">
{{ __('Manage Account') }}
</div>
<x-jet-dropdown-link href="{{ route('profile.show') }}">
{{ __('Profile') }}
</x-jet-dropdown-link>
@endcan
So by that, I can hide the menu item as per role but unfortunately, I can still access the functionality directly, by knowing the exact URL.
I guess I have to write a middleware to restrict access to certain functions, but how exactly?
What is the proper and accepted way to handle this problem in this stack?
Thanks!
Armand
So everything seems fine BUT (!)
How is it possible to forbid direct access to the hidden items? I guess in this case routes are controlled by sanctum, while roles and permissions are by Spatie's package.
Is it possible to link the two?
Thanks!
Did you try this? It seems like they added exactly the same for Spatie. Nevertheless I think you need to add a gate permission check like
abort_if(Gate::denies('permission'), Response::HTTP_FORBIDDEN, '403 Forbidden');
on every action
I would see if you can utilize laravel's built in can middleware. Then you might be able to update your route definitions. Something like
Route::get('/profile', 'ProfileController@index')->middleware('can:access profile');
I haven't done this with the package you're using, but I think it should work if the other built-in functionality like blade @can works.
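Putting the two answers above together as an added example (not code from the question or the answers): a routes file that rejects a direct URL request with a 403 before the controller runs. It assumes Laravel 8 with Jetstream's auth:sanctum guard, spatie/laravel-permission v4/v5 (where the middleware classes live under the Middlewares namespace), the permissions seeded in the question, and a hypothetical App\Http\Controllers\ProfileController.

```php
<?php
// routes/web.php, added example (not from the question or answers above).
// Assumes Laravel 8 + Jetstream (auth:sanctum) + spatie/laravel-permission v4/v5,
// the 'access profile' / 'access logout' permissions seeded as in the question,
// and a hypothetical App\Http\Controllers\ProfileController.

use App\Http\Controllers\ProfileController;
use Illuminate\Support\Facades\Route;

Route::middleware(['auth:sanctum', 'verified'])->group(function () {
    // 1) Laravel's built-in 'can' middleware. Spatie registers a Gate::before
    //    hook, so the ability name is resolved against the user's roles and
    //    permissions. A user who types the URL without 'access profile'
    //    receives a 403 before the controller is reached; hiding the menu
    //    item alone does not give that guarantee.
    Route::get('/profile', [ProfileController::class, 'show'])
        ->middleware('can:access profile');

    // 2) The package's own middleware; needs the alias registered in
    //    app/Http/Kernel.php (see the snippet at the bottom).
    Route::get('/sign-out', [ProfileController::class, 'logoutPage'])
        ->middleware('permission:access logout');
});

// Controller-level equivalent of the abort_if() check from the answer above,
// for actions a route middleware cannot express (e.g. per-record checks):
//
//     public function show()
//     {
//         $this->authorize('access profile'); // AuthorizationException -> 403
//         return view('profile.show');
//     }
//
// app/Http/Kernel.php: register the Spatie aliases next to the framework ones
//
//     protected $routeMiddleware = [
//         // ...
//         'role'       => \Spatie\Permission\Middlewares\RoleMiddleware::class,
//         'permission' => \Spatie\Permission\Middlewares\PermissionMiddleware::class,
//     ];
```

Keep the @can directive in the view for the menu, but treat the route middleware as the actual access control: the view check is cosmetic, the middleware is what stops a guessed URL.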
Related
I am new to Laravel and I am confused with these snippets that I got automatically when I installed the Laravel UI by using the command composer require laravel/ui. I am not quite getting what it's trying to do.
@if (Route::has('login'))
<div class="top-right links">
@auth
Home
@else
Login
@if (Route::has('register'))
Register
@endif
@endauth
</div>
@endif
In English, it's saying that if you have laravel/ui installed and Auth::routes() in the web.php routes file then if you also logged in (authenticated) show the "Home" link. Otherwise, if you are not logged in, show the login link and then if there is a route for 'register' then display the register link. You can verify your current routes from the command line by issuing: php artisan route:list.
The code snippet is just to show the Menu Link based on whether you are logged in or not
@if (Route::has('login'))
<div class="top-right links">
@auth
Home
@else
Login
@if (Route::has('register'))
Register
@endif
@endauth
</div>
@endif
In the above code snippet, @if (Route::has('login')) just checks if you have any route registered with the name login; if yes,
@auth checks if you are already logged in: then it will show the 'Home' link, else it will show the 'Login' link.
@if (Route::has('register')) again checks if you have any route defined with the name register; then it will also show the 'Register' link.
In Laravel 7 / blade app using "albertcht/invisible-recaptcha": "^1.9"
I added rule
'g-recaptcha-response' => 'required|captcha'
to pages with common access such as login, register, contact_us
and added captcha in for definition of all these forms, like:
<form method="POST" action="{{ route('login') }}" aria-label="{{ __('Login') }}">
{{ csrf_field() }}
@captcha('en')
Can I consider all these pages safe from external attacks?
Do I have to take some additional steps? If yes, which?
Thanks!
All captchas will protect your forms only from spam attacks.
There are also many other ways for attacking which you may consider other methods for protecting your forms.
But captcha (even invisible-recaptcha) will protect your forms from spammers.
I have multiple guards in my system
Admin
User
Admin and User both can add the organization details, but they have different template layouts. What I'm doing now is creating views for each guard like this:
views
user
organizations
index.blade.php
_form.blade.php
create.blade.php
edit.blade.php
admin
organizations
index.blade.php
_form.blade.php
create.blade.php
edit.blade.php
Now I want to create one view which can be used by multiple guards with different layouts:
views
organizations
index.blade.php
_form.blade.php
create.blade.php
edit.blade.php
From the Laravel Blade Documentation:
If needed, you may specify the authentication guard that should be checked when using the @auth and @guest directives:
@auth('admin')
// The user is authenticated...
@endauth
@guest('admin')
// The user is not authenticated...
@endguest
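Applied to the single shared view the question asks for, as an added example (not code from the question or the answer): the layout is chosen from the guard that is authenticated, and guard-specific sections use the @auth('admin') directive quoted above. It assumes an 'admin' guard in config/auth.php, two hypothetical layouts (layouts.admin and layouts.user) and a hypothetical admin.organizations.create route.

```blade
{{-- resources/views/organizations/index.blade.php, added example (not from the question or answer) --}}
{{-- Assumes an 'admin' guard in config/auth.php and the hypothetical layouts.admin / layouts.user layouts --}}

{{-- @extends accepts an expression: pick the layout from the guard that is logged in.
     If both guards are authenticated in the same session, the admin layout wins. --}}
@extends(auth('admin')->check() ? 'layouts.admin' : 'layouts.user')

@section('content')
    <h1>Organizations</h1>

    @auth('admin')
        {{-- Rendered only when the request is authenticated against the admin guard.
             This only hides the link; the target route still needs its own
             auth:admin middleware to refuse a direct request. --}}
        <a href="{{ route('admin.organizations.create') }}">New organization</a>
    @endauth

    {{-- The same partial serves both guards --}}
    @include('organizations._form')
@endsection
```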
I am building an application with Laravel and Vue.js. I am using vue router, and with this I am controlling all routes. Now, I want to make a URL xyz.com/admin which will be different (a new Laravel route; I want to work with this admin separately). I am using the code below, but it is not working.
Route::get(
'/admin/{view?}',
"AdminController@index"
);
Route::view('/{any}', 'home')->where('any', '.*');
I also remove the admin link from <router-link>
<v-list-tile-title v-if="isAdminMethod===true">
Admin Panel
</v-list-tile-title>
<v-list-tile-title v-else>
<router-link :to="{ path: i.to }">
{{ i.title}}
</router-link>
</v-list-tile-title>
How about you try something like
Route::get(
'/admin/{view?}',
"AdminController@index"
);
or it might be worth looking into something like InertiaJS.
Let me know if you have any further queries.
I'm trying to find the route that connects a view and a controller in code I'm editing.
This is how the route is included in the view:
<a href="{{ route('admin.provider.edit', $provider->id) }}" ></i> Edit</a>
Try
use \App\Http\Controllers\ControllerName;
{{ ControllerName::Functionname($params); }}
Go to your console and run the following command:
php artisan route:list
This will output something like this:
Right there you can see a lot of information such as: Domain, Method, URI, Name, Action and Middleware. That's the best way to find what you want!