My roles are dynamic and their User's permission are also dynamic. I have two approaches to validate if the user is authorized to access the particular page.
Approach 1
class BaseController extends Controller
{
public function __construct() {
if(!\Auth::user()->IsPredefined) {
$result = $this->ValidateAuthorization();
if(!$result) {
\Auth::logout();
return redirect()->route("login");
}
}
}
private function ValidateAuthorization() {
$ActionName = \Route::getCurrentRoute()->getPath();
switch ($ActionName) {
case "ChangePassword":
$ModuleID = ModuleEnum::AccountManagemenet;
$ActionID = AccountActionEnum::ChangePassword;
return CheckUsePermissions($ModuleID, $ActionID);
}
}
private function CheckUsePermissions($ModuleID, $ActionID) {
$User = MySession::UserPermissions();
foreach($User->UserRolePermissions as $UserRolePermission) {
$CurrentActionID = $UserRolePermission->RolePermission->Permission->ActionID;
$CurrentModuleID = $UserRolePermission->RolePermission->Permission->ModuleID;
if($CurrentActionID == $ActionID && $CurrentModuleID == $ModuleID &&
$UserRolePermission->IsActive == true) {
return true;
}
}
return false;
}
}
Approach 2
Use Authorize method in Request class
public function authorize()
{
return true;
}
Confusion
If Approach 2 is good, should I create Request class for each Get, Put, Delete and POST?
Is there any better approach to validate authorization?
For Dynamic Roles I do something like this:
Let suppose I have following permissions:
Manage Users
Manage CMS
Manage Hotels
Manage Packages
Manage Roles
Now the Super Admin (who obviously has all the above permissions) can create a role, say, Hotel Manager and assign permission for only Manage Hotels.
Now for a route like:
Route::get('/admin/hotels', 'HotelsController#index')->name('admin.hotels.index');
I will put it in a Route Group with a middleware in it:
Route::group(['prefix' => '/admin/hotels', 'middleware' => ['permission:manage_hotels']], function () {
Route::get('/', 'HotelsController#index')->name('admin.hotels.index');
Route::post('/', 'HotelsController#create')->name('admin.hotels.create');
});
Then I will create a Permission middleware:
class Permission
{
public function handle($request, Closure $next, $permission)
{
//if not super admin (super admin role_id is 1)
if(auth()->user()->role_id != 1) {
//explode extra param passed to this middleware (here manage_hotels)
$permission_array = explode('_', $permission);
foreach ($permission_array as $key => $value) {
$permission_array[$key] = ucfirst($value);
}
$permission_name = implode(' ', $permission_array);
$permitted = auth()->user()->role->permissions()->where('name', $permission_name)->first();
if(! $permitted) {
return redirect()->route('admin.dashboard')->withErrors(['error' => ['message' => 'You are not allowed to perform this action.']]);
}
}
return $next($request);
}
}
Of course you'll need to wrap these routes into Admin Middleware which will ensure that user is logged in and has an admin role.
You should use middleware and use in routes
Route::group(['middleware' => ['auth', 'admin']], function () { });
Or you can use in every controller constructor
public function __construct()
{
$this->middleware('auth');
$this->middleware('admin');
}
Admin middleware like
class AdminAuthenticate
{
/**
* Handle an incoming request.
*
* #param \Illuminate\Http\Request $request
* #param \Closure $next
* #return mixed
*/
public function handle($request, Closure $next)
{
if (Auth::check()) {
if (Auth::user()->IsPredefined) {
$result = $this->ValidateAuthorization();
if(!$result) {
return redirect('/logout');
}
}
}
return $next($request);
}
}
Related
The User model has an isAdmin() function to check if the user is an administrator. What to do next?
The best way is to use default laravel LoginController located under App\Http\Controllers\Auth\LoginController.
In that controller you can override authenticated method that is injected from AuthenticatesUsers trait, by simply adding that method in LoginController:
* #param Request $request
* #param $user
*/
protected function authenticated(Request $request, $user)
{
if ($user->isAdmin()) {
return redirect(route('admin-dashboard'));
//redirect to desired place since user is admin.
}
}
Best practique is whit roles, and you add role on your Routes::middleware,
Route::group(['middleware' => ['auth', 'roles:admin']], function () {
//Your routes
});
Kernel.php
'roles' => Middleware\CheckRole::class,
Create middleware
namespace App\Http\Middleware;
use Closure;
class CheckRole
{
public function handle($request, Closure $next, ...$role)
{
if ($request->user()->hasAnyRole($role)) {
return $next($request);
}
return redirect(route('hour'));
}
}
create function on User model
public function authorizeRole($role)
{
if ($this->hasAnyRole($role)) {
return true;
}
return abort(401, 'Unauthorized.');
}
public function hasAnyRole($roles)
{
if (is_array($roles)) {
foreach ($roles as $role) {
if ($this->hasRole($role)) {
return true;
}
}
} else {
if ($this->hasRole($roles)) {
return true;
}
}
return false;
}
public function hasRole($role)
{
if ($this->role()->where('name', $role)->first()) {
return true;
}
return false;
}
public function role()
{
return $this->belongsTo('App\Role')->withDefault();
}
And Role model
<?php
namespace App;
use Illuminate\Database\Eloquent\Model;
class Role extends Model
{
public function user()
{
return $this->hasMany('App\User');
}
}
Is more code, but best way for this action
I've a User Role column on my User's table.
stands for Super Admin,
stands for other users
I've checked a lot of Laravel Tutorials and none of them has helped me about solving this issue.
I've found ways like replacing the whole Laravel's Login Controller and replacing Authenticate Users trait with ours own. I want to solve my problem with minimal code change. Is it possible?
How do I implement it with minimal code changes in this Trait method?
public function login(Request $request)
{
$this->validateLogin($request);
if (method_exists($this, 'hasTooManyLoginAttempts') &&
$this->hasTooManyLoginAttempts($request)) {
$this->fireLockoutEvent($request);
return $this->sendLockoutResponse($request);
}
if ($this->attemptLogin($request)) {
return $this->sendLoginResponse($request);
}
$this->incrementLoginAttempts($request);
return $this->sendFailedLoginResponse($request);
}
You could do something as supersimple as adding a isSuperAdmin function to the User model. After logging in you just call this function on the user whenever you need to check.
In model User.php
public function isSuperAdmin()
{
return $this->user_role == 1;
}
Then you could also make a middleware that's using this function.
php artisan make:middleware SuperAdmin
In the handle function of this middleware (app/http/middleware/SuperAdmin.php):
public function handle($request, Closure $next)
{
if (Auth::check() && Auth::user()->isSuperAdmin()) {
return $next($request);
}
return redirect('some-route-for-unauthorized-users');
}
Then in your routes (probably web.php), you can use this middleware to protect routes:
Route::group(['middleware' => ['auth', 'superadmin']], function () {
... put protected routes here ...
});
Solution
/**
* Create a new controller instance.
*
* #return void
*/
public function __construct() {
$this->middleware('guest')->except('logout');
}
protected function credentials(Request $request)
{
$credentials = $request->only($this->username(), 'password');
$credentials['role'] = '1';
return $credentials;
}
I need to download the form posted from the supervisor. I can access the page but not the form since I can't download it. It's giving me the ERR_INVALID_RESPONSE error, but the supervisor can download it easily.
Could it be something wrong with the middleware? I struggled a lot but still can't download, please if anyone might know the problem please help me.
Controller
class DutiesController extends Controller
{
public function assignSupervisor(Request $request, $id)
{
$assignS = new Duty;
$assignS->student_id = $id;
$assignS->user_id = $request->supervisor_id;
$assignS->student_name = $request->student_name;
$assignS->save();
return back();
}
public function assignInstructor(Request $request, $id)
{
$assignS = Duty::where('student_id', $id)->first();
$assignS->admin_id = $request->instructor_id;
$assignS->save();
return back();
}
public function duties($id)
{
$duty = Duty::where('student_id', $id)->orWhere('user_id', $id)->orWhere('admin_id', $id)->first();
return view('Duty.show', compact('duty'));
}
public function assign(Request $request, $id)
{
$assign = Duty::findOrfail($id);
if ($request->hasFile('duty')) {
$this->validate($request, [
'duty' => 'required|file|mimes:pdf,doc'
]);
$fileNameWithExt = $request->file('duty')->getClientOriginalName();
$fileName = pathinfo($fileNameWithExt, PATHINFO_FILENAME);
$extension = $request->file('duty')->getClientOriginalExtension();
$fileNameToStore = $fileName.'_'.time().'.'.$extension;
$path = $request->file('duty')->storeAs('public/duty', $fileNameToStore);
$assign->duty = $fileNameToStore;
}
$assign->marks = $request->marks;
$assign->save();
return back();
}
public function getduty($id) // my download function
{
$download = Duty::findOrfail($id);
return Storage::download("/public/duty/".$download->duty);
}
public function assignSupervisorInstructor()
{
$users = User::with('campus')->where('role_id', 4)->get();
$supervisors = User::with('campus')->where('role_id', 2)->get();
$instructors = Admin::where('role_id', 3)->get();
return view('Assigning.index', compact('users', 'supervisors', 'instructors'));
}
}
Routes
Route::group(['middleware' => 'auth:web,admin'], function () {
//Now this routes can be accessible by both admin as well as
Route::get('/duties/downloads/{id}', 'DutiesController#getduty');
Route::post('/duties/assign/{id}', 'DutiesController#assign');
Route::get('/duties/myduties/{id}', 'DutiesController#duties');
Route::get('/duties/mydutty/{id}', 'DuttyController#duties');
Route::post('/duties/{id}', 'DutiesController#assignSupervisor');
Route::get('/assign', 'DutiesController#assignSupervisorInstructor');
Route::post('/duties/inst/{id}', 'DutiesController#assignInstructor');
});
Blade
<td>
<a href="/duties/downloads/{{$duty->id}}">
<button class="btn btn-success"><i class="fa fa-download"></i> Dowload Document</button>
</a>
</td>
I hope this is what you mean but this is how I differentiate between user types via Middleware.
Basically creating custom middleware (I guess you can also do it via the built in functionality but I prefer this), for example:
1) The MiddleWare:
app/Http/Middleware/CheckUserType.php:
namespace App\Http\Middleware;
use Auth;
use Closure;
use App\Usergroup;
class CheckUserType
{
/**
* This middleware checks if the user is logged in as a specific type
*
* #var array
*/
public function handle($request, Closure $next, ...$userGroups)
{
if (in_array(UserGroup::where('id', Auth::user()->groupid)->first()->title, $userGroups)) {
return $next($request);
} else {
return response('Unauthorized...', 401);
}
}
}
In my case I have a usergroups table that links to the user->groupid so I use that Model to cross-reference the id to the group title I give in in my router.
But you can modify this obviously.
Also note that I do ...$userGroups so I can iterate over multiple user types if I want to in the router (see below).
2) Register in your kernel:
Then register in app/Http/Kernel.php:
add to the protected $routeMiddleware:
checkUserType' => CheckUserType::class
Make sure to include you custom middleware (use App\Http\Middleware\CheckUserType;)
3) Routes:
So then at last in my router I have for example the following:
/**
* #section Routes that require the user to be a Manager or an Administrator
*/
Route::group(['middleware' => 'checkUserType:Managers,Administrators'], function () {
//
});
or:
/**
* #section Routes that require the user to be an Administrator
*/
Route::group(['middleware' => 'check.usertype:Administrators'], function () {
// User Routes
Route::delete('/users/delete/{id}', 'UserController#deleteUser');
});
I'am using Sentinel package, for example I've created middleware PCMiddleware
public function handle($request, Closure $next)
{
$roles = array_slice(func_get_args(), 2);
foreach ($roles as $role) {
if(Sentinel::check() && Sentinel::getUser()->inRole($role)){
return $next($request);
} else {
return redirect()->route('admin.errors');
}
}
}
Route:
$route->get('dashboard', ['as' => 'dashboard', 'uses' => 'AdminController#dashboard'])->middleware('role_check:member,hrd,super-admin');
and I've created user too with role hrd, which is any user with hrd role can access dashboard but when I loggedin endup with 404 how can I be able to access /dashboard even though I only have hrd role ?
maybe like this if user has any of these 3 role then he can access the route,
In Laravel already there is a way of transferring parameters for the middlewares. You can read about it here
public function handle($request, Closure $next)
{
$roles = array_slice(func_get_args(), 2);
$status = false;
foreach ($roles as $role) {
if(Sentinel::check() && Sentinel::getUser()->inRole($role)){
$status = true;
break;
}
}
if ($status) {
return $next($request);
}
return redirect()->route('admin.errors');
}
In this example, your code will work if at least one of the passed parameters exists
I have a question about filtering a controller and its actions for multiple user roles. Lets say i have a controller named MyController :
public class MyController extends \BaseController
{
public static function index()
{
}
public static function show()
{
}
public static function create()
{
}
public static function store()
{
}
public static function other()
{
}
}
And i have 2 filters for each roles, named admin and staff :
Route::filter('admin', function()
{
// Lines of code to get role
if($role != 'admin') return View::make('errors.401');
});
Route::filter('staff', function()
{
// Lines of code to get role
if($role != 'staff') return View::make('errors.401');
});
Then, i'm trying to use beforeFilter on the constructor of MyController :
public function __construct()
{
$this->beforeFilter('admin', ['only' => ['index', 'show', 'create', 'store']]);
$this->beforeFilter('staff', ['only' => ['index', 'show']]);
}
When I added the first beforeFilter, it works as I expected (when I logged in to my application as staff, I cannot access the index, show, create, and store methods). But when I added the second filter and logged in as staff again, I cannot access the index and show actions, which is I expected to be accessible by staff.
My questions are, is it possible to define filters for multiple roles in the constructor of a controller? (In this case, I want to make action index and show accessible by admin and staff, but create and store only accessible by admin) And if it is possible, how could I achieve that?
Thanks.
First you should make a controller that should handle access control ... as below
Acl Controller
class ACLController extends \BaseController {
/**
* admin access control list
* #return array
*/
private function adminACL() {
return array(
'users' => array(
'users',
'users.show',
//similar access list for admin users
),
);
}
/**
* staff access control list
* #return array
*/
private function staffACL() {
return array(
'staff' => array(
'staff',
'staff.index',
//similar access list for staff user
),
);
}
//Method that check access of related user
/**
* check access level
* #param string $value
* #return boolean
*/
public function hasAccessLevel($value) {
$user = //get user role here
if ($user->roles == 'staff') {
return TRUE;
} elseif ($user->roles == 'admin') {
$newAcl = array();
foreach ($this->adminACL() as $aclBreak) {
foreach ($aclBreak as $acl) {
$newAcl[] = $acl;
}
}
if (!in_array($value, $newAcl)) {
return FALSE;
} else {
return TRUE;
}
} else {
$newAcl = array();
foreach ($this->staffACL() as $aclBreak) {
foreach ($aclBreak as $acl) {
$newAcl[] = $acl;
}
}
if (!in_array($value, $newAcl)) {
return FALSE;
} else {
return TRUE;
}
}
}
}
Filter the access route...
Route::filter('hasAccess',function($route,$request,$value){
try{
$Routeacl = new App\Controllers\ACLController();
if(!$acl->hasAccessLevel($value))
{
return Redirect::to('admin/dashboard')->withErrors(array(Lang::get('en.user_noaccess')));
}
}catch(\Exception $e){
echo $e->getMessage();
}
});
And then in your route just check if it has access
Route::get('/', array('as' => 'index', 'before' => 'hasAccess:index', 'uses' => 'MyController#Index'));
Happy coding :)
I assume you have Admin can access all feature, and staff can access everything except "show"
This is the controller
class MyController extends \BaseController
{
public function __construct(){
$this->beforeFilter('admin', ['only' => ['show']]);
}
public function index()
{
echo "index";
}
public function show()
{
echo "show";
}
}
See in your last post, you are using public class, I believe in PHP you will just need class, in function better don't use static.
Here is the filters.php
Route::filter('admin', function()
{
// Lines of code to get role
if($role != 'admin') return "This is only for admin";
});
In the routes.php
Route::get("/my", "MyController#index");
Route::get("/show", "MyController#show");
Then try to login as admin, you will can access "index" and "show"
Then try to login as staff, you will can access "index" but cannot access "show"
Is an admin always a staff member? If so - you could just do this:
Route::filter('staff', function()
{
// Lines of code to get role
if(($role != 'staff') && ($role != 'admin'))return View::make('errors.401');
});