I need to grant the ability of new user creation to admin only. Intuitively, I've tried to restrict access to the getRegister and postRegister actions (which are located in AuthenticatesAndRegistersUsers trait used in AuthController) using Entrust middleware in the AuthController, but this doesn't seem to have any effect whatsoever - the registration page is still accessible by guest users. Here is the corresponding code:
// AuthController
public function __construct()
{
$this->middleware($this->guestMiddleware(), ['except' => 'logout']);
// CUSTOM MODIFICATIONS
$this->middleware('role:admin', ['only' => ['getRegister', 'postRegister']]);
}
What am I doing wrong?
You need to add middleware in your route like this.
Route::get('register', ['middleware' => 'role:admin','as' => 'register', 'uses' => 'LoginController#getRegister']);
Related
I want to create dynamic prefix name according to logged user role name like for a same route group
if admin is login in admin panel then
url like :
http://localhost:8000/admin/dashboard
And, if dealer is login in admin panel :
http://localhost:8000/dealer/dashboard
my route group is
Route::group(['prefix' => 'admin', 'as' => 'admin.', 'namespace' => 'Admin', 'middleware' => ['auth', 'verified', 'preventBackHistory']], function () {
Route::get('/dashboard', 'HomeController#index')->name('home');
});
Basically My route group is same for admin & dealer
when i want different prefix according to user role when user is successfully login
It is a normal php file, so you may just add
if(...){ // if admin
$prefix = 'admin';
}else{ // if dealer
$prefix = 'dealer';
}
before your routes, and in your routes:
Route::group(['prefix' => $prefix, 'as' => $prefix.'.', 'namespace' => ucwords($prefix), 'middleware' => ['auth', 'verified', 'preventBackHistory']], function () {
Route::get('/dashboard', 'HomeController#index')->name('home');
});
Note: This is making a few assumptions about what you are doing.
You are not going to have access to the information about the current user until after the routes have been registered. The session has not started until after the request has been dispatched to a route and passes through the Middleware stack which will start the session. This is an idea of how to achieve that in a way that makes sense for the order of events.
You should setup the route group with a dynamic prefix:
Route::group(['prefix' => '{roleBased}', 'as' => 'admin.', 'namespace' => 'Admin', 'middleware' => ['auth', 'verified', 'dealWithPrefix', 'preventBackHistory']], function () {
Route::get('/dashboard', 'HomeController#index')->name('home');
});
Then in the RouteServiceProvider you will be adding a constraint for the prefix, parameter roleBased, to only allow it to be admin or client:
public function boot()
{
// restrict the prefix to only be 'admin' or 'dealer'
\Route::pattern('roleBased', 'admin|dealer');
parent::boot();
}
Now you will have to create a middleware to deal with getting the information of the current user to set a default for this prefix so that any URLs you generate to these routes will have this prefix and you don't have to pass a parameter for it. We will also remove the prefix parameter from the route so it does not get passed to your actions:
public function handle($request, $next)
{
$role = $request->user()->role; // hopefully 'admin' | 'client'
// setting the default for this parameter for the current user's role
\URL::defaults([
'roleBased' => $role
]);
// to stop the router from passing this parameter to the actions
$request->route()->forgetParameter('roleBased');
return $next($request);
}
Register this middleware in your kernel as dealWithPrefix. Note in the route group above this middleware was added to the list of middleware.
If you need to generate URLs to any routes in that group, and the current request isn't one of the routes in that group, you will be required to pass a parameter for this prefix when generating the URL:
route('admin.home', ['roleBased' => ...]);
If the request is currently for one of the routes in that group you will not need to add this parameter:
route('admin.home');
Note: This middleware could be applied in a wider way but you would need to know what default you want to use for this parameter if someone wasn't logged in. This is also assuming you may have more than just 1 route in that route group. If it is only that one single route then this can probably be adjusted slightly.
I am trying to code a login function for my api that takes a username and password then give you a password grant token to make api requests. The login route when called gives you
{
"message": "Unauthenticated."
}
I am using passport on laravel to do secure the api. Why am I getting a 401 when the route does not have the auth:api middleware? I tried using a clousure to see if I get could get a response and the closure did not give me an error.
Route::group(['prefix' => '/v1', 'middleware' => ['auth:api'], 'namespace' => 'Api\V1', 'as' => 'api.'], function () {
Route::post('/post/like','PostLikeController#store');
});
Route::group(['prefix' => '/v1', 'namespace' => 'Api\V1', 'as' => 'api.'], function () {
Route::post('login', 'Auth\LoginController#login');
});
Does your login controller have a constructor? sometimes middleware is set in there?
Otherwise I've also had issues with having the middleware routes above the public ones.
Try putting the public routes in the file first and also checking the LoginController.php for a constructor which might be setting a middleware
It possibly due to the same prefixes, as it does not overriding but instead stacking on top of each other.
I suggest for your login route, possibly, you can use this
Route::post('login', 'Auth\LoginController#login')->withoutMiddleware([FooMiddleware::class]);
If it's still does not help try putting your login route above the middlewared route.
I have created an extra middleware admin and I want to protect my routes. Adding one single middleware 'auth' or 'auth:admin' is working.
Route::get('/calendar', function () {
return view('app', ['data' => []);
})->middleware('auth');
But I want that as an admin you can also access the user routes but this is not working. If I try the following, and I log in as an admin I get redirected to the login page all the time.
Route::get('/information', ['middleware' => ['auth', 'auth:admin'], function () {
return view('app', ['data' => ['auth' => Auth::check()]]);
}]);
But if I change ['auth', 'auth:admin'] to ['auth:admin','auth'] it is working for admin but not for user. So it seems that only the first element of my middleware in array is being recognized. Does anybody have any idea why my multiple middlewares are working seperate but not together? Any help is appreciated
If you are trying to allow multiple 'guards' to be checked for a route you can pass multiple guards as parameters to the Authenticate middleware, auth.
auth:web,admin (assuming web is your default guard).
This will try to resolve a user (Authenticatable) from each guard passed in. If any guard returns a user (Authenticatable) you pass through authenticated. If not you are a guest.
If you set the middleware auth and auth:admin those are 2 separate 'middleware' in the stack that are unrelated.
Route::get('/information', ['middleware' => ['auth', 'auth:admin'],function () {
return view('app', ['data' => ['auth' => Auth::check()]]);
}]);
in this code. ['auth', 'auth:admin'] that's mean you need to login default guard and admin guard. if you need only login admin guard, ['auth:admin']
I made the files for authentication using the command
php artisan make:auth
I've read on the internet that register, login, as well as logout should work properly, but localhost:8080/logout doesn't work, and I don't know why.
I also read something about modifying AuthController in app, but I do not have that file.
I tried to do it by hand, which means I created a middleware LogoutRedirect:
public function handle($request, Closure $next)
{
return redirect(pages.logout);
}
In the routes I added
use App\Http\Middleware\LogoutRedirect;
Route::get('logout', function()
{
return view('pages.logout');
})->middleware(LogoutRedirect::class);
And logout.blade.php looks like
{{ Auth::logout() }}
I get the error (when trying to access localhost:8080/logout)
Use of undefined constant pages - assumed 'pages'
What could I do about it?
EDIT
I tried another approach (but with no better results):
renamed the route which redirects to '/' to 'home'
made a LogoutController in app/http/Controllers/Auth
namespace App\Http\Controllers;
use [...]
class LogoutController extends Controller
{
public function logout() {
Auth::logout();
return Redirect::route('home');
}
}
made the route
Route::post('logout', array(
'as' => 'account-sign-out',
'uses' => 'Auth\LogoutController#logout'
));
The error I get is
MethodNotAllowedHttpException in RouteCollection.php line 233:
That's the same error I get when I try to use the default logout defined in auth
You are trying to access the logout page with GET. But this doesn't work because your logout route is a post route.
Change
Route::post('logout', array(
'as' => 'account-sign-out',
'uses' => 'Auth\LogoutController#logout'
));
by
Route::get('logout', [
'as' => 'account-sign-out',
'uses' => 'Auth\LogoutController#logout'
]);
When you go to the /logout route with the method GET(The default when you go to a page) it should work.
I have a working password reset process with the following routes:
Route::group(['middleware' => [], 'namespace' => 'Auth'], function () {
Route::get('/password/reset/{token?}', ['as' => 'site.password.showResetForm', 'uses' => 'PasswordController#showResetForm']);
Route::post('/password/email', ['as' => 'site.password.sendResetLinkEmail', 'uses' => 'PasswordController#postEmail']);
Route::post('/password/reset', ['as' => 'site.password.reset', 'uses' => 'PasswordController#reset']);
});
My problem arises if someone is currently already logged in on the machine. In that case when A user clicks on the link in the email, PasswordController#showResetForm is never executed and the their home page opens in a new tab. Is there a way to force the current user to be logged out so that the password reset can proceed?
Call Auth::logout(); in one of your controllers.
If the showResetForm is never displayed due to user being logged in, you will need to create a temporary page where you call the above function and then redirect to Password Reset page:
public function do_password_reset()
{
Auth::logout();
return redirect()->route('PasswordController#showResetForm');
}
(Remember to add the relevant route for this function.)
Rather than creating additional routes I overwrote the showResetForm function used to route the user to the auth.password.reset view, found in
vendor/laravel/framework/src/Illuminate/Foundation/Auth/ResetsPasswords.php
To do so, within your ResetPasswordController add the following:
public function showResetForm(Request $request, $token = null)
{
$this->guard()->logout();
$request->session()->flush();
$request->session()->regenerate();
return view('auth.passwords.reset')->with(
['token' => $token, 'email' => $request->email]
);
}
All being well that should be the only code you need to add.
As for editing the ResetPasswordController suggested by Lawrence, you might want to remove guest middleware from it's constructor:
$this->middleware('guest');
This middleware redirects authenticated uses to the root page, so it would prevent an already logged in user from logging out.