How do I add a filter so that, when I am logged in and I enter user/login or user/register in the URL, I am redirected to home?
And when I am logged out, I want to protect user/panel.
Laravel has filter options; the official website states the following about filters:
Route filters provide a convenient way of limiting access to a given route, which is useful for creating areas of your site which require authentication. There are several filters included in the Laravel framework, including an auth filter, an auth.basic filter, a guest filter, and a csrf filter. These are located in the app/filters.php file.
Defining a route filter
Route::filter('old', function()
{
    if (Input::get('age') < 200)
    {
        return Redirect::to('home');
    }
});
If the filter returns a response, that response is considered the
response to the request and the route will not execute. Any after
filters on the route are also cancelled.
Attaching a filter to the route
Route::get('user', array('before' => 'old', function()
{
    return 'You are over 200 years old!';
}));
You can find complete documentation here
Route.php
Route::group(array('prefix' => 'user', 'before' => 'isUser'), function () {
    Route::get('register', array('as' => 'register', 'uses' => 'UsersController@create'));
    Route::get('login', array('as' => 'login', 'uses' => 'UsersController@login'));
    // add post routes as required
});
filters.php
// I have used Sentry for user authorisation.
// Attached to the guest-only group above (login/register): a user who is
// already logged in is sent back to the home page.
Route::filter('isUser', function ()
{
    if (Sentry::check()) {
        return Redirect::to('/')->with('message', "You are already logged in.");
    }
});

// Attach this one to protected routes such as user/panel, not to login/register
// (there it would redirect guests away from the login form itself).
// Benefit of using Redirect::guest() is that after login you can send the
// user back to the page they asked for with Redirect::intended().
Route::filter('sentryAuth', function ()
{
    if (! Sentry::check()) {
        return Redirect::guest('login');
    }
});
Related
I've been trying to make a conditional based on authentication, but my browser tells me this: "The page isn't redirecting properly", which lets me know that something is of course wrong.
Here are my routes:
$router->group(['middleware' => 'auth'], function() { // If the user is logged in
    Route::get('/', 'IndexController@dashboard');
});
$router->group(['middleware' => 'guest'], function() { // If the user is not logged in
    Route::get('/', 'IndexController@index');
});
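A way out of the loop, as an added example that is not part of the question (Laravel 5.0/5.1 conventions; the `IndexController`, the `dashboard` route name, the view names and the `RedirectIfAuthenticated` class bound to the `guest` middleware name are assumptions). Two `Route::get('/')` registrations do not coexist, the last one replaces the first, so `/` only ever runs the `guest` middleware; if that middleware sends an authenticated user back to `/`, the browser bounces until it gives up. Registering `/` once and deciding in the controller removes the cycle:

```php
<?php
// Added example (not from the question). Laravel 5.0/5.1 style; the controller,
// route name, view names and middleware class are assumptions.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use App\Http\Controllers\Controller;

// --- app/Http/routes.php ---
// Register "/" exactly once, with no middleware: a second Route::get('/')
// would silently replace this one, whatever middleware either carries.
Route::get('/', 'IndexController@index');

// The authenticated area lives on its own URI behind 'auth'.
Route::get('/dashboard', [
    'middleware' => 'auth',
    'as'         => 'dashboard',
    'uses'       => 'IndexController@dashboard',
]);

// --- app/Http/Controllers/IndexController.php (namespace line omitted) ---
class IndexController extends Controller
{
    // The landing page branches in code instead of via two competing routes.
    public function index()
    {
        if (Auth::check()) {
            return redirect()->route('dashboard');
        }
        return view('welcome');
    }

    public function dashboard()
    {
        return view('dashboard');
    }
}

// --- app/Http/Middleware/RedirectIfAuthenticated.php, registered as 'guest' ---
// Its redirect target must be a URI that does not itself run 'guest';
// redirecting a logged-in user to a 'guest' route is what produces
// "The page isn't redirecting properly".
class RedirectIfAuthenticated
{
    public function handle(Request $request, Closure $next)
    {
        if (Auth::check()) {
            return redirect()->route('dashboard');
        }
        return $next($request);
    }
}
```

The `auth` middleware on `/dashboard` still redirects guests to the login page, so the two redirects can never point at each other.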
I have the following code in my routes/web.php
Route::namespace('Admin')->middleware(['admin'])->group(function() {
    Route::get('/posts', 'PostController@index');
});
Route::namespace('User')->middleware(['user'])->group(function() {
    Route::get('/posts', 'PostController@index');
});
I wish to use the same URI "/posts" in both cases and keep the role logic (admin, user) out of the controllers; however, in this case, when I request the route "/posts" it always responds with the last one.
I can't seem to find information of what I am missing here.
Use a prefix to get different routes for admin and user:
/admin/posts
Route::group(['namespace' => 'Admin', 'middleware' => 'admin', 'prefix' => 'admin'], function () {
    Route::get('/posts', 'PostController@index');
});
/user/posts
Route::group(['namespace' => 'User', 'middleware' => 'user', 'prefix' => 'user'], function () {
    Route::get('/posts', 'PostController@index');
});
You may try this one
Route::group(['prefix' => 'admin', 'middleware' => 'admin'], function () {
    Route::get('/posts', ['uses' => 'PostController@posts', 'as' => 'admin.posts.index']);
});
Route::group(['prefix' => 'user', 'middleware' => 'user'], function () {
    // route names must be unique, otherwise the second definition overwrites the first
    Route::get('/index', ['uses' => 'PostController@posts', 'as' => 'user.posts.index']);
});
I have a Laravel application. In the routes file, I have
Route::group(['prefix' => 'user'], function () {
    Route::group(['middleware' => ['auth', 'roles'], 'roles' => ['buyer']], function() {
        Route::get('dashboard/buyer', ['as' => 'buyer_dashboard', 'uses' => 'User\Buyer\DashboardController@index']);
    });
    Route::group(['middleware' => ['auth', 'roles'], 'roles' => ['seller']], function() {
        Route::get('dashboard/seller', ['as' => 'seller_dashboard', 'uses' => 'User\Seller\DashboardController@index']);
    });
});
I have a middleware that basically checks if the id as supplied in the route, is the same as the current logged in user. If this is not the case, I return an error page. The reason for having this is that I want to prevent that a user can access the dashboard of another user. I also want to prevent that a user can place a bid for someone else (by changing the id in the http request)
The issue is that in the first route, the id is referring to the user. In the second route, the id is referring to the lot id.
Am I obliged to change the second route to:
Route::get('{id}/lot/{lot}/bid/create', ['as' => 'buyer_lot_bid_create', 'uses' => 'User\Buyer\BidsController@create']);
where the first id refers to the user so that I can check the id of the user?
Or is there another way to prevent users from accessing other users pages without explicitly passing the user/{id} in the route?
Doing this in a middleware sounds like a bad idea. You've already come up against one exception to your middleware rule, and you'll certainly come across more.
There are two ways to do this:
Using Laravel's built-in authorisation tools: https://laravel.com/docs/5.1/authorization
If the check is that the "id as supplied in the route is the same as the current logged in user", then there's no need to pass the user's id in via the route at all. The user can just visit e.g. /dashboard/buyer with no params in the route. Whose dashboard are they visiting? The one of the logged in user, of course. So there's no way for a user to even try to visit another user's dashboard. Likewise with bidding. You can make your bid endpoint so that the bidder's id is not passed in via a route; it's just set to the id of the logged in user in your controller method. So again, there's no way to even try to bid on behalf of another user.
use Illuminate\Contracts\Auth\Access\Gate as GateContract;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(GateContract $gate)
    {
        $this->registerPolicies($gate);

        // a profile may only be seen by the user it belongs to
        $gate->define('see-profile', function ($user, $profile) {
            return $user->id === $profile->user_id;
        });
    }
}
Controller:
use Illuminate\Support\Facades\Gate; // at the top of the controller file

public function profile($id)
{
    $profile = Profile::findOrFail($id);

    if (Gate::denies('see-profile', $profile)) {
        abort(403);
    }

    return view('profile', compact('profile'));
}
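The second choice above (no user id in the route or form, the bidder is whoever is logged in) as an added example, not code from the answer. The `Lot` and `Bid` models, their `seller_id`/`user_id` columns, the `bids()` relation, the `place-bid` ability and the route names are assumptions; Laravel 5.1 conventions. The unsafe controller is included only to show what the hardened one removes:

```php
<?php
// Added example (not from the answer). Models, columns, relation, ability
// name and route names are assumptions; namespace lines of the real files
// are omitted.

use Illuminate\Http\Request;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Gate;
use Illuminate\Contracts\Auth\Access\Gate as GateContract;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use App\Http\Controllers\Controller;

// --- routes.php: no {id} for the user anywhere ---
Route::group(['prefix' => 'user', 'middleware' => ['auth', 'roles'], 'roles' => ['buyer']], function () {
    Route::get('dashboard/buyer', ['as' => 'buyer_dashboard', 'uses' => 'BidsController@dashboard']);
    Route::post('lot/{lot}/bid', ['as' => 'buyer_lot_bid_store', 'uses' => 'BidsController@store']);
});

// --- AuthServiceProvider: the only per-object rule that is left ---
class AuthServiceProvider extends ServiceProvider
{
    public function boot(GateContract $gate)
    {
        $this->registerPolicies($gate);

        // a seller may not bid on their own lot; the buyer role itself is
        // already enforced by the 'roles' middleware on the route
        $gate->define('place-bid', function ($user, Lot $lot) {
            return $user->id !== $lot->seller_id;
        });
    }
}

// --- Anti-pattern: the bidder's identity comes from the client ---
// Editing user_id in the POST body (or {id} in a /user/{id}/... route)
// places the bid as somebody else.
class UnsafeBidsController extends Controller
{
    public function store(Request $request, $lotId)
    {
        return Bid::create($request->only('user_id', 'lot_id', 'amount'));
    }
}

// --- Hardened: identity and lot come from the session and the route ---
class BidsController extends Controller
{
    public function dashboard()
    {
        // "whose dashboard?" never needs asking: it is the logged-in user's
        return view('buyer.dashboard', ['bids' => Auth::user()->bids]);
    }

    public function store(Request $request, $lotId)
    {
        $this->validate($request, ['amount' => 'required|integer|min:1']);

        $lot = Lot::findOrFail($lotId);
        if (Gate::denies('place-bid', $lot)) {
            abort(403);
        }

        $bid = new Bid(['amount' => $request->input('amount')]);
        $bid->user_id = Auth::id();   // set server-side, never read from the form
        $lot->bids()->save($bid);      // lot_id comes from the route, not the form

        return redirect()->route('buyer_dashboard');
    }
}

// Mass-assignment whitelist: user_id and lot_id are deliberately absent, so
// even a future call to Bid::create($request->all()) cannot set them.
class Bid extends Model
{
    protected $fillable = ['amount'];
}
```

With the owner fixed server-side there is nothing left for the "id in route equals current user" middleware to compare, which is why the question's exception (the `{id}` that is really a lot id) disappears.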
I'm a Laravel newbie (VERY newbie) using Cartalyst Sentinel on Laravel 5.2 to leverage roles authorizations.
On the admin section I have three (or more) roles, i.e. "admin", "agent" and "writer".
I also have some sections that should have mixed roles access, i.e. like this:
dashboard (accessible to all roles: admin, agent, writer)
users (accessible to: admin)
orders (accessible to: admin, agent)
pages (accessible to: admin, writer)
no_admin_here (accessible to: agent, writer)
At the moment I managed it to work with only two roles, but now I am stuck.
What I've done so far (I put only the necessary code):
routes.php
// only authenticated users can access these pages
Route::group(['prefix' => 'admin', 'as' => 'admin.', 'middleware' => ['check']], function(){
    // these pages are accessible to all roles
    Route::get('dashboard', ['as' => 'dashboard', function(){
        return view('admin/dashboard');
    }]);
    // only admin can access this section
    Route::group(['middleware' => 'admin'], function(){
        Route::get('users', function(){
            return view('admin/users');
        });
    });
});
SentinelCheck Middleware (named 'check' in Kernel.php)
if (!Sentinel::check()) { // user is not authenticated
    return redirect()->route('admin.login')->with('error', 'You must be logged in to view the page');
}
if (Sentinel::inRole('customer')) { // user is authenticated but he is a customer
    return redirect()->route('admin.login')->with('error', 'You are a customer and cannot access the backend section');
}
SentinelAdmin Middleware (named 'admin' in Kernel.php)
if (!Sentinel::inRole('admin')) { // user is authenticated but he is not an admin
    return redirect()->route('admin.login')->with('error', 'You are not an admin and cannot view the requested section');
}
SentinelAgent Middleware (named 'agent' in Kernel.php)
if (!Sentinel::inRole('agent')) { // user is authenticated but he is not an agent
    return redirect()->route('admin.login')->with('error', 'You are not an agent and cannot view the requested section');
}
So far so good, as I said, but things mess up when I try to mix roles; i.e. I can't write a route like this:
// only admin and agent can access this section
Route::group(['middleware' => ['admin', 'agent']], function(){
    Route::get('orders', function(){
        return view('admin/orders');
    });
});
because "agent" will never reach the section, since the "admin" middleware will block him and log him out. And, likewise, I can't do any other role mix:
['middleware' => ['admin', 'writer']]
['middleware' => ['agent', 'writer']]
['middleware' => ['admin', 'writer', 'whatever_else_role']]
etc..
So, is there an (easy) way in which I can mix role accesses to sections? Thanks in advance for your help.
It was easier than I expected using middleware parameters.
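The answer only names the technique, so here is a worked version as an added example (not the answerer's code). It assumes Laravel 5.2 with Cartalyst Sentinel, the `admin.login` route and role slugs from the question, and a middleware alias `role`; the bracketed namespace syntax is used only so that the middleware file and the routes file fit in one listing:

```php
<?php
// Added example, not from the answer. Laravel 5.2 + Cartalyst Sentinel; the
// 'role' alias, the 'admin.login' route and the role slugs are assumptions.

// --- app/Http/Middleware/SentinelRole.php ---
namespace App\Http\Middleware {

    use Closure;
    use Sentinel;

    class SentinelRole
    {
        /**
         * Usage in routes: 'middleware' => 'role:admin,agent'
         * Laravel splits the text after the colon on commas and passes each
         * piece as an extra argument, collected here by the variadic $roles.
         * Access is granted if the user holds ANY of the listed roles.
         */
        public function handle($request, Closure $next, ...$roles)
        {
            if (! Sentinel::check()) {
                return redirect()->route('admin.login')
                    ->with('error', 'You must be logged in to view the page');
            }

            foreach ($roles as $role) {
                if (Sentinel::inRole($role)) {
                    return $next($request);
                }
            }

            // Authenticated but in none of the allowed roles: a 403 keeps the
            // session intact instead of bouncing the user to the login form.
            abort(403, 'You cannot access this section');
        }
    }
}

namespace {

    // --- app/Http/Kernel.php: add to $routeMiddleware ---
    //     'role' => \App\Http\Middleware\SentinelRole::class,

    // --- app/Http/routes.php: the question's access table, one line per section ---
    Route::group(['prefix' => 'admin', 'as' => 'admin.', 'middleware' => ['check']], function () {
        Route::get('dashboard', ['as' => 'dashboard', 'middleware' => 'role:admin,agent,writer', function () {
            return view('admin/dashboard');
        }]);
        Route::get('users', ['middleware' => 'role:admin', function () {
            return view('admin/users');
        }]);
        Route::get('orders', ['middleware' => 'role:admin,agent', function () {
            return view('admin/orders');
        }]);
        Route::get('pages', ['middleware' => 'role:admin,writer', function () {
            return view('admin/pages');
        }]);
        Route::get('no_admin_here', ['middleware' => 'role:agent,writer', function () {
            return view('admin/no_admin_here');
        }]);
    });
}
```

One parametrised middleware replaces the per-role `admin`/`agent`/`writer` classes, and because a single class evaluates the whole list, "admin OR agent" no longer depends on the order in which separate middlewares run.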
Hey guys, could you please help me? This one is driving me crazy...
Let's say that I have a method for checking if the user is an admin or not:
public function isAdmin()
{
    return Auth::user()->role === 'admin';
}
Then I attach it to a route filter:
Route::filter('admin', function($route, $request)
{
    if ( ! Auth::user()->isAdmin()) {
        Notification::error('No permission to view this page!');
        return Redirect::back();
    }
});
Now, I just pass it to the route group
Route::group(array('before' => 'admin'), function()
{
    Route::post('users/{id}/update_password', 'UserController@update_password');
    Route::post('users/{id}/delete', 'UserController@force_delete');
    Route::delete('users/{id}', array('as' => 'users.destroy', 'uses' => 'UserController@destroy'));
    Route::post('users/{id}/restore', 'UserController@restore');
    Route::get('users/create', array('as' => 'users.create', 'uses' => 'UserController@create'));
    Route::post('users', array('as' => 'users.store', 'uses' => 'UserController@store'));
    Route::get('users/{id}/edit', array('as' => 'users.edit', 'uses' => 'UserController@edit'));
    Route::put('users/{id}', array('as' => 'users.update', 'uses' => 'UserController@update'));
});
The question here is how do I allow a user to bypass this filter if, for example, he's trying to update his own profile page and obviously he's not an admin?
I just want to block all access to the users routes for non-admins, but allow the user to edit/update etc. his own profile, and allow the admin to do that too.
Could you please point me to the right direction?
You can get the related request segment to check it in your filter:
Route::filter('admin', function($route, $request)
{
    // run after the 'auth' filter, otherwise Auth::user() may be null
    $user = Auth::user();
    // the routes are users/{id}/..., so the second URI segment is the target id
    if ( ! $user->isAdmin() && (string) $user->id !== Request::segment(2)) {
        Notification::error('No permission to view this page!');
        return Redirect::back();
    }
});
There are a few ways to do this, but having a filter that checks the request segments against the currently authenticated user isn't the best way.
Choice Number 1
You simply check that a user is auth'd (use the auth filter), and then in the controller itself you check whether or not the user is an admin, and/or it's their profile.
Choice Number 2
Define a secondary set of routes specifically for a user modifying their own profile, that doesn't follow the /user/{id}/* pattern.
Route::group(['before' => 'admin'], function() {
    // admin routes here
});
Route::group(['prefix' => '/me', 'before' => 'auth'], function() {
    Route::post('/update_password', 'UserController@update_password');
    Route::post('/delete', 'UserController@force_delete');
    // etc
});
This would mean that to edit their own profile, they could simply go to /me/edit rather than /user/{id}/edit. To avoid issues like repeating the same code, or errors because an argument is missing, you could do something like this in your controller.
private function getUserOrMe($id)
{
    // an explicit id comes from the admin routes; no id means the /me routes
    return $id !== false ? User::findOrFail($id) : Auth::user();
}

public function edit($id = false)
{
    $user = $this->getUserOrMe($id);
    return View::make('users.edit', compact('user'));
}
I recently used this particular method for an API. Sure it requires defining the routes again, but providing that you've set them up with groups that make use of the prefix option, it's a copy and paste job, plus, there are routes an admin would have that a user wouldn't.
Either way, filters weren't intended to do complex logic, but rather, to provide a level of base logic and protection for routes. Logic that identifies whether the current uri is that of the currently logged in user, is something better handled in a controller.
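The controller-level check the answer recommends, written out as an added example (not the answerer's code). Laravel 4 conventions to match the question; `isAdmin()` is the question's own method, while the `users.edit` view, the form field names, a `$fillable` list on `User` and the `role` column are assumptions. The ownership test sits in the controller, so the same actions serve `/users/{id}/...` for admins and `/me/...` for everyone:

```php
<?php
// Added example, not from the answer. Laravel 4; view name, form fields,
// User::$fillable and the role column are assumptions.

class UserController extends BaseController
{
    // Resolve the account being acted on. With no id (the /me routes) it is
    // the current user; with an id it is allowed only for an admin or the
    // owner. The admin filter already guards /users/{id}, so this is defence
    // in depth: the action stays correct if a route is ever added without it.
    private function getUserOrMe($id = null)
    {
        $me = Auth::user();
        if ($id === null) {
            return $me;
        }

        $user = User::findOrFail($id);
        if (! $me->isAdmin() && (int) $user->id !== (int) $me->id) {
            App::abort(403, 'No permission to view this page!');
        }
        return $user;
    }

    public function edit($id = null)
    {
        $user = $this->getUserOrMe($id);
        return View::make('users.edit', compact('user'));
    }

    public function update($id = null)
    {
        $user = $this->getUserOrMe($id);

        // Only the fields a user may change about themselves come from the form...
        $user->fill(Input::only('name', 'email'));

        // ...privileged fields are honoured only for an admin, so a non-admin
        // cannot promote themselves by adding role=admin to their own request.
        if (Auth::user()->isAdmin() && Input::has('role')) {
            $user->role = Input::get('role');
        }

        $user->save();
        return Redirect::back()->with('message', 'Profile updated');
    }
}

// --- routes.php ---
// Self-service routes: any logged-in user, no id in the URI.
Route::group(array('prefix' => 'me', 'before' => 'auth'), function () {
    Route::get('edit', 'UserController@edit');
    Route::put('/', 'UserController@update');
});

// Admin routes: the question's 'admin' filter runs after 'auth'.
Route::group(array('prefix' => 'users', 'before' => 'auth|admin'), function () {
    Route::get('{id}/edit', array('as' => 'users.edit', 'uses' => 'UserController@edit'));
    Route::put('{id}', array('as' => 'users.update', 'uses' => 'UserController@update'));
});
```

The filter stays simple (is the caller an admin?) and the only place that has to know which record belongs to whom is `getUserOrMe()`, which is the split the answer argues for.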