I have used two kinds of code which check whether the user is logged in (a registered user, not a guest) or not.
The following are the two source codes.
(1)
// getCustomer() returns a customer model object even for a guest (an empty one), so only the id check below carries information
$customer   = Mage::getSingleton('customer/session')->getCustomer();
$customerId = Mage::getModel('customer/session')->getCustomerId();
if (!$customer || !$customerId) {
    // user is logged out
} else {
    // user is logged in
}
(2)
if (!Mage::getSingleton('customer/session')->isLoggedIn()) {
    // user is NOT logged in (this is the negated branch)
}
I want to know whether both source codes are doing the same thing.
Are both codes certainly checking only whether a registered customer is logged in or not?
Because I want to reject unregistered (guest) users from accessing the next block.
This is the correct method to check whether the customer is logged in or not.
if (!Mage::getSingleton('customer/session')->isLoggedIn()) {
    // user is NOT logged in (this is the negated branch)
}
The above code is Magento's inbuilt function to check whether the customer is logged in or not.
But the below code is used to get the logged-in customer's id.
$customerId = Mage::getModel('customer/session')->getCustomerId();
If the customer is logged in then it will return the customer id, otherwise it returns null. So don't use this to check whether the customer is logged in.
I am using the Laravel framework to develop APIs for an existing application. There is a requirement: if more than 5 users are registered, then from the 6th user onwards I have to restrict them from using the application until they are approved by a manager or they have paid the registration fee; only then is the user allowed to use the application.
Can anyone give me an idea of how to achieve this scenario, or suggest a package in Laravel?
Solution:
You can add a 'status' field to your table. Now, when your API is registering a user, you can check the number of users in the database. If it is more than or equal to 5, you can set the status to 0. Now show the manager the list of users with status 0, and when the status changes the user can use the application.
Make sure to add the condition where status = 1 when the user is logging in.
I hope it helps!
Well, you can just add an isApproved column to indicate if the user is already approved, or, just like email_verified_at, a column that accepts a timestamp as a value. Then create a middleware where you check if the user is approved or not, and add a method to the User model to check if the user is approved:
User model
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    public function isApproved()
    {
        // check if the account_approved_at column is not null.
        return ! is_null($this->account_approved_at);
    }
}
Middleware
use Closure;
use Illuminate\Http\Request;

class EnsureUserIsApproved
{
    // Register this after the auth middleware, so $request->user() is never null here
    public function handle(Request $request, Closure $next)
    {
        if (! $request->user()->isApproved()) {
            // can also use abort(403) instead of redirect
            return redirect('route-where-you-want-the-user-to-redirect');
        }
        return $next($request);
    }
}
You can check this for more information about middleware.
I have created a few forms in Laravel. I want to restrict access to one of them to a specific user only.
I want to create the user and password myself.
This is my routes excerpt. This is the route I want to protect from access:
Route::get('/tabledata_id_title', 'KedivimController@appearanceiddata');
This is my controller excerpt:
public function appearanceiddata()
{
    //$magic = DB::table('prog_title')->select('pr_id', 'pr_title')->get();
    $magic = DB::table('prog_title')->select('pr_id', 'pr_title')->where('pr_index', '=', 1)->get();
    return view('takealook', ['magical' => $magic]);
}
This is a short fix for your problem.
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;

public function appearanceiddata()
{
    if (!Auth::guard('web')->check()) { // check if someone is logged in
        // redirect to login page.
        return redirect('login');
    }

    /* Check if the logged in user is your desired user.
       Maybe try matching the logged in id with your desired id.
       If you find that a user is logged in but they are not your desired user
       then you may redirect them somewhere else or show them a message. */
    $allowedUserId = 1; // placeholder: the id of the one user who may open this page
    if (Auth::id() !== $allowedUserId) {
        abort(403);
    }

    //$magic = DB::table('prog_title')->select('pr_id', 'pr_title')->get();
    $magic = DB::table('prog_title')->select('pr_id', 'pr_title')->where('pr_index', '=', 1)->get();
    return view('takealook', ['magical' => $magic]);
}
However, this practice is OK if you have one or two restricted fields. But if you have more than that, then you should read about middleware.
I have a web app I'm working on. Users can create patients, which have a unique id. The problem I have is that when another user logs in, he can easily access patients not assigned to him by simply inputting their id in the URL. Please, how do I solve this? Here's a sample of my route for the user to view his patient:
Route::get('patients/{patient}/view', 'Portal\PatientController@viewPatient');
and in the PatientController:
public function viewPatient($patient)
{
    $patient = Patient::where('id', $patient)->first();
    return view('portal.patient', compact('patient'));
}
Please, what am I doing wrong?
You can use policies for that:
Policies are classes that organize authorization logic around a particular model or resource. For example, if your application is a blog, you may have a Post model and a corresponding PostPolicy to authorize user actions such as creating or updating posts.
Or gates:
Gates are Closures that determine if a user is authorized to perform a given action
I'd use policies, but you can also manually check if a user can view a page with something like:
if (auth()->id() !== (int) $patient) { // route parameters arrive as strings, so cast before the strict comparison
    return redirect('/')->with('message', 'You can not view this page');
}
You could also keep a GET route to access this page without inputting the id. For example, if you want to obtain patients only for the currently logged-in user:
web.php:
Route::get('patients/view', 'Portal\PatientController@viewPatient');
PatientController:
public function viewPatient()
{
    $id = auth()->id();
    $patient = Patient::where('id', $id)->first();
    return view('portal.patient', compact('patient'));
}
Keep in mind that this will work only with an authenticated user.
If your database table structure is like this
Patients
--------
id       // Unique ID of patient
user_id  // User that created the patient
Then you can do the check in the controller like:
public function viewPatient($patient)
{
    // Scope the lookup to the current user: a patient owned by someone else is simply not found
    $patient_check = Patient::where('id', $patient)->where('user_id', '=', Auth::user()->id)->first();
    if ($patient_check === null) {
        return "You cannot view this patient";
    } else {
        return view('portal.patient', ['patient' => $patient_check]);
    }
}
This is simple and yet does the work.
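The ownership rule from the two answers above (policies, or scoping the query to the current user) written as a Laravel policy, as an added example that is not code from either answer. It assumes Laravel 8+ conventions (App\Models namespace, policy auto-discovery), a Patient model with the user_id column described above, and the route/controller names from the question.

```php
<?php
// Added example: a policy holds the "only the creating user may view a patient"
// rule in one place; the controller and route below are assumed to follow
// current Laravel conventions (App\Models, policy auto-discovery).

// app/Policies/PatientPolicy.php
namespace App\Policies;

use App\Models\Patient;
use App\Models\User;

class PatientPolicy
{
    // Compare against the owner recorded in the row, never against the id
    // the client typed into the URL: changing {patient} gains nothing.
    public function view(User $user, Patient $patient): bool
    {
        return (int) $user->id === (int) $patient->user_id;
    }
}

// app/Http/Controllers/Portal/PatientController.php
namespace App\Http\Controllers\Portal;

use App\Http\Controllers\Controller;
use App\Models\Patient;

class PatientController extends Controller
{
    // Route-model binding loads the Patient (404 for an unknown id);
    // authorize() throws an AuthorizationException (403) when the policy denies.
    public function viewPatient(Patient $patient)
    {
        $this->authorize('view', $patient);

        return view('portal.patient', compact('patient'));
    }
}

// routes/web.php: the auth middleware guarantees a user exists before the
// policy runs, so guests are sent to login instead of receiving a 403.
use App\Http\Controllers\Portal\PatientController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->get('patients/{patient}/view', [PatientController::class, 'viewPatient']);
```

The same policy method is reused anywhere else the patient is shown or edited (`@can('view', $patient)` in Blade, `authorize('update', ...)` in an update action), so the check cannot drift between pages.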
I am new to ION-Auth. I want to make a unique admin panel login form where only admins can log in (no other user groups are allowed to log in here), and one unique login form for the employee group where only employees can log in.
Let's say Group A is the Admin.
In the Group A controller, allow everyone to log in first so you are able to check which group that user belongs to.
Right after logging in, check if the user is an admin so he can access the Group A panel. You can check if the current user is an admin by calling the is_admin method:
if ($this->ion_auth->login($email, $password, $remember))
{
    // It means the user has logged in. He has the correct user/pass
    // Check if he is an admin
    if (!$this->ion_auth->is_admin())
    {
        // Log out if not
        $this->ion_auth->logout();
    }
    else
    {
        // Allow the access to the Group A pages
    }
}
else
{
    // Show the form again
}
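The answer covers the admin form; the question also asks for an employee-only form. The added example below (not code from the answer) generalizes the same login-then-verify-group pattern so both forms share one handler. It assumes ION-Auth groups named 'admin' and 'employee', views named auth/login_admin and auth/login_employee, and placeholder landing URLs.

```php
<?php
// application/controllers/Portal_login.php (added example, not from the answer above)
// Assumes ION-Auth groups 'admin' and 'employee' and the view/URL names used here.
class Portal_login extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('ion_auth');
        $this->load->helper('url');
    }

    // /portal_login/admin : only members of the 'admin' group keep a session
    public function admin()
    {
        $this->login_for_group('admin', 'admin/dashboard');
    }

    // /portal_login/employee : only members of the 'employee' group keep a session
    public function employee()
    {
        $this->login_for_group('employee', 'employee/home');
    }

    private function login_for_group($group, $landing)
    {
        $identity = $this->input->post('identity');
        $password = $this->input->post('password');
        $remember = (bool) $this->input->post('remember');
        $view     = 'auth/login_' . $group;

        // No POST yet, or wrong credentials: show this group's form again.
        if ($identity === NULL || !$this->ion_auth->login($identity, $password, $remember)) {
            $this->load->view($view, array('message' => $this->ion_auth->errors()));
            return;
        }

        // Credentials were right, but the session must not survive unless the
        // account is in the group this form is for; logout() discards it.
        if (!$this->ion_auth->in_group($group)) {
            $this->ion_auth->logout();
            $this->load->view($view, array('message' => 'This login is for ' . $group . ' accounts only.'));
            return;
        }

        redirect($landing);
    }
}
```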
I am developing a system whereby a user is a member of a Client account. There are 5 or 6 clients, and each client has a number of users. When a user logs in, the site is styled to the client they are a member of.
I have a function "view_campaign":
function view_campaign($campaignID = FALSE) {
    $this->load->model('client_model');
    $this->load->model('campaign_model');
    $data['main_content'] = 'campaign_overview';
    $this->load->view('includes/template', $data);
}
So in the URL, for example, we have .../campaign/view_campaign/21. This will mean that the user gets to their campaign which has an ID of 21.
But how can I make it secure, i.e. so that users that are members of another client can't view the campaign? They could just change the URL and view campaigns related to other clients...
Thanks
Quite a broad question, I'm not sure what your database structure is but you want to do something like...
When the user first logs in you want to save their user ID and their client ID in a session. Then you want to have a function in your campaign model that gets the client ID a campaign belongs to.
Your view_campaign function would look something like
function view_campaign($campaignID = FALSE) {
    $this->load->model('client_model');
    $this->load->model('campaign_model');
    // Get the user ID and client ID from a session or something
    $userId   = $this->session->userdata('userId');
    $clientId = $this->session->userdata('clientId');
    // Call a function in your model to see if the user belongs to the client
    $campaignClientId = $this->campaign_model->getClient($campaignID);
    // If the client ID the campaign belongs to matches the client ID the user
    // belongs to then they can view it
    // (session data and query results may be strings or ints; cast before the strict
    // comparison, and reject NULL first so a missing session never matches a missing campaign)
    if ($clientId !== NULL && $campaignClientId !== NULL && (int) $campaignClientId === (int) $clientId) {
        $data['main_content'] = 'campaign_overview';
        $this->load->view('includes/template', $data);
    } else {
        // Redirect to another page
    }
}
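The campaign_model->getClient() the answer refers to, written out for CodeIgniter 3, as an added example that is not code from the answer. It also shows a variant that folds the client check into the query itself, so a foreign campaign is simply "not found". It assumes a campaigns table with id and client_id columns and the session keys used in the answer.

```php
<?php
// Added example (not from the answer above), CodeIgniter 3. Assumes a `campaigns`
// table with `id` and `client_id` columns and the session keys used in the answer.

// application/models/Campaign_model.php
class Campaign_model extends CI_Model
{
    // Client id that owns the campaign, or NULL when no such campaign exists.
    public function getClient($campaignID)
    {
        $row = $this->db->select('client_id')
                        ->get_where('campaigns', array('id' => (int) $campaignID))
                        ->row();
        return $row ? (int) $row->client_id : NULL;
    }

    // Ownership as part of the lookup: another client's campaign is "not found",
    // so there is no separate compare step that a later edit can forget.
    public function getForClient($campaignID, $clientId)
    {
        return $this->db->get_where('campaigns', array(
            'id'        => (int) $campaignID,
            'client_id' => (int) $clientId,
        ))->row();
    }
}

// application/controllers/Campaign.php
class Campaign extends CI_Controller
{
    public function view_campaign($campaignID = FALSE)
    {
        $this->load->model('campaign_model');
        $this->load->helper('url');

        $clientId = $this->session->userdata('clientId');
        if ($campaignID === FALSE || $clientId === NULL) {
            redirect('auth/login');   // not logged in (or no id given)
        }

        $campaign = $this->campaign_model->getForClient($campaignID, $clientId);
        if ($campaign === NULL) {
            show_404();               // same reply for missing and foreign campaigns
        }

        $data['main_content'] = 'campaign_overview';
        $data['campaign']     = $campaign;
        $this->load->view('includes/template', $data);
    }
}
```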