Letting user access webpage if he has a certain role - php

I am making a small webpage with Laravel that has User and Admin roles.
My 'users' table consists of name, email, password and a role value (0 for user, 1 for admin).
I don't need anything fancy, so can I just make it so that every time a normal user loads a page that's meant for the administrator, he gets redirected?
To be more precise: how can I make it so that whenever a new page loads, the user's role gets checked and then my if or can statement checks if the user is allowed to access the page?
For example I have a view:
results, that displays all the match results (can be accessed by everyone), and I also have an admin/RESULTSadmin view that should only be accessed by a user that has an admin role, while the rest need to get redirected. Thank you in advance!

You can make a parent controller with a method which checks what you need and extend your controller from that (kind of the old way, but the simplest).
Another option: make some middleware to check access.
Also please take a look at the Laravel auth mechanism: https://laravel.com/docs/9.x/authentication#password-confirmation-protecting-routes
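The middleware option from the answer, written out as an added example (not the answerer's code or anything from the Laravel docs). It assumes Laravel 9, the users.role column from the question (0 = user, 1 = admin), and route/view names results and admin.RESULTSadmin, which are guesses based on the question.

```php
<?php
// app/Http/Middleware/EnsureUserIsAdmin.php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserIsAdmin
{
    // Matches the question's users.role column: 0 = user, 1 = admin.
    public const ROLE_ADMIN = 1;

    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Not logged in at all: send to the login form. The 'auth' middleware
        // normally catches this first; the check here keeps this class safe
        // even if someone registers it on a route without 'auth'.
        if ($user === null) {
            return redirect('/login');
        }

        // Cast, then compare strictly: a role of "1" (string) and 1 (int)
        // both pass, while null, "" and 0 all fall through to the redirect.
        if ((int) $user->role !== self::ROLE_ADMIN) {
            return redirect()->route('results')
                ->with('error', 'You are not allowed to view that page.');
        }

        return $next($request);
    }
}

// app/Http/Kernel.php: give the middleware a short alias for use in routes.
//   protected $routeMiddleware = [
//       // ...existing aliases...
//       'admin' => \App\Http\Middleware\EnsureUserIsAdmin::class,
//   ];

// routes/web.php: the public page stays open, the admin page is wrapped.
// (Route names and view names are assumptions based on the question.)
//   Route::view('/results', 'results')->name('results');
//   Route::middleware(['auth', 'admin'])->group(function () {
//       Route::view('/admin/results', 'admin.RESULTSadmin')->name('admin.results');
//   });
```

Hiding the admin link in Blade with an @if on the role is only cosmetic; the middleware is what stops a normal user who types the admin URL directly.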

Related

How could I change my user login system to a multi-tiered login

At this time, I have a simple admin login section on my web site, from which an admin can add/edit page content and add/edit pages or subjects.
Now, I am thinking down the line in this project, for this site to work in the way needed, that I need to add a multi-level user system.
I would think that adding a user level as an INT to my tables would allow this;
then in my pages where I have my "is_logged_in" function call, I could also fetch the user level INT and store it in the session.
This way, if the user is set to level 1, show links a;
if the user is set to level 2, show links b.
Or am I looking at this the wrong way?
No need to reinvent the wheel. What you're looking for is called Access Control List (ACL) functionality. There are lots of available solutions you can incorporate into your project. Personally I use Zend's Acl libraries but there are many more flavors out there.
How it works (basic version): you assign some ACL roles - e.g. "admin", "staff", "user", "guest" where "guest" would be your default anonymous visitor. When a user logs in, you save the ACL role in the user's session.
You then create an ACL class that assigns these roles to your resources. E.g. "admin" can read and edit anyone's data, "staff" can read "admin", "staff" and "user" data, but only edit its own and "user" data, "user" can read other "user" data but only edit its own data.
At any point in your application where you need to check if a user is allowed to perform some action or access certain sections of a website (e.g. the CMS), you check against your ACL rules to execute the action / allow access or tell the user he/she is not authorized.
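The role/resource rules just described, as an added example in plain PHP (my own minimal deny-by-default ACL, not the Zend Acl library the answerer uses). The roles, resources and privileges are the ones in the answer; the Acl class and the function names are assumptions.

```php
<?php
// Deny-by-default ACL encoding the answer's rules. The Acl class is a
// hypothetical stand-in for Zend_Acl, not its API. Resources are named after
// the role that owns the data: "admin_data", "staff_data", "user_data".

final class Acl
{
    /** role => resource => privilege => true */
    private $rules = array();

    public function allow($role, $resource, array $privileges)
    {
        foreach ($privileges as $privilege) {
            $this->rules[$role][$resource][$privilege] = true;
        }
    }

    // Anything not explicitly allowed is denied; an unknown role gets nothing.
    public function isAllowed($role, $resource, $privilege)
    {
        return isset($this->rules[$role][$resource][$privilege]);
    }
}

function buildAcl()
{
    $acl = new Acl();
    foreach (array('admin', 'staff', 'user') as $owner) {
        $acl->allow('admin', $owner . '_data', array('read', 'edit')); // admin: everything
        $acl->allow('staff', $owner . '_data', array('read'));         // staff: read all
    }
    $acl->allow('staff', 'user_data', array('edit')); // staff edits user data only
    $acl->allow('user', 'user_data', array('read'));  // user reads other users only
    // 'guest' gets no rules at all: the default anonymous visitor sees nothing.
    return $acl;
}

// The check to call wherever an action happens. $ownRecord is true when the
// record belongs to the current user; every role may read and edit its own data.
function isAllowed(Acl $acl, $role, $targetRole, $privilege, $ownRecord = false)
{
    if ($ownRecord && in_array($privilege, array('read', 'edit'), true)) {
        return true;
    }
    return $acl->isAllowed($role, $targetRole . '_data', $privilege);
}

// Role comes from the session, defaulting to 'guest' for anonymous visitors.
$role = isset($_SESSION['acl_role']) ? $_SESSION['acl_role'] : 'guest';
$canEditUser = isAllowed(buildAcl(), $role, 'user', 'edit');
```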

Ways of restricting users based on user level in PHP

I have seen Joomla using many types of user access for the admin site. For example user, admin user, registered user and super user. The system actually knows what type of user you are once you have logged in. I'm trying to do the same thing for my web app. I need any suggestions on how this feature can be achieved using PHP.
Assuming a user is in a database, you could have a column like role which would be user, admin, registered, or super.
Then in PHP you can use switch / if-condition blocks based on that role variable.

How to force creating a company after first login with Symfony2

I'm building a SaaS with Symfony 2. Currently I'm adding registration of users to the application, but I don't know how to start.
I have no problems with basic user registration and login; my problem is another: when a user logs into the system, he must fill in his company information. Even if the user goes to another URL, he must be redirected to the company information screen and he can't continue until he fills in the company data. And the truth is that I have no idea how to do this.
Can you help me, please? I know that I can add some checks to all of the controllers, but this is just an ugly hack...
If the company information is important, add those fields to the register page. Don't create the account until all fields are filled.
Hard to answer without knowing anything about your application architecture. There's more than one way to do it.
One possible solution would be: as long as the user did not fully fill out all the required information, his account is locked, so whenever he tries to get onto another URL the access is denied (so essentially you've got three user states in your database or session storage or whatever) unless he enters his profile page and fills out all the required information.
If he did so, his status changes to a "fully valid" user and he can log in and browse the page however he likes.
So you don't have to check it on every page - just check if the user is logged in, locked or logged out.
If you have some kind of groups or roles in your application you could put your user into the "invalid" or "notcomplete" group which has basically no access to the application's pages.
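The "locked until complete" approach from this answer, as an added example for Symfony 2.6+ (not the answerer's code). It assumes a User entity with a hypothetical getCompany() that returns null until the company form has been saved, and a route named company_setup for that form; the class name and the logout route name are also assumptions.

```php
<?php
namespace AppBundle\EventListener;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

// Assumes a User entity with a hypothetical getCompany() that returns null until
// the company form is saved, and a route named 'company_setup' for that form.
class CompanySetupSubscriber implements EventSubscriberInterface
{
    // Routes a locked user may still reach; without this list the redirect
    // would fire on the company form itself and loop forever.
    private static $openRoutes = array('company_setup', 'logout');
    private $tokenStorage;
    private $router;

    public function __construct(TokenStorageInterface $tokenStorage, RouterInterface $router)
    {
        $this->tokenStorage = $tokenStorage;
        $this->router = $router;
    }

    public static function getSubscribedEvents()
    {
        // Priority 0 runs after the firewall (priority 8), so the token is set.
        return array(KernelEvents::REQUEST => array('onKernelRequest', 0));
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        if ($event->getRequestType() !== HttpKernelInterface::MASTER_REQUEST) {
            return; // never redirect sub-requests (forwards, ESI fragments)
        }
        $token = $this->tokenStorage->getToken();
        if ($token === null || !is_object($user = $token->getUser())) {
            return; // anonymous: the firewall handles login, nothing to lock
        }
        if ($user->getCompany() !== null) {
            return; // profile complete: a "fully valid" user, no check needed
        }
        $route = $event->getRequest()->attributes->get('_route');
        if (in_array($route, self::$openRoutes, true)) {
            return;
        }
        $event->setResponse(new RedirectResponse($this->router->generate('company_setup')));
    }
}
```

Register it as a service tagged kernel.event_subscriber with the security.token_storage and router services as arguments; the check then runs once per request instead of in every controller.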

problem with access to specific pages for users

Hi,
I am writing and designing a website with PHP. In this site everyone can register and the admin can go to admin.php to manage the site. But my problem is that everyone that types www.example/login/admin.php can access admin.php. How can I prevent other users from accessing the admin page?
You probably want to look at the .htaccess file. Check this link out
You have to make a login page for admin.php. Only people with the correct username and password can see the admin page and do the admin actions.
How do you define terms like "user" and "admin" and what is the process for creating/registering an account?
Generally, you would associate "users" with "roles" in your database. If a user account is supposed to be an admin, you associate that user record with the admin role. If the user is a standard user, associate them with the standard user role (which may be the default by having no role, though I'm not a big fan of implicit knowledge vs. explicit definitions in software). Users should also be able to have multiple roles, in case you have various classes of "user" and they need to have overlapping privileges.
Then, in the admin section of the site, your code would check if the current logged-in user (however you track that, you didn't specify) is in a given role before rendering the page. If not, then either send the user to another page or display a message, etc.
If every user can access the admin page, then essentially every user is an admin. How do you distinguish one from another in the code or in the data? That's where you need to start.

User Relationships and User Access Control

User Relationships works well to control node access to content per an approved user list.
But the problem I am running into is that I would like to also use the core Profile module, and allow those who are connected via User Relationships to see each other's user profiles. I have spent 2 hours trying to figure out a way to not allow a user to spoof the URL and see any user account (the Access User Profiles permission is currently required to see user profiles).
I thought of a couple solutions to fix this. What I want to do is serve a 403 page if the URL is spoofed and the requesting user has no access.
Here is what I was thinking:
Disable Access User Profile permission
Call hook_menu_alter or hook_menu_link_alter in a custom module
Change access callback to a custom function, check for user relationship
If no relationship exists serve a 403, otherwise return user_view
I wanted to get some thoughts on this, because I want this check to happen on the user profile page. hook_init() seemed too beefy.
Would this be an effective solution? Thoughts? Or is there a module that will allow me to do this quickly?
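The four steps listed above, written out as an added example for Drupal 7 (not the asker's code). It assumes the User Relationships module keeps approved relationships in a user_relationships table with requester_id, requestee_id and approved columns; the module name profile_gate is made up.

```php
<?php
// profile_gate.module (hypothetical module name). Assumes User Relationships
// keeps approved relationships in {user_relationships} with requester_id,
// requestee_id and approved columns; clear the menu cache after enabling.

/**
 * Implements hook_menu_alter().
 */
function profile_gate_menu_alter(&$items) {
  // Swap core's check (the "access user profiles" permission) on user/%user
  // for our own. %user loads the target account into argument 1.
  $items['user/%user']['access callback'] = 'profile_gate_user_view_access';
  $items['user/%user']['access arguments'] = array(1);
}

/**
 * Access callback for user/%user. Returning FALSE makes Drupal serve a 403,
 * so a guessed /user/123 URL gets the same response as any other denial.
 */
function profile_gate_user_view_access($account) {
  global $user;

  if (!$user->uid) {
    return FALSE; // anonymous visitors never see profiles
  }
  if (user_access('administer users') || $user->uid == $account->uid) {
    return TRUE;  // site admins and the profile owner always may
  }

  // Only an *approved* relationship, in either direction, grants access:
  // a pending request must not be enough to peek at someone's profile.
  $query = db_select('user_relationships', 'r');
  $query->addExpression('COUNT(*)');
  $query->condition('r.approved', 1);
  $query->condition(db_or()
    ->condition(db_and()
      ->condition('r.requester_id', $user->uid)
      ->condition('r.requestee_id', $account->uid))
    ->condition(db_and()
      ->condition('r.requester_id', $account->uid)
      ->condition('r.requestee_id', $user->uid)));

  return (int) $query->execute()->fetchField() > 0;
}
```

Because the check lives in the menu access callback, it runs only on the profile path rather than on every request as hook_init() would.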
All you need: CCK Private Fields + Content Profile
