I am building a series of forms in Laravel 4 with Doctrine 2. I want to be able to restrict access to each forms subsystem based on a user's level of permission (none, view, view and edit, view edit and delete).
In my database I have a table where each form subsection is stored (id, form_name, view_foldername) called "libForms". I also have a "users" table with all of the typical user information. When a new user is added, a third table, "permissions" gets populated with an access level of '0' (none) for each form currently in the system for that particular user.
When a new form is created, I also have it set up to where a new directory is created in the app/views directory. The name of this directory is a camelCase version of the form's name.
What I want to do is restrict access to any view within app/views/folderName for users that have an access level of '0' (none). Any user without access should be spit back to the homepage.
So far I have come up with trying something like:
Route::filter('formAuth', function()
{
$entityManager = App::make('Doctrine\ORM\EntityManagerInterface');
//get current user
$current_user = $entityManager->getRepository('User')->find(Session::get('my_userid'));
//check user's permission level for this section of forms
$form_route = $entityManager->getRepository('LibForm')->findOneBy(array('route_name' => Request::segment(1)));
...
});
And then calling this filter in the Controller's constructor.
$this->beforeFilter('formAuth');
I don't assume any of this is close to being correct and I am just confusing myself even more every time I think of something else!
Related
I am new to Laravel and I want to make data in my database available via RESTFUL API. I need to control permissions of data objects with field level specificity. I was curious what is the idiomatic way to do this in Laravel?
For example, I will have a database table called PrintMachine that has the fields Id,MachineName,ActivityStatus,ManufacturingYear. I want to assign the following permissions:
Web Administrators get Read and Edit access to all records and all fields in PrintMachine
Factory Managers get Read and Edit access to the PrintMachine.MachineName and PrintMachine.ActivityStatus fields for all records and get no access to any other fields in PrintMachine.
Floor Operators get Read access to the PrintMachine.MachineName field for all records and get no access to any other fields in PrintMachine.
People told me to consider Spatie Module and also read Gates and Policies, but it's not clear how either achieves field level permissions on their own.
The other option I was considering was to custom create my own solution by:
for GET requests, create three ViewModels called PrintMachineAdmin,PrintMachineManager,PrintMachineOperator, each class with properties accessible to the corresponding roles.
for POST/PUT requests, I'll have to write my own conditional statements to validate data based on the users roles
Is there a more idiomatic way to develop the a feature for field level permissions for restful apis?
So many options. An implementation of role and permission structure can achieve this and you can most certainly do this via the Spatie Module.
Eg adapted from spatie documentation:
$role = Role::create(['name' => 'Manager']); //db has roles table
//or if already created
//$role = Role::where('name', 'Manager')->first();
$permission = Permission::create(['name' => 'edit PrintMachine.MachineName']); //db permissions table
$role->givePermissionTo($permission); //now manager role has been assigned permission to edit machine name.
//assigning role to user
$user = User::create(['name'=> 'Manager User']); //or get existing
$user->assigneRole($role); //now this user has edit access to machine name
//to see if user has access
if( $user->hasPermissionTo('edit PrintMachine.MachineName') )
//do efit
//OR if you want to check using role
if( $user->hasRole('Manager')
//do manager stuff
//and in view you can use #can blade directive
#can( 'edit PrintMachine.MachineName' )
//authenticated user can edit machine name //show edit button/form
#endcan
//similarly #role directive will do the check using role
For super admins in AuthServiceProvider's boot method.
Gate::before(function ($user, $ability) {
return $user->hasRole('Super Admin') ? true : null;
});
Gate's before method precedes all other gate operations so all other permissions can be overridden here.
I was authorized under user and object Auth::user() is not empty. So using this object and relations between models therefore I can get status of user from Users table:
$profileStatus = Auth::user()->user->first()->status;
How to share this variable $profileStatus in all template in Laravel to show/hide HTML blocks depend this value (active/not active)?
Once User successfully logged in, you can set status in globally like
View::share('user_status', $profileStatus);
then you can access user_status from your entire application including blade templates.
Is it possible to change the attributes of form view for specific user groups in form view tag, like in form tag, readonly="{('user_group','=','some_group')}">
I need to make a form view read-only for s specific user group but only from front-end. Records are updated from code by that user belonging to that specific user group from back-end. and if i disable updating the records of that model by that user group in my security file, that user is not able to modify the records even from back-end.
Best way to do this is by defining a new group that have only read access on that model and add to that user you will save a lot of typing and a lot of your time.
Because what you really asking is to remove edit write for a specific user.
Scenario:
In an integration in Magento 2 with Full Caching.
We have two types of customers Type 1 and Type 2. Both these types of customers are saved under same Customer Group we are distinguishing the customers based on a customer type attribute.
Customer of type 1 can belong to different departments (1 to many). When he first visits the site after login, he is redirected to select his department.
This value is saved in customer session, on run time customer can change his department that value is updated in the existing customer session.
When we access a new page we get the updated session, but if we access a page that was accessed earlier, we get the old data from session.
Options tried:
We tried to load the data from customer session factory instead of customer session, but still we are facing the issue. Our understanding is that data which is saved in customer object is loaded as new, but since our data is saved under customer session it is not returning the latest data.
For some section of the page we have used sections to load the data, but in that scenario also, if a page is accessed earlier the correct data is not loaded in first refresh, in second refresh the data is loaded properly.
We also tried to update the session data from AJAX, but that was also not much useful since that data is not getting loaded on the pages.
We also tried to use context variables, but when we log the data while saving the context variable the correct data is logged but when we try to fetch the context data, no data was returned. Also even if different context variable is set for each department, the page seems to be rendered from cache.
We can’t use Cookie since this is sensitive data, this will be the last option.
In Magento 1 we had an option to generate new Cache key by extending app\code\local\Enterprise\PageCache\Model\Processor.php,
Example
if
(isset($_COOKIE[Enterprise_PageCache_Model_Cookie::IS_USER_ALLOWED_SAVE_COOKIE]))
{ $uri .= '_' .
$_COOKIE[Enterprise_PageCache_Model_Cookie::IS_USER_ALLOWED_SAVE_COOKIE];
}
Is there any similar option available in Magento 2. If yes, please share some reference links to integrate the same.
I've got a question about the best way to allow user's information to be visible between users in certain situations.
I have certain columns in User class which are private to the user.
In some activity i'm pointing to user object as 'postedBy' or something else,In this case the entire data regarding user is getting shared.
My question is how to restrict user to get some columns in User class??
usually if you want to restrict an access in parse it should be done via ACL. In ACL you can create role for users who can read/write to the class.
ACL are executed on a class level and not on a column level. In order to expose part of the fields i think you have 2 options:
Create one to one realtionship from your User class to another Class. the second class will contain all columns that not all users can see and for this class create ACL's with the users/roles that can view this data and when you will execute your query only the users with sufficient permissions will be able to get this data
The second option is when you want to avoid relationships here you can use the select option under query. Select allows you to select specific fields of the class and the query will return only the fields that you specified under the select. here is a code snippet from parse docs which explain how to use select (in JS):
var GameScore = Parse.Object.extend("GameScore");
var query = new Parse.Query(GameScore);
query.select("score", "playerName");
query.find().then(function(results) {
// each of results will only have the selected fields available.
});
Hope its clear now :)