so I made a policy and whatever I do the Web page returns 403. im very new to laravel so most likely im missing something :)
I made a model by
php artisan make:model exercise | (I know I'm supposed to capitalize models but it was a typo)
Controller:
php artisan make:controller ExercisesController
Policy:
php artisan make:policy ExercisePolicy -m exercise
I registered policy in AuthServiceProvider.php (Also tried as 'App\Models\exercise'=>'App\Policies\ExercisePolicy'):
protected $policies = [
// 'App\Models\Model' => 'App\Policies\ModelPolicy',
exercise::class => ExercisePolicy::class,
];
In ExercisesController.php this is the function in which I use authentication:
public function create(\App\Models\User $user)
{
$this->authorize('create', $user);
return view('exercises/create');
}
And in policy this is how my create function looks like
public function create(User $user)
{
return $user->admin == true;
}
The route:
Route::get('/exercises/create', [App\Http\Controllers\ExercisesController::class, 'create']);
I tried putting die("Policy is called); and trying to just return true from the policy create function to check if it gets to that but it still returned 403 , at this point I'm pretty sure that the policy itself is not being called as it also returns 403 on default
If anyone could help thanks in advance!
The call to authorize is using the second argument to figure out what Policy to use. Since the second argument is $user it would be looking for a Policy for the User model which you have not defined. To use the Policy for the exercise model you would have to pass the class name so it would know what Policy to use:
$this->authorize('create', exercise::class);
Though you should correct your typo and rename the exercise.php file to Exercise.php and the classname to Exercise.
Laravel 8.x Docs - Authorization - Writing Policies - Methods without Models
Laravel 8.x Docs - Authorization - Authorization Actions using Policies - Via Controller Helpers - Actions That Don't Require Models
I had this same issue and what I learnt was that Policies would work only on authenticated route.
Make sure your request is authenticated while implementing policies.
Related
So I created a middleware to limit the data a connected user has access to by adding global scopes depending on some informations:
public function handle(Request $request, Closure $next)
{
if (auth()->user()?->organization_id) {
User::addGlobalScope(new OrganizationScope(auth()->user()->organization));
}
return $next($request);
}
The middleware is added to the 'auth.group' middleware group in Kernel.php which is used in web.php:
Route::middleware(['auth.group'])->group(function () {
Route::resource('users', UserController::class);
});
Then in the controller, I would expect a user to get a 404 when trying to see a page of a user he has no rights to. But the $user is retrieved before the middleware applies the global scope!
public function show(User $user, Request $request) {
// dd($user); // <= This actually contains the User model! It shouldn't, of course.
// dd(User::find($user->id)); // <= null, as it should!
}
So, the dependency is apparently calculated before the middleware is applied. If I'm trying to move the middleware into the 'web' group in Kernel.php it's the same. And in the main $middleware array, the authenticated user's data is not available yet.
I found this discussion that seems to be on topic : https://github.com/laravel/framework/issues/44177 but the possible solutions (and Taylor's PR) seems to point to a solution in the controller itself. Not what I'm trying to do, or I can't see how to adapt it.
Before that I was applying the global scopes at the Model level, in the booted function (as shown in the docs). But I had lots of issues with that - namely, accessing a relationship from there to check what is allowed or not is problematic, as the relationship call will look for something in the Model itself, and said model is not ready (that's the point of the booted method, right...). For example, checking a relationship of the connected user on the User model has to be done with a direct query to the db, that will be ran every time the Model is called... Not good.
Anyway, I like the middleware approach as it is a clean way to deal with rights as well, I think. Any recommandation?
Not a recommendation, just my opinion.
This issue is just because of that Laravel allow you add middleware in controller constructor, and that's why it calculate before midddleware in your case.
I agree that middleware is a clean way to deal with auth, but i also think that you are not completely doing auth in your middleware, for example if you create a new route will you need to add something auth action into your new controller or just add auth middleware to route?
If does needs add something to controller, that means your auth middleware is just put some permissions info into global scope and you are doing the auth in controller which i think it's not right.
Controller should be only control the view logic, and you should do full auth in your auth middleware, once the request passed into your controller function that means user passed your auth.
For some example, if you auth permissions like below, you can just add auth middleware to new route without any action in your controller when you trying to create new route.
public function handle(Request $request, Closure $next)
{
if (auth()->user()->canView($request->route())) { // you should do full auth, not just add informations.
return $next($request);
}
else
abort(404);
}
I'm trying to test an authenticated API route which only an authenticated user can post to a specific route.
Looking at the Laravel Sanctum docs, I can use the code below to create and authenticate a user:
Sanctum::actingAs(
factory(User::class)->create(),
['*']
);
When I try replicate this, I get an error running the test
BadMethodCallException: Call to undefined method App\User::withAccessToken()
My test code is as follows:
public function an_authenticated_user_can_add_a_client()
{
$user = Sanctum::actingAs(
factory(User::class)->create(),
['*']
);
dd($user);
// $this->post('/api/clients', $this->data());
}
api.php
Route::middleware('auth:sanctum')->group(function () {
//Clients
Route::get('/clients/{client}','ContactsController#show');
Route::post('/clients','ContactsController#store');
Route::patch('/clients/{client}','ContactsController#update');
Route::delete('/clients/{client}','ContactsController#destroy');
});
I don't have the method withAccessToken() in my User class and can't see where this method is coming from or specified anywhere.
Any help would be greatly appreciated.
Laravel Sanctum for SPA uses normal session authentication so the default actingAs method works fine. The actingAs method in Sanctum is meant to use for api tokens. Hope it helps.
Your User model is missing the HasApiTokens trait, that gives the function you are missing to the User model. Also described in the documentation, under the section Issuing API Tokens.
use Laravel\Sanctum\HasApiTokens;
class User {
use HasApiTokens;
}
Since 2 weeks I work in a projet of devlopment of a application. I must creat many CRUD and it may take many times. Now I want to know if I can use a free crud generator laravel.If yes, which generator?
Need your Help please.
Command:
php artisan make:model User -mrc
RESTful Resource controller
A RESTful resource controller sets up some default routes for you and even names them.
Route::resource('users', 'UsersController');
Gives you these named routes:
Verb Path Action Route Name
GET /users index users.index
GET /users/create create users.create
POST /users store users.store
GET /users/{user} show users.show
GET /users/{user}/edit edit users.edit
PUT|PATCH /users/{user} update users.update
DELETE /users/{user} destroy users.destroy
And you would set up your controller something like this (actions = methods)
class UsersController extends BaseController {
public function index() {}
public function show($id) {}
public function store() {}
}
You can also choose what actions are included or excluded like this:
Route::resource('users', 'UsersController', [
'only' => ['index', 'show']
]);
Route::resource('monkeys', 'MonkeysController', [
'except' => ['edit', 'create']
]);
RESTful Resource Controller documentation
Implicit controller
An Implicit controller is more flexible. You get routed to your controller methods based on the HTTP request type and name. However, you don't have route names defined for you and it will catch all subfolders for the same route.
Route::controller('users', 'UserController');
Would lead you to set up the controller with a sort of RESTful naming scheme:
class UserController extends BaseController {
public function getIndex()
{
// GET request to index
}
public function getShow($id)
{
// get request to 'users/show/{id}'
}
public function postStore()
{
// POST request to 'users/store'
}
}
Implicit Controller documentation
It is good practice to use what you need, as per your preference. I personally don't like the Implicit controllers, because they can be messy, don't provide names and can be confusing when using php artisan routes. I typically use RESTful Resource controllers in combination with explicit routes.
Laravel already provides CRUD operation see: laravel.com/docs/5.8/controllers#resource-controllers
Laravel resource routing assigns the typical "CRUD" routes to a controller with a single line of code. For example, you may wish to create a controller that handles all HTTP requests for "photos" stored by your application. Using the make:controller Artisan command, we can quickly create such a controller:
php artisan make:controller PhotoController --resource
[EDIT 1]
Or you can choose for example: Laravel-Backpack/CRUD which comes with an Admin panel and others things like that.
[EDIT 2]
Also you can refer this Laravel blog to choose a generator:
https://laravel-news.com/13-laravel-admin-panel-generators
[EDIT 3]
Again on Laravel Blog you can see that Laravel is constantly evolving a new Artisan command have been added see:
laravel-news.com/laravel-resources-artisan-command
I'm in the process of upgrading a Laravel 4.2 app I inherited to Laravel 5.2. The app has multiple roles for logged in users that were handled with a before filter. Each controller has an array of functions and roles allowed for those functions:
public $actionFilter = [
'directories-create'=>['super','tsr'],
'directories-destroy'=>['super','tsr'],
'directories-edit'=>['super','tsr'],
'directories-directoryinfo'=>['super','tsr','admin'],
'directories-index'=>['super','tsr'],
'directories-store'=>['super','tsr'],
'directories-update'=>['super','tsr'],
];
then in the construct function it calls two beforeFilters that were in Controller.php
public function __construct()
{
$this->beforeFilter('#filterAuthorization');
$this->beforeFilter('#rerouteSite');
}
Controller.php had a public function filterAuthorization that checked if user's role had access to the route, and a public function rerouteSite that allowed user to stay on the same page but switch between accounts (for example, for a support rep).
I've spent a fair amount of time reading the manual, Googling and reading various tutorials, but I'm still unclear how to get my route-role array connected to the auth middleware. The Laravel docs provide syntax but not the context and the examples I've read either take a different approach or have a different usecase from mine.
I tried leaving the filter functions in Controller.php and calling them like this in the construct:
public function __construct()
{
$this->middleware('#filterAuthorization');
$this->middleware('#rerouteSite');
}
I get an error message: "Class #filterAuthorization does not exist"
I tried putting those functions in app\Http\Middleware\Authenticate, but I get the same error message: "Class #filterAuthorization does not exist"
I followed the steps on Matt Stauffer's blog here (https://mattstauffer.com/blog/laravel-5.0-middleware-filter-style/) and here (https://mattstauffer.com/blog/passing-parameters-to-middleware-in-laravel-5.1/) and on Nwanze Franklin's post here (https://dev.to/franko4don/deep-dive-into-middlewares-in-laravel-doo) as follows.
Create two new middleware files with Artisan
php artisan make:middleware FilterAuthorization
php artisan make:middleware RerouteSite
Edit the new middleware files with the functions from the old Controller.php
Register the new middleware in App\Http\Kernel
protected $routeMiddleware = [
'filterauth' => \Illuminate\Routing\Middleware\FilterAuthorization::class,
'reroutesite' => \Illuminate\Routing\Middleware\RerouteSite::class,
];
Edit the public function __contstruct() in the Controllers than need filtering
public function __construct()
{
$this->middleware('FilterAuthorization');
$this->middleware('RerouteSite');
}
Run
composer dump-autoload
php artisan clear-compiled
php artisan optimize
and I still get the same error:
Class FilterAuthorization does not exist
I'm sure there's a simple way to put this together without rewriting the whole role authorization system. Can someone point me in the right direction?
The kernel registration needs to reference the correct file locations as follows:
'filterauth' => \App\Http\Middleware\FilterAuthorization::class,
'reroutesite' => \App\Http\Middleware\RerouteSite::class,
And the controller boot should use the aliases rather than the class names:
public function __construct()
{
$this->middleware('filterauth');
$this->middleware('reroutesite');
}
Then Laravel can find the custom middleware.
I am attempting to use authentication for application through api, but when I set the guard in middleware it does not work and returns 403 exception.
I have this route guard in controller constructor:
public function __construct()
{
$this->middleware('auth:api');
}
Anytime I use Auth::user() the 403 is returned. Is something being missed?
For using Auth::user() make sure your routes are protected by api midlleware()
For using a user u can specify
Auth::gaurd('api')->user();
Hope this helps