Where to define permissions for every crud action in laravel - laravel

I have designed a store with Laravel 6, and used laravel-permission 3 for user management. I'd like to restrict every CRUD action by a definite permission (e.g. add product, delete product).
There is a short description about using wildcard permissions in Spatie, but I'm not sure about it. I don't know where the best place to define these restrictions is.
Here is a route sample for creating and editing products and their middleware (restrictions by permissions).
Route::get('/create', 'Controller@create')->name('create')->middleware('permission:add product');
Route::post('/store', 'Controller@store')->name('store')->middleware('permission:add product');
Route::get('/{product}/edit', 'Controller@edit')->name('edit')->middleware('permission:edit product');
Route::patch('/{product}/update', 'Controller@update')->name('update')->middleware('permission:edit product');

I suggest that you use Laravel's Model Policies; you can find more information in the link below.
https://docs.spatie.be/laravel-permission/v3/best-practices/using-policies/
Furthermore, you can find an example of implementing a model policy with this Laravel Permissions package in this demo app:
https://github.com/drbyte/spatie-permissions-demo/blob/master/app/Policies/PostPolicy.php
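
The policy approach suggested above, sketched for the question's product routes. This is an added example, not code from the original post or the linked demo app; the App\Product model, the ProductController name and the 'delete product' permission are assumptions, while 'add product' and 'edit product' are the permission names from the question.

```php
<?php
// Added example; each section belongs in the file named above it.
// Assumed names: App\Product, App\User (using Spatie's HasRoles trait),
// ProductController, and a 'delete product' permission.

// --- app/Policies/ProductPolicy.php ---
namespace App\Policies;

use App\Product;
use App\User;

class ProductPolicy
{
    // Checked for the create and store actions
    public function create(User $user)
    {
        return $user->can('add product');
    }

    // Checked for the edit and update actions
    public function update(User $user, Product $product)
    {
        return $user->can('edit product');
    }

    // Checked for the destroy action
    public function delete(User $user, Product $product)
    {
        return $user->can('delete product');
    }
}

// --- app/Providers/AuthServiceProvider.php (inside the class) ---
// protected $policies = [\App\Product::class => \App\Policies\ProductPolicy::class];

// --- app/Http/Controllers/ProductController.php ---
namespace App\Http\Controllers;

use App\Product;

class ProductController extends Controller
{
    public function __construct()
    {
        // Runs the matching policy method before every resource action,
        // so the routes no longer need a permission middleware each.
        $this->authorizeResource(Product::class, 'product');
    }
}
```

authorizeResource also maps index to viewAny and show to view; with no such methods on the policy those two actions are denied, so add them if the controller has listing or detail pages.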

Related

Laravel spatie package

I am using the Laravel Spatie package. I want to create a permission module for each controller, and each controller has create, read, update and delete. For example, I have a product controller and I don't want to create permissions for that controller like "create_product", "read_product", "update_product" and "delete_product". What I want is to name the permission as product, with sub-permissions for create, read, update and delete in the same column. Please share some solution for how I can achieve this. Thanks in advance!
What I use in Laravel is policies. Each model has its Policy with the create(), update(), destroy(), ... and other functions. You can add your own logic in these functions.
You can check the documentation for more details: laravel-official-documentation

Storing User Roles in Session Laravel

Hello there, I am working on a project in Laravel in which I need to assign permissions to each user so that I can verify in each blade file or controller function whether the current user has the permission to perform an action. Moreover, the side nav links are also generated dynamically using these permissions.
I created two tables:
1: User => [ID, Name .....]
2: Permissions => [ID, Name, user_id(fk)]
To solve this problem, I have stored all the permissions of users in the session at the time of login, so that I can verify all permissions on each page and generate links by fetching from the session.
Is that a good approach, or is there any better solution for this?
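It would be good if you had shared more code, but I can see what you want to achieve. Firstly, you don't need to store them in the session because you already have a relation between the User object and Permission. Add these lines of code to your User model:
public function permissions() {
    // The Permissions table carries the user_id foreign key, so a user has many permissions
    // (Permission is the assumed name of the model for that table)
    return $this->hasMany(Permission::class);
}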
Then you have access in your blade or controller to the permission. Small example in the controller:
$user = User::find(1);
dd($user->permissions);
// you can write a condition to check if user has Permission etc.
Yes, you can store this in the session. But the better option will be to get the permissions through the relation object, like
User::find(1)->permissions()
Well, if you're asking for a "better solution" ... I'm not sure if it's too late for this information since you're already developing the project. However, I would recommend this package for your long-term management (for both user and dev).
Spatie Laravel-permission package
It has a role-based permission and direct permission design (which is similar to your design). Once you have installed the package, the role and permission tables are created for you.
Once you have created the desired roles with permissions, it's easy for you to manage which page to allow for which role and which button should be shown.
You can check roles in your controller for those who can view this page.
In blade, you can check both roles and permission for which button to show or disable.
Hence, you don't need to worry about session settings or session expiry. It's better for maintenance and development in the future.
The Spatie package has a simple syntax and is easy to work with.
Installation:
composer require spatie/laravel-permission
Syntax:
Basic usage and syntax
There is plenty of information and tutorials out there.

Laravel Nova - output forms on front end?

I am building a system that uses Laravel Nova for managing resources.
There are a couple of instances where I want non-admin users to be able to create resources. The ideal solution would be to define the resource in Nova and embed Nova's own create form on the front end of the site.
Has anyone done anything similar, or have any suggestions how to go about this?
I believe you can use the same endpoints that Nova is using.
For example to get all the fields of a resource:
GET updating fields:
http://{url}/nova-api/{resource}/{id}/?editing=true&editMode=update
GET creation fields:
http://{url}/nova-api/{resource}/creation-fields?editing=true&editMode=create
After the user has filled out the fields, you can use this endpoint to save the new values:
PUT:
http://{url}/nova-api/{resource}/{id}

Laravel limiting access to route

I am trying to implement a basic image fetch system for my website. I already created a route that returns the image.
What concerns me is that I want that route to be accessible only by certain controllers.
I tried to search for it and found out Passport might be a viable option, but it's pretty complex for this app. Are there any possible options?
EDIT:
Sorry for providing insufficient information. I want the route to be accessible only by CONTROLLERS, not by anyone who enters the route url to address bar. Like using it as an api maybe.
There are several ways to achieve that: you can use middleware, you can consider using packages like Entrust, which also require you to have some knowledge about using middleware, or use Laravel Auth.
Create a table, add all the routes to that table, and then check the allowed route in the AppServiceProvider.
$routename = Request::route()->getName();
$allowed_route = AllowedRoutes::where("route","=",$routename)->count();
if($allowed_route == 0)
exit();
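
The same allow-list lookup placed in route middleware, where the matched route has already been resolved, and answering with a 403 instead of exit(). This is an added example, not part of the original answer; AllowedRoutes and its "route" column come from the answer, while the App namespace for that model and the class name EnsureRouteIsAllowed are assumptions.

```php
<?php
// Added example. AllowedRoutes and its "route" column come from the answer
// above; App\AllowedRoutes and EnsureRouteIsAllowed are assumed names.

// --- app/Http/Middleware/EnsureRouteIsAllowed.php ---
namespace App\Http\Middleware;

use App\AllowedRoutes;
use Closure;

class EnsureRouteIsAllowed
{
    public function handle($request, Closure $next)
    {
        // Middleware runs after routing, so the matched route is available here
        $route = $request->route();
        $name = $route ? $route->getName() : null;

        // Deny by default: unnamed routes and names missing from the table get a 403
        if ($name === null || ! AllowedRoutes::where('route', $name)->exists()) {
            abort(403);
        }

        return $next($request);
    }
}
```

Register the class under a key in the $routeMiddleware array of app/Http/Kernel.php and attach that key to the routes or route group it should guard.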

How to deny access to certain routes / views for users

I am trying to deny access to the 'cpanel' (admin panel) view for users other than the one with id=1 (in my case it's the admin). I was trying to achieve this with ACL, but somehow I think that this is not the most correct way.
This is what I want to do, in pseudocode:
if (isAdmin())
renderPage()
else
print "You are not allowed to view this page"
Reading documentation I found this line declared in custom Controller
$this->authorize('update', $post);
where 'update' is an ability defined elsewhere, and the $post seems to always be a model (use App\Post) that I don't know how to implement. I don't think that Laravel's documentation covers how to implement models for authorization.
How can I authorize a view? It's Laravel 5.2
