Laravel how to block or secure id in route - laravel

i have custom password reset in my project where user can change his password, now how can i secure the route where the user cannot manipulate the id..does laravel has it in the middleware?
Example:http://localhost:8000/changepassword/1/edit if user attempt to changes the id parameter it will redirect to access denied page.. is this possible?

Yes it is possible
In your controller function, you can check the current/login user id and that id which you are going to get from the URL
Also for admin user you can add one condition that
if(ADMINUSER || LOGIN_USER_ID == URL_ID){
}
But I recommend that add an extra column with the random and unique string use that column instead of Id, In that case your URL will be like this
/changepassword/wcdftgHYuj346DERFD/edit
then you need to get the user on the base of random_string 'wcdftgHYuj346DERFD'

Related

Laravel - Login Fail after adding mutator on User id

I have classic user id table where the primary key is BigIncrement.
I need to hide the id value from user. So my idea is to use hashIds packages.
What I've done to mask the id is by creating mutator on id column:
public function getIdAttribute($id)
{
return Hashids::connection(User::class)->encode($id);
}
The masking working good, but problem happens when I try to login.
Seems the login session is not created.
My questions are:
Why the login is failed after creating id mutator? I assume that to create session it involve the id value
Any better way to mask the id, besides using mutator?

Laravel 5.6 Auth from two different tables

I would like to ask about logging in to Laravel but in a different way:
User information including the password but not the email will be stored in users table, while email_address will be stored in a email_addresses table with a boolean field called is_default.
So the user can have several emails, but he can log in with only one email that has the is_default is true. and he could change his default email through his profile.
So, how can I make the login process through the Auth::login() facade.
I was able to register the user by storing the information in a users table and store his email_address and is_default = true in the email_addresses table.
It can be a little tricky. Auth::login() just needs to fetch email and password, so if you can trick the model into thinking it has an email field accessible via $user->email, things will work out:
public function getEmailAttribute()
{
return DB::table('email_addresses')->whhere('default', 1)->where('user_id', $this->id)->first()->toArray()['email'];
}

Codeigniter remove specific user's session

In Codeigniter, how do I remove specific user's session?
I have set login session like below. And I want to remove specific MemId's LoggedIn(in other words, session for just one user) assuming there are about 1000 users.
$this->session->set_userdata([
'LoggedIn'=>true,'MemId'=>PrimaryKey
]);
When user logged in you are setting two session variables.One is LoggedIn and another 'MemId' which is the primary key of member.So,first retrieve the logged in user member id from database then unset it.Might work properly.
MemId is the member id of user for which you want to remove session.
$this->session->unset_userdata('MemId');

session + devise authentication

i want a authentication ,many people to login with a particular username and password at the same time and it is not good , where User A logs in with username = sammy and password = sammy123, User B cannot login with the same username = sammy and in one session password = sammy123 while I am still logged into an application...,i am using ruby 1.8.7 and devise gem for authentication, rails 2
1.add a column(flag) in table mdl_user store a 'false' value when user create new account .
2.Make a function which accept three value table name,flag field and username(which user enter) .this function return the value of flag field (true or false) .This function call if the user exist in database.
2.1 if 'false' returned then allow to login user and insert value into flag field 'true'.
2.2 if 'true'retuned then do not allow to login and print the message below the username and password field "This user already logged".Do not insert any value in database.
2.3 Now when sign out user then insert into flag field value 'flase'.
3.User allow to login only when flag field value 'false'.
better use this link http://www.gotealeaf.com/blog/how-to-use-devise-in-rails-for-authentication and check the version of devise gem you had used in your application.

Altering breeze query string in the controller before being processed

Scenario: my app runs queries where the user id is used in many cases to filter what data the user can see. The user id is an integer. I don't want the user to be able to simply alter the query string and change the user ID parm to another # (and essentially assume another user's identity). Through our authentication process, each request to the server includes a security token in the header, which was returned to the client when they logged in. During the auth process, this token is stored on the server and is mapped to the user's user id.
What I would like to do is pull the token out of the header, do a lookup and get the user ID that is mapped to the token value (got that working), and then alter the query string to add the user ID.
So a request may come in as
http://localhost/api/app/customerlist
And after I get the user id, it may look like this
http://localhost/api/app/customerlist?$filter=userid%20eq%1234
And then continue on.
This is a simple scenario but illustrates my goal. I am not able to add surrogate keys to the database and use a GUID or some other value as my filter column. Pretty much stuck with the structure.
Thanks
On the server side you can add any filters directly to whatever IQueryable is returned. If you use the Authorize attribute you can also access the user data via the "User" variable.
[BreezeController]
[Authorize]
public class NorthwindIBModelController : ApiController {
[HttpGet]
public IQueryable<Customer> CustomerList() {
var userName = User.Identity.Name;
var filter = filter on customers;
var custs = ContextProvider.Context.Customers.Where({ some filter using userName});
}
}
Also see:
Passing username to Web Api methods in ASP.NET MVC 4
Take a look at the EntityQuery.withParameters method. With it from the client you can take any query and add your user id filter to it. Something like
myQuery = myQuery.withParameters( { userId: 1234});
myEntityManager.executeQuery(myQuery).then(...);
Or am I missing something.

Resources