So I have the route lsapp.test/firms/1 which isn't available if you are not logged in.
But if I go to that route without being logged in is redirecting me to the login.After I log in it redirects me back to lsapp.test/firms/1, not the dashboard, and I get an error.
I've changed $redirectTo in the controllers to /dashboard but still isn't working.
If I go to /login and login it works.
How I can fix this?
public function __construct()
{
$this->middleware('auth');
}
public function show($id)
{
$employes = Firm::find($id)->employes()->paginate(5);
return view('firms.show')->with("employes", $employes);
}
Error: Call to a member function employes() on null.
The findOrFail methods will retrieve the first result of the query; however, if no result is found, a Illuminate\Database\Eloquent\ModelNotFoundException will be thrown.
If the exception is not caught, a 404 HTTP response is automatically sent back to the user. It is not necessary to write explicit checks to return 404 responses when using these methods.
public function show($id)
{
$employes = Firm::findOrFail($id)->employes()->paginate(5);
return view('firms.show')->with("employes", $employes);
}
Related
Do I get a 422 HTTP code even though I am logged in?
From my blade I send an XHR post request. In the route I use the auth middleware. This works. This means you have to be logged in to send the post.
web.php
Route::post('/posts', [PostController::class, 'store'])->middleware(['web', 'auth'])->name('posts.store');
Now I created my own request class to validate the sent data.
PostStoreRequest authorise method
public function authorize()
{
return false;
}
Since I use my own custom request class I get this error message even though I am logged in:
This action is unauthorized.", exception: "Symfony\\Component\\\HttpKernel\\Exception\\AccessDeniedHttpException
I wonder why this is?
You have to check in the authorize() method if the user is authorised for this action. If you have a role system right you can implement this here. For example, only users with the Writer role are allowed to create a post. If you don't have that and you just allow everyone who is logged in, then change the return to true or return auth()->check().
Example without role system:
public function authorize()
{
return true;
// or
return auth()->check();
}
With role System:
public function authorize()
{
return auth()->user()?->isWriter();
}
Important Note: Thank to #matiaslauriti && #Tpojka for the right advice / good review.
Googled and tried for hours now, i need help. Laravel 9.x here.
I use ajax calls which are handled by controllers.
Before the controller handles them, i need to check if the user has indeed access to the administration the user is requesting data for.
The problem is the return false in the middleware class. How can i return a response to the browser without executing any method inside the requested controller class?
The middleware i'm using:
namespace App\Http\Middleware;
use Closure;
class CheckUserAccessToAdministration {
public function handle($request, Closure $next)
{
// Check if the user has access rights to the requested administration
$allowedAdministrations = $request->session()->get('allowed_administrations');
$administration = $request->adm;
if(!in_array($administration, $allowedAdministrations)){
// the idea is that i stop execution of the call, not execute controller method
and just return a message to the browser. i use return false atm, but that isn't right,
i think.
return false;
}
return $next($request);
} }
I'm using Laravel Policy and checking for permissions created using Spatie's Laravel-Permissions package.
For an API call with client credentials, the authorizeResource() in the Controller constructor returns 403. If this is removed, it returns the expected results.
NpoPolicy.php
public function view(User $user, Npo $npo)
{
return $user->can('npo.view');
}
NpoController.php
public function __construct()
{
$this->authorizeResource(Npo::class);
}
api.php
Route::middleware('client')->resource('/npo', 'NpoController');
API Request
URL: https://my-app.dev/api/npo/1
Method: GET
When I comment out the authorizeResource method in the controller constructor, I get the result as expected:
{
"npos": {
"id":1,
"name":"Bailey and Sons",
"contact_person_name":"Mr. Davion Mayert",
"created_at":"2019-06-13 17:39:25",
"updated_at":"2019-06-13 17:39:25"
}
}
I'm aware that a Laravel policy requires a User model object and that is why the policy is returning 403 response in my case. Is there a general practice to handle API requests (with client credentials) in these cases?
You have missed the second parameter at authorizeResource function so, at the NpoController.php change the authorizeResource to:
$this->authorizeResource(Npo::class, 'npo');
I'm trying specify which functions are able to each user but the problem is when I pass more than one authenticated user to middleware in my controller.
Here are my controller. I'm trying allow just one method for the users but at that piece of code, the second line don't work out. Just show a response for not authorized (401).
public function __construct()
{
$this->middleware('auth:admin');
$this->middleware('auth:web')->only('listAll');
}
Someone have some idea how to solve it ?
I tried use:
public function __construct()
{
$this->middleware('auth:admin')->except('listAll');
$this->middleware('auth:web')->only('listAll');
}
Works but it means that will be allowed for all users...
My CI website has csrf protection.
$config['csrf_protection'] = TRUE;
So, when I resubmit form by refresh I am getting the following error.
The action you have requested is not allowed
Instead of showing this message, I want it to return to last page.
So, I try to override csrf_show_error() method by extending the CI_Security file.
This is my class located in application/core/My_Security.php
class MY_Security extends CI_Security {
public function __construct()
{
parent::__construct();
$this->load->library('user_agent');
}
public function csrf_show_error()
{
// show_error('The action you have requested is not allowed.'); // default code
// force page "refresh" - redirect back to itself
// a page refresh restores the CSRF cookie
if ($this->agent->is_referral())
{
redirect(site_url());
} else {
redirect($_SERVER['HTTP_REFERER']);
}
}
}
I am getting the following error
Call to a member function library() on a non-object
Insted of changing the core classes, I extended the MY_Securtiy class in core folder of application. and redirecting to past page.
File Location: application\core\MY_Security.php
class MY_Security extends CI_Security {
public function __construct()
{
parent::__construct();
}
public function csrf_show_error()
{
header('Location: ' . htmlspecialchars($_SERVER['REQUEST_URI']), TRUE, 200);
}
}
Thanks for your solution, but it seems better with a return code 302 by changing the request type of the new request to GET, regardless of the type employed in the original request (e.g. POST). The next refresh will not ask any question.