There is a table users in my website and a user is allowed to update a user if it is admin or it is his/her account. I can put this rule inside a middleware and impose it on the route but I want to create separate middlewares and OR among them. Can I do that?
The following code
Route::group(['middleware' => ['admin','Owner']],
function () {
Route::resource('roles', 'RoleController');
Route::resource('locations', 'LocationController');
Route::resource('recipients', 'RecipientController');
Route::resource('classifications', 'ClassificationController');
});
has AND behavior. I think it is possible to do this using some if ... else ... statement inside the web.php or the UserController but I need to know if there is any other way out.
Thanks in advance
update
Here is Owner middleware
class OwnerMiddleware
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next, $id)
{
if(Auth::guest())
return abort(403, 'Access Denied');
if(Auth::user()->id != $id)
return abort(403, 'Access Denied');
return $next($request);
}
}
Then I pass the $id parameter to it.
There really isn't an "OR" for middleware. It either acts or passes. You have to expand the current middleware to check ownership or permission to edit.
However, I'd recommend using a policy with middleware to resolve this:
See: https://laravel.com/docs/master/authorization#via-middleware
Related
I have created a Middleware to check if users with google2fa_enabled = 1 have a google2fa_secret and when they don't, they need to create one.
In the Middleware, I have defined the handle function with an if-statement and when true, it redirects the user to /2fa/create. It didn't work, so I made the if-statement like if(true), but the user is not being redirected. When I replace the return statement after that with return redirect('/2fa/create'), it does redirect, so the middleware is used (also confirmed with the Laravel debugbar)
The Middleware itself:
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Support\Facades\Auth;
class checkTwoFactor
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if(true){
redirect('/2fa/create');
}
return $next($request);
}
}
And the routes:
Route::get('/', function () {
return view('layouts/master');
})->middleware(['auth', 'check2fa']);
I expect the user to be redirected to /2fa/create at all times (and later on, if user is logged in, has google2fa_enabled = 1 & google2fa_secret == "")
Oops, I found the mistake already.
I need a return statement in that if-statement to work, so redirect() had to be return redirect()
Laravel 5
How to give user access to specific route when certain conditions are met?
For example let user access
Route::get(view('posts/{id}'),'PostsController#show');
when user has over 100 points in his user->points column.
You can use Middleware for this,In Laravel it is very easy to secure your routes by creating your own middlewares.
The following steps are required to do this:
run command php artisan make:middleware Middlewarename and you'll find your middleware inside app/Http/Middleware/yourcustomemiddleware.php
Register your middleware in app/Http/kernel.php file which you just created
Now implement logic in middleware you just created:
YourMiddlewareClassCode:
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (Auth::user()->points >= 100)
{
return $next($request);
}
return redirect()->back()->with('flash_message','you are not allowed to access this');
}
Attach middleware to your route:
routes/web.php:
Route::get(view('posts/{id}'),'PostsController#show')->middleware('yourcustommiddleware');
All done now your route is secured.
Summary: this statement return $next($request); in middleware will return the route when condition is matched else it will redirect to the previous route.
Note: I don't know your db structure and also this is just an example to show you that what is middleware and how it works and how you can use it.
I want to update the user table field on each request if the user is authorized. I have not encountered such a task before. I tried to write on the AppServiceProvider.php file:
public function boot()
{
if(Auth::id()) {
$user = User::find(Auth::id());
$user->updated_at = Carbon::now()->setTimezone("America/Los_Angeles");
$user->save();
}
}
But in this case I could not take access to the authorized user.
Can I get access to the service provider to an authorized user?
Or solve this problem with creating middleware?
Note: I am doing this task to find out the time of the user's last activity.
Is the solution found right? Is there a load on the server?
by creating a new middleware try this one
php artisan make:middleware UserActivityUpdateMiddleware
UserActivityUpdateMiddleware
<?php
namespace App\Http\Middleware;
use Closure;
class UserActivityUpdateMiddleware
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if(Auth::User()) {
$user = User::find(Auth::user()->id);
$user->updated_at = Carbon::now()->setTimezone("America/Los_Angeles");
$user->save();
}
return $next($request);
}
}
I have problem that using multiple parameters in my Route::middleware isn't working for me. I am trying to assign a specific route only accessible for a superuser and admin role.
When I just use:
role:superuser
it works fine, but when I add a second parameter like:
role:superuser,admin
it fails when I assign myself the admin role but still works for the superuser role.
I am confused so any help would be appreciated!
Here is my RoleMiddleware:
namespace App\Http\Middleware;
use Closure;
class RoleMiddleware
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #param string $roles
* #return mixed
*/
public function handle($request, Closure $next, ...$roles)
{
$user = $request->user();
if ($user && $user->isSuperuser($roles)) {
return $next($request);
}
return redirect('/home')->withError('U heeft niet de juiste rechten!');
}
}
Here is my isSuperuser method in my User model:
public function isSuperuser(...$roles)
{
if ($roles) {
return $this->roles == $roles;
}
return $this->roles;
}
Last but not least my routes/web code for the middleware:
Route::get('/users', 'UsersController#index')->middleware(['role:superuser,admin']);
Btw: the method is called 'isSuperuser' but that's just a name. It also has to accept the admin role at some point.
use | instead of , like this:
Route::get('/users', 'UsersController#index')->middleware(['role:superuser|admin']);
I'm quite new to Laravel and have been stumped on a problem for 2 days - I'd be grateful for some guidance.
I'm using the default out-of-the-box User authentication system with Laravel 5.3. A new user is created automatically behind the scenes by an existing Admin user - I will in time hide the user registration page. I have also successfully set up middleware to check if a user is newly registered (by looking for a null 'last_logged_in_date' that I've added to the migration).
All I want to happen is for a new registered user to be redirected to the password reset screen that ships with Laravel (again, in time I will create a dedicated page). I would like this to happen within the middleware file. So far, my middleware looks like this:
<?php
namespace App\Http\Middleware;
use Closure;
use App\Http\Controllers\Auth;
class CheckIfNewUser
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
$user = $request->user();
if (! is_null($user->last_logged_in_date )) {
return $next($request);
}
// This is where I'm stuck!!!
}
}
I'm not sure what code to enter at the location indicated by the comments above. I've tried sendResetLinkEmail($request); etc and have imported what I though were the correct classes but I always end up with a Call to undefined function App\Http\Middleware\sendResetLinkEmail() message irregardless of what I 'use' at the top of my class.
Where am I going wrong? Thanks!
Well that happens because you have not defined your sendResetLinkEmail($request) function yet. You can do it like this, or you can create a new class with that and then call the class.
Call the trait SendsPasswordResetEmails and then access it with $this since traits are not classes and you cannot access their members directly.
<?php
namespace App\Http\Middleware;
use Closure;
use App\Http\Controllers\Auth;
use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
class CheckIfNewUser
{
use SendsPasswordResetEmails;
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
$user = $request->user();
if (! is_null($user->last_logged_in_date )) {
return $next($request);
}
// This is where I'm stuck!!!
//EDIT
//return $this->SendsPasswordResetEmails->sendResetLinkEmail($request);
return $this->sendResetLinkEmail($request);
}
}