I have a nested route like this:
Route::get('/products/{product}/auctions/create', [AuctionController::class, 'create']);
All it does is it sets an auction on a given product. A Product - hasMany - Auctions.
AuctionPolicy to be invoked to authorize actions on an Auction instance:
// App\Providers\AuthServiceProvider
protected $policies = [
Auction::class => AuctionPolicy::class
]
AutionPolicy:
public function create(User $user, Product $product) // <-- where do I get this $product from?
{
if( $product->user_id === $user->id ) {
return $product->canCreateNewAuction();
}
return false;
}
AuctionController:
public function create(Request $request, Product $product)
{
$this->authorize('create', Auction::class);
}
It throws an Exception: AuctionPolicy::create expects two params, only one passed.
How do I pass $product to AuctionPolicy::create method.
Laravel allows to pass additional data to policies.
Supply Additional Context
In the ->authorize method, instead of passing Auction class string, we can also pass an array with additional data.
In this example, we want to be able to pass $product to the invoked Auction Policy:
$this->authorize('create', [Auction::class, $product]);
The first item of this array specifies which Policy (Auction::class => AuctionPolicy::class) to invoke and rest are additional data.
It doesn't have to be a class string, it could also be an instance.
$this->authorize('show', [$auction, $product]);
Related
class SongsCollection extends ResourceCollection
{
public function toArray($request)
{
return [
'data' => SongResource::collection($this->collection),
'meta' => ['song_count' => $this->collection->count()],
];
}
}
in the controller
$data = new SongsCollection(Song::all());
dd($data);
`
it only display the image below, but without the meta array contain the song_count?
How to get the meta->song_count value ?
Laravel doc says:
Every resource class defines a toArray method which returns the array of attributes that should be converted to JSON when the resource is returned as a response from a route or controller method.
So, dd($data) will just dump the resource object which has the toArray method. If you want to get the meta field, you must call $data->toJson() method. If you just return $data in your api endpoint, laravel itself will call toJson method internally as stated in the above doc.
In the blade template, the laravel gives a song collection, which can not be retrive the meta from this collection, Below is how I get the meta data:
$datas = json_encode($datas,true);
//dd($data);
$datas = json_decode($datas);
// dd($datas);
foreach($datas->meta as $link){
echo $link;
}
Hope this helps.
I have a notes model. Which has a polymorphic 'noteable' method that ideally anything can use. Probably up to 5 different models such as Customers, Staff, Users etc can use.
I'm looking for the best possible solution for creating the note against these, as dynamically as possible.
At the moment, i'm adding on a query string in the routes. I.e. when viewing a customer there's an "Add Note" button like so:
route('note.create', ['customer_id' => $customer->id])
In my form then i'm checking for any query string's and adding them to the post request (in VueJS) which works.
Then in my controller i'm checking for each possible query string i.e.:
if($request->has('individual_id'))
{
$individual = Individual::findOrFail($request->individual_id_id);
// store against individual
// return note
}elseif($request->has('customer_id'))
{
$customer = Customer::findOrFail($request->customer_id);
// store against the customer
// return note
}
I'm pretty sure this is not the best way to do this. But, i cannot think of another way at the moment.
I'm sure someone else has come across this in the past too!
Thank you
In order to optimize your code, dont add too many if else in your code, say for example if you have tons of polymorphic relationship then will you add tons of if else ? will you ?,it will rapidly increase your code base.
Try instead the follwing tip.
when making a call to backend do a maping e.g
$identifier_map = [1,2,3,4];
// 1 for Customer
// 2 for Staff
// 3 for Users
// 4 for Individual
and so on
then make call to note controller with noteable_id and noteable_identifier
route('note.create', ['noteable_id' => $id, 'noteable_identifier' => $identifier_map[0]])
then on backend in your controller you can do something like
if($request->has('noteable_id') && $request->has('noteable_identifier'))
{
$noteables = [ 'Customers', 'Staff', 'Users','Individual']; // mapper for models,add more models.
$noteable_model = app('App\\'.$noteables[$request->noteable_identifier]);
$noteable_model::findOrFail($request->noteable_id);
}
so with these lines of code your can handle tons of polymorphic relationship.
Not sure about the best way but I have a similar scenario to yours and this is the code that I use.
my form actions looks like this
action="{{ route('notes.store', ['model' => 'Customer', 'id' => $customer->id]) }}"
action="{{ route('notes.store', ['model' => 'User', 'id' => $user->id]) }}"
etc..
And my controller looks this
public function store(Request $request)
{
// Build up the model string
$model = '\App\Models\\'.$request->model;
// Get the requester id
$id = $request->id;
if ($id) {
// get the parent
$parent = $model::find($id);
// validate the data and create the note
$parent->notes()->create($this->validatedData());
// redirect back to the requester
return Redirect::back()->withErrors(['msg', 'message']);
} else {
// validate the data and create the note without parent association
Note::create($this->validatedData());
// Redirect to index view
return redirect()->route('notes.index');
}
}
protected function validatedData()
{
// validate form fields
return request()->validate([
'name' => 'required|string',
'body' => 'required|min:3',
]);
}
The scenario as I understand is:
-You submit noteable_id from the create-form
-You want to remove if statements on the store function.
You could do that by sending another key in the request FROM the create_form "noteable_type". So, your store route will be
route('note.store',['noteableClass'=>'App\User','id'=>$user->id])
And on the Notes Controller:
public function store(Request $request)
{
return Note::storeData($request->noteable_type,$request->id);
}
Your Note model will look like this:
class Note extends Model
{
public function noteable()
{
return $this->morphTo();
}
public static function storeData($noteableClass,$id){
$noteableObject = $noteableClass::find($id);
$noteableObject->notes()->create([
'note' => 'test note'
]);
return $noteableObject->notes;
}
}
This works for get method on store. For post, form submission will work.
/**
* Store a newly created resource in storage.
*
* #param \Illuminate\Http\Requests\NoteStoreRequest $request
* #return \Illuminate\Http\Response
*/
public function store(NoteStoreRequest $request) {
// REF: NoteStoreRequest does the validation
// TODO: Customize this suffix on your own
$suffix = '_id';
/**
* Resolve model class name.
*
* #param string $name
* #return string
*/
function modelNameResolver(string $name) {
// TODO: Customize this function on your own
return 'App\\Models\\'.Str::ucfirst($name);
}
foreach ($request->all() as $key => $value) {
if (Str::endsWith($key, $suffix)) {
$class = modelNameResolver(Str::beforeLast($key, $suffix));
$noteable = $class::findOrFail($value);
return $noteable->notes()->create($request->validated());
}
}
// TODO: Customize this exception response
throw new InternalServerException;
}
Trying to authorize a user to update a post if the user id and the post user_id matches. I have a custom callback for authorization in the AuthServiceProvider which checks for 'Authorization' header, which is an API key in the boot() function.
$this->app['auth']->viaRequest('api', function ($request) {
if($request->header('Authorization')) {
$user = $this->getUserFromAuthorizationHeader($request);
if (!empty($user)) {
$request->request->add(['userid' => $user->id]);
}
return $user;
}
});
The function getUserFromAuthorizationHeader gets a Request $request parameter and extracts the Authorization header, which is an api key, and then returns a User object.
I defined a gate update-post which checks the user that is returned from the callback and the post passed when calling the gate update-post from a controller.
Gate::define('update-post', function($user, $post){
Log::info($user);
return $user->id == $post->user_id;
});
The way I am calling the Gate in my PostController is by the following
...
$user = $this->getUserFromRequest($request);
if(Gate::denies('update-post', $post)) {
return response("Unauthorized.", 401);
}
...
I logged - using Log:: info() - the $user and $post variables in my Gate and I can successfully see the correct user and post objects being passed, but I get the error Call to a member function parameter() on array and I can't understand why exactly I am getting it.
You probably need to convert into collection before comparing if you are getting the array like this
$post = collect($post);
$user = collect($user);
Gate::define('update-post', function($user, $post){
Log::info($user);
return $user->id == $post->user_id;
});
Doc Reference
I have an application that has users and products. Only the product owners should be able to view the product.
If a user guesses a product id they might be able to view the product. For example
http://booker.app/admin/products/32
Following that link would allow any logged in user to view the product with id 32.
This is the route in question:
Route::middleware(['middleware' => 'auth'])->prefix('admin')->group(function(){
Route::resource('products', 'ProductController');
});
My products controller show method:
public function show(Product $product)
{
if($product->user_id !== Auth::user()->id){
return $this->forbidden('admin/products');
}
return $this->makeResponse('admin.products.product', compact('product'));
}
The forbidden and makeResponse functions simply check if the request was an ajax request and if so returns json.
As you can see I'm using route model binding and I'm checking if the authorised user is the same as product user_id. Basically is there a better way of checking if the user is the owner of the product.
In Laravel you can define Policies in order to specify ACL and access logic to your data layer.
For example create the class ProductPolicy:
class ProductPolicy
{
public function show(User $user, Product $product)
{
return $user->id === $product->user_id;
}
}
Then bind the policy to the Product model inserting the following line into $policies array in AuthServiceProvider:
protected $policies = [
Product::class => ProductPolicy::class,
];
Now in your controller method you can use the following syntax to authorize the user to do a certain action
public function show(Product $product)
{
$this->authorizeForUser(Auth::user(), 'show', [$product]);
return $this->makeResponse('admin.products.product', compact('product'));
}
The method authorizeForUser will call the show method of your Policy, which will return true only if the product belongs to the authenticated user.
Hope it helps.
So I have created a policy and registered it in the AuthServicePRovider, but it always returns false. It is my first time working with policies so I am sure I am doing it wrong, but following a few examples, nothing has worked for me.
I am logged in with user that has an id of 1. I try to edit a label that has a user_id of 1, returns false, and also when trying to edit a label that has a user_id of 2. This last one works as expected, but f the user_id and label->user_id match, I should ave a form displayed. Instead, I get this each time:
This action is unauthorized.
Any ideas?
AuthServiceProvider: (Tried both but both don't work):
protected $policies = [
'App\Label' => 'App\Policies\LabelPolicy'
];
And this one also did not do the trick:
protected $policies = [
Label::class => LabelPolicy::class
];
LabelsController#edit:
public function edit(Label $label)
{
// $this->authorize('edit', $label); // This also returns false
if (auth()->user()->cannot('edit', $label)) {
dd('NO'); // This is always shown
}
}
LabelPolicy:
public function edit(Label $label)
{
dd('test'); // This is never shown anywhere
return auth()->user()->id === $label->user_id;
}
The policies expects actually two inputs, the first input is always the User class, the second input is the Model and defaults to the Model class. So in your case:
LabelPolicy
public function edit(User $user, Label $label)
{
return $user->id === $label->user_id;
}
LabelsController#edit:
public function edit(Label $label)
{
$this->authorize($label);
}
if your $this->authorize inside Controllers always returns false, then double check if your model and model policy namespace was imported in AuthServiceProvider and also your model has been imported into your controller.