Laravel 5 - Kodeine ACL using custom resource method inside route protection - laravel

I'm a newbie to Laravel. I am using Kodeine ACL management for Laravel 5. I generated resourceful controllers and routes. I also added a custom method named "profile" to the resourceful controller.
I am not able to apply the ACL to the custom method if I do this:
Route::get('users/profile', 'UsersController@profile');
Route::group(['middleware' => ['auth', 'acl'],
    'is' => 'worker',
    'protect_alias' => 'worker.user',
    'protect_methods' => [
        'create' => ['create', 'store'],
        'store' => ['create', 'store'],
        'read' => ['index', 'show'],
        'view' => ['index', 'show'],
        'edit' => ['edit', 'update', 'profile'],
        'update' => ['edit', 'update', 'profile'],
        'delete' => ['destroy'],
    ]
],
function () {
    Route::resource('users', 'UsersController');
});
The above code does not apply the ACL to the profile method.
But if I comment out line #1, it applies the ACL, but it does not direct to the profile method [i.e. $next($request) doesn't seem to work].
Please advise if I am wrong and how to achieve this.
Thanks!

Related

How to group apiResource route and other routes together?

I am using apiResource and other routes. I grouped them like below:
Route::group(['prefix' => 'posts'], function () {
    Route::group(['prefix' => '/{post}'], function () {
        Route::put('lablabla', [PostController::class, 'lablabla']);
    });
    Route::apiResource('/', PostController::class, [
        'names' => [
            'store' => 'create_post',
            'update' => 'edit_post',
        ]
    ]);
});
All apiResource routes except index and store do not work! How should I group routes?
Your syntax for routing is wrong,
Notes
You will provide a uri for the apiResource (plural)
eg. Route::apiResource('posts', PostController::class);
Your name of resource route is wrong
Get this out https://laravel.com/docs/8.x/controllers#restful-naming-resource-routes
it should be
Route::apiResource('posts', PostController::class)->names([
    'store' => 'create_post',
    'update' => 'edit_post',
]);
No need of repeating Route::group, you can just write your routes like this
Route::prefix('posts')->group(function () {
    Route::put('lablabla', [PostController::class, 'lablabla']);
});
Route::apiResource('posts', PostController::class)->names([
    'store' => 'create_post',
    'update' => 'edit_post',
]);
Your syntax is incorrect, there is a names method. See the documentation here https://laravel.com/docs/8.x/controllers#restful-naming-resource-routes.

how to stop execution of ctp file in cakephp 2.x after validating the url

In my CakePHP application, I have applied URL validations so that the admin can access only those actions which are defined for the admin, and the same for users.
In my application, "surveylist" is an admin action, and when any user directly accesses that action (surveylist), the URL validation works (the "Unauthorized access" message is displayed).
But below that message, the ctp file of surveylist still executes and shows errors, because I have validated the URL through the try-catch block and it cannot get the variables set by the action.
I want the ctp file not to execute if the unauthorized error occurs.
My code for surveylist is:-
public function surveylist($pg=null){
    try{
        if($this->checkPageAccess($this->params['controller'] . '/' . $this->params['action'])){
            $this->Paginator->settings = array(
                'Survey' => array(
                    'limit' => 5,
                    'order' => 'created desc',
                    'conditions'=>array('is_deleted'=> 0),
                    'page' => $pg
                )
            );
            $numbers = $this->Paginator->paginate('Survey');
            $this->set(compact('numbers'));
        }else{
            $this->Flash->set(__('Unauthorised access'));
        }
    }catch(Exception $e){
        $this->Flash->set(__($e->getMessage()));
    }
}
I don't want the ctp file of surveylist to execute if control comes to else.
Please help me out.
Thanks in advance.
I suppose you are using a prefix to separate admin and users; if not, please do that, it is a great way to handle and restrict methods.
After doing that, you have to add a condition to check which prefix (admin, user) is currently active and, according to that, load the Auth component and allow actions in the allow() method of Auth.
Example:
$this->loadComponent('Auth',[
    /*'authorize' => [
        'Acl.Actions' => ['actionPath' => 'controllers/']
    ],*/
    'loginRedirect' => [
        'controller' => 'Users',
        'action' => 'index'
    ],
    'authenticate' => [
        'Form' => [
            'fields' => [
                'username' => 'email',
                'password' => 'password'
            ]
        ]
    ],
    'loginAction' => [
        'controller' => 'Users',
        'action' => 'login'
    ],
    'unauthorizedRedirect' => [
        'controller' => 'Users',
        'action' => 'login',
        'prefix' => false
    ],
    'authError' => 'You are not authorized to access that location.',
]);
if ($this->request->params['prefix']=='admin') {
    // Put actions you want to access to admin in allow method's array
    $this->Auth->allow(array('add', 'edit' /* etc... */));
} else if ($this->request->params['prefix']=='user') {
    // Put actions you want to access to user in allow method's array
    $this->Auth->allow(array('login', 'view' /* etc... */));
}
This way you can restrict actions for particular role.
Hope this helps!
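An added example, not part of the original question or answer: in CakePHP 2.x the view is rendered automatically once the action returns, so a denial that only sets a flash message still reaches surveylist.ctp. The sketch below moves the asker's check into beforeFilter() and ends the request with the framework's ForbiddenException. It assumes checkPageAccess() from the question is defined on AppController; the SurveysController name is also an assumption.

```php
<?php
// Added example (not from the original posts). CakePHP 2.x.
// In a real app the two classes live in AppController.php and
// SurveysController.php; they are shown together for brevity.
// Assumes checkPageAccess() from the question is defined on AppController
// and returns true only when the current user may call "controller/action".
App::uses('Controller', 'Controller');

class AppController extends Controller {
    public $components = array('Flash', 'Paginator');

    // Runs before every action, so each action is denied by default and
    // no action has to remember to call the check itself.
    public function beforeFilter() {
        parent::beforeFilter();
        $target = $this->params['controller'] . '/' . $this->params['action'];
        if (!$this->checkPageAccess($target)) {
            // Throwing aborts dispatch: the action body and surveylist.ctp
            // never run, and Cake renders its 403 error view instead.
            // Do not throw this inside a try block that catches Exception,
            // as in the question: the catch would swallow it and the view
            // would render again.
            throw new ForbiddenException(__('Unauthorised access'));
        }
    }
}

class SurveysController extends AppController {
    public function surveylist($pg = null) {
        // Only reached when beforeFilter() allowed the request.
        $this->Paginator->settings = array(
            'Survey' => array(
                'limit' => 5,
                'order' => 'created desc',
                'conditions' => array('is_deleted' => 0),
                'page' => $pg,
            ),
        );
        $this->set('numbers', $this->Paginator->paginate('Survey'));
    }
}
```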

Custom naming in router resources

I have in my controller
public function details($id)
{
    $claim = Claim::findOrFail($id);
    $details = $claim->details;
    return response()->json([], 200);
}
and I have in my routes
Route::resource('claims', 'Admin\\ClaimsController',['names'=> ['details'=>'admin.claims.details'], 'only' => ['index','store','update','destroy','details']]);
When I run php artisan route:list I do not see the admin.claims.details (admin/claims/1/details) in the list.
The documentation is pretty vague here, so I'm asking how to properly set a custom route. How do I specify if it's "POST" or "GET"?
To override the default resource controller actions' route names, you can pass a names array with your options.
For example:
Route::resource('claims', 'ControllerClassName', [
    'names' => [
        'index' => 'admin.claims.details',
        'create' => 'admin.claims.create',
        // etc...
    ],
    'only' => [
        'index','store','update','destroy','details'
    ]
]);
REF: https://laravel.com/docs/5.2/controllers#restful-naming-resource-routes
Here are examples of setting custom named get/post routes.
GET Route
Route::get('claims', ['as' => 'admin.claims.details', 'uses' => 'ControllerClassName']);
POST Route
Route::post('claims', ['as' => 'admin.claims.details', 'uses' => 'ControllerClassName']);
REF: https://laravel.com/docs/5.2/routing#named-routes

Add auth to some methods of API resource routes

I need to restrict access to the index resource so that people can't view all the submissions from a contact form. Is this possible to do via a route, or what are people doing?
I'm using Laravel 5.2
Route::group(['prefix' => 'v1/api', 'middleware' => ['cors']], function(){
    Route::resource('contact', 'ContactFormController', ['except' => [
        'create', 'edit'
    ]]);
});
Got it. Added this to the controller in question:
function __construct() {
    $this->middleware('auth', array('only' => array('index', 'show')));
}
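An added example, not part of the original post: the resource route above also registers update and destroy, and a middleware list written with 'only' => ['index', 'show'] leaves those two reachable without login. The variant below inverts the rule so every action except the public form submission requires authentication. Treating store as the only public action is an assumption.

```php
<?php
// Added example, not from the original post. Laravel 5.2 syntax.
// Assumption: store() (submitting the form) is the only public action.

// app/Http/routes.php
Route::group(['prefix' => 'v1/api', 'middleware' => ['cors']], function () {
    // Public: POST v1/api/contact
    Route::resource('contact', 'ContactFormController', ['only' => ['store']]);

    // Login required: index, show, update and destroy. The inner group's
    // middleware is merged with the outer one, so these run cors, then auth.
    Route::group(['middleware' => ['auth']], function () {
        Route::resource('contact', 'ContactFormController', [
            'only' => ['index', 'show', 'update', 'destroy'],
        ]);
    });
});

// app/Http/Controllers/ContactFormController.php
// Same rule stated in the controller as a second layer. 'except' is
// deny-by-default: an action added later is protected unless listed here,
// whereas 'only' => ['index', 'show'] leaves update and destroy open.
class ContactFormController extends Controller
{
    public function __construct()
    {
        $this->middleware('auth', ['except' => ['store']]);
    }
}
```

Running php artisan route:list afterwards shows the middleware attached to each contact route, which is a quick way to confirm nothing was left open.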

Laravel Route::controller with additional parameters

I'm trying to figure out whether there is a way of adding url parameters to the Route::controller call.
What I have at the moment for my control panel is:
Route::group(
    [
        'prefix' => 'admin',
        'namespace' => 'Admin'
    ],
    function() {
        Route::group(
            [
                'prefix' => '',
                'before' => 'auth.admin'
            ],
            function() {
                Route::controller('page', 'PageController');
                Route::controller('article', 'ArticleController');
            }
        );
        Route::controller('/', 'LoginController');
    }
);
Now - each of the controllers will have the post / getEdit actions, which will require the url id parameter to be passed over in the simple format of /admin/page/edit/{id}.
My question is - is there a way to perhaps add some parameters to the Route::controller method or do I have to do them all using Route::get / Route::post approach?
I know I can do it by adding two extra cases with get and post above the given controller call:
Route::group(
    [
        'prefix' => 'admin',
        'namespace' => 'Admin'
    ],
    function() {
        Route::group(
            [
                'prefix' => '',
                'before' => 'auth.admin'
            ],
            function() {
                Route::get('page/edit/{id}', 'PageController@getEdit');
                Route::post('page/edit/{id}', 'PageController@postEdit');
                Route::controller('page', 'PageController');
                Route::controller('article', 'ArticleController');
            }
        );
        Route::controller('/', 'LoginController');
    }
);
but perhaps there's a better approach?
You can use Route::resource:
Route::resource('resource', 'ResourceController');
This will register the following routes:
Verb       Path                        Action   Route Name
GET        /resource                   index    resource.index
GET        /resource/create            create   resource.create
POST       /resource                   store    resource.store
GET        /resource/{resource}        show     resource.show
GET        /resource/{resource}/edit   edit     resource.edit
PUT/PATCH  /resource/{resource}        update   resource.update
DELETE     /resource/{resource}        destroy  resource.destroy
You can use it together with only or except to choose what routes to be included (or excluded):
Route::resource('resource', 'ResourceController', ['only' => ['index', 'show', 'update', 'destroy']]);
Read more about restful resource controllers in the Laravel documentation.
This post might also be interesting: Laravel 4 - Route::resource vs Route::controller. Which to use?
