So if a user wants to edit their own ticket they can do it from a form. But if they change the ID in the form, they can also edit another user's ticket. How do I prevent this?
public function edit(Ticket $ticket)
{
$user = request()->user()->ticket()->get();
if ($ticket === $user){
return view('users.tickets.edit',['ticket' => $ticket,]);
}
else{
abort(403);
}
}
It automatically pick abort 403
This is the user Model
public function ticket(){
return $this->belongsToMany(Ticket::class, 'ticket_user');
}
This is the ticket model
public function users() {
return $this->belongsToMany(User::class, 'ticket_user');
}
The logic itself could look like this:
$ticket->users->contains($request->user())
In your controller it could look like this:
use Illuminate\Http\Request;
public function edit(Request $request, Ticket $ticket)
{
if (! $ticket->users->contains($request->user())) {
return abort(403);
}
return view('users.tickets.edit', [
'ticket' => $ticket
]);
}
Docs for Collection::contains.
I suggest looking into how you could exclude your authorisation logic into gates and policies.
The right implementation for me looks like this.
The models:
*User
id
...
*Ticket
id
...
UserTicket
*id
*ticket_id
*user_id
When you create a ticket you have to create a new UserTicket for any user is able to edit the ticket.
Then you check if there is a record in UserTicket that has the user_id.
For example:
The Ticket model
public function users()
{
return $this->hasManyThrough(UserTicket::class, User::class);
}
And the edit controller
public function edit(Ticket $ticket)
{
$currentUser = request()->user();
$ticketUsers = $ticket->users;
// loop each ticketUser and check their id == $currentUser->id
}
Related
I have 3 tables:
users
id
role
email
typable_id
typable_type
buyers
id
name
address
avatar
email
residential_id
residentials
id
name
city
state
And here is my model that shows the relationship
User.php
public function typable()
{
return $this->morphTo();
}
Buyer.php
public function residential()
{
return $this->belongsTo(Residential::class);
}
public function user()
{
return $this->morphMany(User::class, 'typable');
}
Residential.php
public function buyer()
{
return $this->hasMany(Buyer::class);
}
If I want to delete the residential, all buyers from that residential need to be deleted. Same as users need to be deleted too when the buyers is deleted. How can I do that? This is what insides my Residential Controller for destroy function.
ResidentialController
public function destroy(Request $request)
{
$residentials = Residential::find($request->input('id'));
$residentials->id = $request->input('id');
$residentials->name = $request->input('name');
$residentials->delete($residentials);
return response()->json($residentials);
}
I have tried to put this code to delete the buyers (for users not yet) inside destroy() but nothing is changed for the buyers to be deleted.
$buyers = Buyer::where('residential_id','=',$request->residential_id)->first(); $buyers->delete($buyers);
While this is the code that I managed to do if I want to delete the buyers, the users are deleted too.
BuyerController
public function destroy(Request $request)
{
$users = User::where('email', '=', $request->email)->first();
$buyers = Buyer::find($request->input('id'));
$buyers->id = $request->input('id');
$buyers->name = $request->input('name');
$buyers->delete($buyers);
$users->delete($users);
return response()->json($buyers);
}
I hope there is someone to help and teach me the correct way.
Approach-1
you can override the delete function for any model.
//Residential.php
public function delete()
{
$this->buyer->delete();
return parent::delete();
}
//Buyer.php
public function delete()
{
$this->user->delete();
return parent::delete();
}
Now when you delete any Residential record, the chain will first delete any related user and then delete buyer and finally delete the Residential record.
Approach-2
You can use each() method to get all relating buyer and then get all relating user.
$residentials->buyer
->each(function ($b) {
$b->user->each(function ($u) {
$u->delete();
});
$b->delete();
});
$residentials->delete();
You might want to register model events to handle that:
class Residential extends Model
{
// Lets use plural form for a HasMany relationship.
public function buyers()
{
return $this->hasMany(Buyer::class);
}
protected static function booted()
{
static::deleting(function ($user) {
// I am using Higher Order Message, check this out: https://laravel.com/docs/8.x/collections#higher-order-messages
$this->buyers->each->delete();
});
}
}
class Buyer extends Model
{
// Lets use the plural form for a MorpMany relationship.
public function users()
{
return $this->morphMany(User::class, 'typable');
}
protected static function booted()
{
static::deleting(function ($user) {
$this->users->each->delete();
});
}
}
And you only have to remove a single object in your controller:
class ResidentialController
{
public function destroy(Request $request)
{
$residential = Residential::findOrFail($request->input('id'));
$residential->delete();
// The framework is gonna automatically convert this to a JSON object.
return $residential;
}
}
class BuyerController
{
public function destroy(Request $request)
{
$buyer = Buyer::findOrFail($request->input('id'));
$buyer->delete();
// The framework is gonna automatically convert this to a JSON object.
return $buyer;
}
}
I'm building my first Laravel app. That's my first problem that I can't overcome.
I tried to google something about it, but I couldn't find something that could help me.
class ProfilesController extends Controller
{
public function index(User $user)
{
return view('profiles.index', compact('user'));
}
public function edit(User $user){
return view('profiles.edit', compact('user'));
}
public function update(User $user){
$data = request()->validate([
'description' => 'required',
]);
$user->profile->update($data);
return redirect("{$user->id}/edit");
}
}
I want to get through that and update $data.
Edit
public function profile() {
return $this->hasOne(Profile::class);
}
public function posts(){
return $this->hasMany(Post::class)->orderBy('created_at', 'DESC');
}
Try this:
optional($user->profile)->update($data);
You can see the official documentation of optional() helper here.
I think you cannot update directly on an instance, you'd have to do : User::where('user_id', $user->id);
If you want to "update" an instance, you would have to do : $user->description = $data['description']; $user->save();
Do this:
if($user->profile) {
$user->profile()->update($data);
}
Hope this will help you.
I would imagine this is because the user doesn't have a profile by default.
One way you can get around this is by using withDefault() on your profile relationship in your User model e.g.
public function profile()
{
return $this->hasOne(Profile::class)->withDefault();
}
You would then need to change your controller code slightly since the profile might not exist:
Change:
$user->profile->update($data);
To:
$user->profile->fill($data)->save();
I had the same issue. As it turned out I forgot to create a new empty profile while creating a new user. So i was calling an update on the user's profile in this case null.
Try adding this to the User model and later migrate:fresh your data.
protected static function boot()
{
parent::boot();
static::created(function ($user) {
$user->profile()->create();
});
}
This will create a new profile for user automatically.
I have users, app_roles, app_permissions, app_permission_app_role, app_role_user.
The tables are self explanatory, I am creating permissions, Then assigning that permissions to new role on role creation, And then i assigns roles to users.
i check permission of the authenticated user like :
#if(auth()->user()->can('some route name'))
Html...
#endif
The above condition checks if the user have access to that content or not based of the assigned role as we know that the role have permissions, And the can('some route name') parameter is a route name. Its working fine.
Where i am stuck !!!
The table app_role_user had user_id, app_role_id, Now i added another column organization_id... (Consider Organizations as groups, Where a user can be a member of that groups, And the owner of the group assigns single role(Can't assign multiple role) to that user). Because now the user can switch between organization and the user can have different roles in different organizations.
I have to clear path for the :
#if(auth()->user()->can('some route name'))
Html...
#endif
Note : : Auth::user()->current_org->id show the id of the organization in which the user is in right now
As well as currently i am saving role_id, user_id, organization_id in app_role_user table.
Here is my AuthServiceProvider class,
I am Dynamically registering permissions with Laravel's Gate :
public function boot(GateContract $gate)
{
$this->registerPolicies();
$this->registerAllPermissions($gate);
}
protected function getPermissions() {
return $this->app->make('App\Repositories\PermissionRepository')->withRoles();
}
private function registerAllPermissions($gate) {
if (Schema::hasTable('app_permissions') and Schema::hasTable('users') and Schema::hasTable('app_roles')) {
cache()->forget('app_permissions_with_roles');
foreach ($this->getPermissions() as $permission) {
$gate->define($permission->name, function ($user) use ($permission) {
return $user->hasPermission($permission);
});
}
}
}
Here is PermissionRepository class :
class PermissionRepository
{
protected $model;
public function __construct(AppPermission $model)
{
$this->model = $model;
}
public function all(){
return $this->model->all();
}
public function withRoles(){
$model = $this->model;
$permissions = cache()->remember('app_permissions_with_roles', 1*60*24, function() use($model) {
return $model->with('roles')->get();
});
return $permissions;
}
}
And here is HasRoles trait having hasPermission(AppPermission $permission) because AuthServiceProvider class needs it in registerAllPermissions.
trait HasRoles {
public function assignRole($role)
{
return $this->roles()->save(
AppRole::whereName($role)->firstOrFail()
);
}
public function hasRole($role)
{
if (is_string($role)) {
return $this->roles->contains('name', $role);
}
return !! $role->intersect($this->roles)->count();
}
public function hasPermission(AppPermission $permission)
{
return $this->hasRole($permission->roles);
}
}
What should i do, I have tried many conditions but nothing worked at all.
Looking forward to hear from you guys.
Thanks for the read, Need serious attention please.
You can try like this
User Model
//add organization_id as pivot field
public function roles(){
return $this->belongsToMany(AppRole::class)->withPivot('organization_id');
}
//define a function
public function orgRoles($orgId){
return $this->roles()->wherePivot('organization_id', $orgId)->get();
}
Now in trait modify hasRole function
public function hasRole($role)
{
$orgId = Auth::user()->current_org->id;
if (is_string($role)) {
return $this->orgRoles($orgId)->contains('name', $role);
}
return !! $role->intersect($this->orgRoles($orgId))->count();
}
I'm doing a blog with Laravel Framework and I allready have a Login/Register and a thread section. In my Blog you just can edit a thread if you're logged in. Now I have the problem that if I'm logged in, I can edit and delete every thread. It doesn't matter if it's my thread or if it is from another user. Well now I need something to say my laravel code that I'm just allowed to edit/dekete my own threads.
I've found this: https://laravel.com/docs/5.2/authorization#defining-abilities
But I don't really understand how I implement this to my code. And do I need a in my database any reference? like this user belongs to this thread?
Well I'm kind of new in laravel.. I hope someone can help me
PS: I'm sorry for my bad english, I'm from germany.
Edit/Update/Delete function:
public function edit($id)
{
$thread = Thread::query()->findOrFail($id);
return view('test.edit', [
'thread' => $thread
]);
}
public function update($id, StoreRequest $request)
{
$thread = Thread::query()->findOrFail($id);
$thread->fill($request->all());
$thread->save();
return redirect(action('Test\\TestController#show', [$thread->id]));
}
public function destroy($id)
{
$thread = Thread::query()->findOrFail($id);
$thread->delete();
return redirect(action("Test\\TestController#index"));
}
my thread model:
public function user() {
return $this->belongsTo(User::class, "name");
}
How I add a new thread:
If I press "add thread" I'm getting directed to my add function in my controller:
add function:
public function add()
{
return view('test.add', [
'entries' => Thread::query()->get()
]);
}
in my add.blade I have my formular and this formular directs me to my "store function " in my controller:
store function:
public function store(StoreRequest $request)
{
Thread::create($request->all());
return redirect(action('Test\\TestController#index'));
}
You can attach the user_id to the thread so anytime you want to update or delete you check if the current logged in user bears that user_id then you do accordingly.
add user_id to threads table
Then in your save function() do this.
public function save(Request $request){
$thread = new Thread;
$thread->user_id = Auth::user()->id;
// rest of fields goes here
$thread->save();
}
then in your edit, update or delete function
public function edit($id)
{
$thread = Thread::query()->findOrFail($id);
// You can use laravel authorization/policies to achieve this too
if($thread->user_id != Auth::user()->id){
// Return to view with your custom error message telling
// the user he is not authorized to edit this thread
}
return view('test.edit', [
'thread' => $thread
]);
}
public function update($id, StoreRequest $request)
{
$thread = Thread::query()->findOrFail($id);
// You can use laravel authorization/policies to achieve this too
if($thread->user_id != Auth::user()->id){
// Return to view with your custom error message telling
// the user he is not authorized to edit this thread
}
$thread->fill($request->all());
$thread->save();
return redirect(action('Test\\TestController#show', [$thread->id]));
}
public function destroy($id)
{
$thread = Thread::query()->findOrFail($id);
// You can use laravel authorization/policies to achieve this too
if($thread->user_id != Auth::user()->id){
// Return to view with your custom error message telling
// the user he is not authorized to delete this thread
}
$thread->delete();
return redirect(action("Test\\TestController#index"));
}
My Shema database is
User Table
id
login
parent
Sign Table
id
name
user_id (Sign owner)
Pivot table user_sign
id
user_id
sign_id
My User model contain
public function signs() {
return $this->belongsToMany('App\Sign', 'user_sign');
}
public function parent(){
return $this->belongsTo('User', 'parent');
}
public function children(){
return $this->hasMany('User', 'parent', 'user_id');
}
And my Sign model contain
public function users() {
return $this->belongsToMany('App\User', 'user_sign')->select(['users.id','name']);
}
A parent user can attach / sync Sign to a child user via this route (he send sign_id and child_id)
Route::put('sign/share', 'SignController#share')
To do this action, in my controller i must check :
- if Owner of sign_id is $user_id
- If child_id is child of $user_id
And after that, i do my attach / sync.
Now, in my controller i have :
public function share(Request $request)
{
$userId = $request->input('user_id');
$sign = Sign::where('user_id', $userId)->find($id);
if(!$sign){
return response()->json(['message'=>'FAIL'], 404);
}
}
But I completely blocked after this... It's possible to check and attach in one line ?
Thanks for your help
As far as syncing/attaching you can use this sytanx
$user->roles()->sync([1, 2, 3]);
As given in Laravel Docs
You can do the both checks in the condition of IF and assign in case of true, thats how your controller will look like finally.
public function share(Request $request)
{
$userId = $request->input('user_id');
$signId = $request->input('sign_id');
$childId = $request->input('child_id');
if (Sign::find($singId)->user_id == $userId && User::find($userId)->child_id == $childId)
{
//Attach the sign to child user
User::find($childId)->signs()->attach($signId);
}
else
{
return response()->json(['message'=>'FAIL'], 404);
}
}