We Keep Coding

Laravel multiple policies always authenticated?

I'm using Laravel 9 with the Laravel Spatie Permissions package. I have users and roles in my system. Users have roles, and depending on their permissions on their role they either can or can't create new users / new roles etc.
I've set up my UserPolicy and RolePolicy, and am passing my User model to each since it's the user that needs to be checked against what permissions they have, then in the controller of my choice, such as my RoleController I run:
/**
* Display a listing of the resource.
*
* #return \Illuminate\Http\Response
*/
public function index()
{
$this->authorize('viewAny', User::class);
$roles = Role::with('permissions')->get();
if (!$roles || count($roles) <= 0) {
return response()->json([
'message' => 'No roles found'
], 404);
}
return response()->json([
'roles' => $roles
], 200);
}
Strangely, if I edit my RolePolicy's viewAny permission and return false, I'm still able to see the data? I shouldn't be. what am I missing?
Here's my RolePolicy
<?php
namespace App\Policies\UserManagement;
use Spatie\Permission\Models\Role;
use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class RolePolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* #param \App\Models\User $user
* #return \Illuminate\Auth\Access\Response|bool
*/
public function viewAny(User $user)
{
// TODO: if I return false I still have access?
if ($user->can('role_index')) {
return true;
}
}
/**
* Determine whether the user can view the model.
*
* #param \App\Models\User $user
* #return \Illuminate\Auth\Access\Response|bool
*/
public function view(User $user)
{
if ($user->can('role_show')) {
return true;
}
}
/**
* Determine whether the user can create models.
*
* #param \App\Models\User $user
* #return \Illuminate\Auth\Access\Response|bool
*/
public function create(User $user)
{
if ($user->can('role_store')) {
return true;
}
}
/**
* Determine whether the user can update the model.
*
* #param \App\Models\User $user
* #return \Illuminate\Auth\Access\Response|bool
*/
public function update(User $user)
{
if ($user->can('role_update')) {
return true;
}
}
/**
* Determine whether the user can delete the model.
*
* #param \App\Models\User $user
* #return \Illuminate\Auth\Access\Response|bool
*/
public function delete(User $user)
{
if ($user->can('role_destroy')) {
return true;
}
}
}
And my AuthServiceProvider:
<?php
namespace App\Providers;
use App\Models\User;
use Spatie\Permission\Models\Role;
use App\Policies\UserManagement\UserPolicy;
use App\Policies\UserManagement\RolePolicy;
use Illuminate\Support\Facades\Gate;
use Illuminate\Auth\Notifications\ResetPassword;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
class AuthServiceProvider extends ServiceProvider
{
/**
* The model to policy mappings for the application.
*
* #var array<class-string, class-string>
*/
protected $policies = [
User::class => UserPolicy::class,
User::class => RolePolicy::class,
];
/**
* Register any authentication / authorization services.
*
* #return void
*/
public function boot()
{
$this->registerPolicies();
ResetPassword::createUrlUsing(function ($user, string $token) {
$frontendUrl = trim(rtrim(config('lespro.frontend_url'), '/'));
return $frontendUrl . '/account/reset/?email=' . $user->email . '&token=' . $token;
});
// Implicitly grant "super_admin" role all permissions
// This works in the app by using gate-related functions like auth()->user->can() and #can()
Gate::before(function ($user, $ability) {
return $user->hasRole('super_admin') ? true : null;
});
}
}

Laravel foreach variable not working ($tickets is undefined)

Hello When I run page it tells me that:
ErrorException
Undefined variable: tickets (View: D:\xampp\htdocs\new-helpdesk\resources\views\tickets\index.blade.php)
http://localhost:8000/tickets
Hide solutions
$tickets is undefined
when I dd it works.
index.blade.php
#extends('layouts.ticket')
#section('content')
#if ($tickets)
**
**#foreach ($tickets as $ticket)
<div class="form-group">
{!! Form::label('company', 'Company:', ['class' => 'form-label fs-6 d-inline-block']) !!}
{!! Form::select('company', [' '=> 'Choose Company'], null,['class'=>'form-control']);!!}
</div>
#endforeach
#endif
#endsection
TicketsController
<?php
namespace App\Http\Controllers;
use App\Models\Companies;
use App\Models\Tickets;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
class TicketsController extends Controller
{
/**
* Display a listing of the resource.
*
* #return \Illuminate\Http\Response
*/
public function index()
{
//
// $tickets = Tickets::with('companies')->get();
return view('tickets.index');
}
/**
* Show the form for creating a new resource.
*
* #return \Illuminate\Http\Response
*/
public function create()
{
//
// return view('tickets.create');
$tickets = Companies::all();
dd($tickets->toArray());
// return view('tickets.index', compact('tickets'))->with('tickets', $tickets);
return view('tickets.index')->with(['tickets' => $tickets]);
}
/**
* Store a newly created resource in storage.
*
* #param \Illuminate\Http\Request $request
* #return \Illuminate\Http\Response
*/
public function store(Request $request)
{
//
$request->validate([
'ticket_title'=> 'required',
'description'=>'required'
]);
$query = DB::table('tickets')->insert([
'ticket_title'=>$request->input('ticket_title'),
'description'=>$request->input('description'),
]);
if($query){
return back()->with('success','Data have beeen inserted');
} else {
return back()->with('fail', 'Data not inserted');
}
}
/**
* Display the specified resource.
*
* #param \App\Models\Tickets $tickets
* #return \Illuminate\Http\Response
*/
public function show(Tickets $tickets)
{
//
}
/**
* Show the form for editing the specified resource.
*
* #param \App\Models\Tickets $tickets
* #return \Illuminate\Http\Response
*/
public function edit(Tickets $tickets)
{
//
}
/**
* Update the specified resource in storage.
*
* #param \Illuminate\Http\Request $request
* #param \App\Models\Tickets $tickets
* #return \Illuminate\Http\Response
*/
public function update(Request $request, Tickets $tickets)
{
//
}
/**
* Remove the specified resource from storage.
*
* #param \App\Models\Tickets $tickets
* #return \Illuminate\Http\Response
*/
public function destroy(Tickets $tickets)
{
//
}
public function showcategory(){
// $companies = Companies::pluck('name', 'id');
// dd($companies);
}
}
web.php
Route::resource('/tickets', TicketsController::class);
Route::resource('/companies', CompaniesController::class);
Tickets Model
public function companys(){
return $this->belongsTo(Companies::class);
}
Companies Model
public function tickets(){
return $this->HasMany(Tickets::class);
}
How can I solve this problem?
I try to change it as layout

You have a little chaos in your return value, you either pass the collection in compact() or in with(). with() needs an array, so you will have to do one of the following:
return view('tickets.index', compact('tickets'));
//or
return view('tickets.index')->with(['tickets' => $tickets]);
=====EDIT
The /tickets route is calling your index() action. https://laravel.com/docs/9.x/controllers#actions-handled-by-resource-controller This action also returns the index.blade.php view, but you are not passing the tickets collection.
public function index()
{
$tickets = Tickets::with('companies')->get();
return view('tickets.index')->with(['tickets' => $tickets]);
}
As TimLewis pointed out, the #if($tickets) in your index.blade.php has no purpose and can be removed.

Laravel Policy - Bug or Implementation error?

I have implemented a user policy in Laravel as follows.
namespace App\Policies;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class UserPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can list the model.
*
* #param \App\User $user
* #return mixed
*/
public function index(User $user)
{
// only a chief editor can view all users
$authorized = false;
$authorized = ($user->role->name === 'Chief Editor');
return $authorized;
}
/**
* Determine whether the user can view the model.
*
* #param \App\User $user
* #param \App\User $model
* #return mixed
*/
public function view(User $user, User $model)
{
// only a chief editor or user(who owns the user) can view the user
$authorized = false;
$authorized = ($user->role->name === 'Chief Editor' || $user->id === $model->id);
return $authorized;
}
/**
* Determine whether the user can create models.
*
* #param \App\User $user
* #return mixed
*/
public function create(User $user)
{
// only a chief editor can create a user
$authorized = false;
$authorized = ($user->role->name === 'Chief Editor');
return $authorized;
}
/**
* Determine whether the user can update the model.
*
* #param \App\User $user
* #param \App\User $model
* #return mixed
*/
public function update(User $user, User $model)
{
// only a chief editor or user(who owns the user) can update the user
$authorized = false;
$authorized = ($user->role->name === 'Chief Editor' || $user->id === $model->id);
return $authorized;
}
/**
* Determine whether the user can delete the model.
*
* #param \App\User $user
* #param \App\User $model
* #return mixed
*/
public function delete(User $user, User $model)
{
// only a chief editor or user(who owns the user) can delete the user
$authorized = false;
$authorized = ($user->role->name === 'Chief Editor' || $user->id === $model->id);
return $authorized;
}
}
And here is my user controller.
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use App\Http\Requests\StoreUser;
use App\Http\Requests\UpdateUser;
use App\User;
use App\Role;
class UserController extends Controller
{
public function __construct()
{
$this->middleware('auth');
$this->middleware('can:index,App\User')->only('index');
$this->middleware('can:view,user')->only('show');
$this->middleware('can:create,App\User')->only('create', 'store');
$this->middleware('can:update,user')->only('edit', 'update');
$this->middleware('can:delete,user')->only('destroy');
}
/**
* Display a listing of the resource.
*
* #return \Illuminate\Http\Response
*/
public function index()
{
$users = User::paginate(5);
return view('users.index')
->with('users', $users);
}
/**
* Show the form for creating a new resource.
*
* #return \Illuminate\Http\Response
*/
public function create()
{
// fetch roles
$roles = Role::all();
return view('users.create')
->with('roles', $roles);
}
/**
* Store a newly created resource in storage.
*
* #param \Illuminate\Http\Request $request
* #return \Illuminate\Http\Response
*/
public function store(StoreUser $request)
{
//
}
/**
* Display the specified resource.
*
* #param int $id
* #return \Illuminate\Http\Response
*/
public function show($id)
{
$user = User::findOrFail($id);
return view('users.show')
->with('user', $user);
}
/**
* Show the form for editing the specified resource.
*
* #param int $id
* #return \Illuminate\Http\Response
*/
public function edit($id)
{
$user = User::findOrFail($id);
return view('users.edit')
->with('user', $user);
}
/**
* Update the specified resource in storage.
*
* #param \Illuminate\Http\Request $request
* #param int $id
* #return \Illuminate\Http\Response
*/
public function update(UpdateUser $request, $id)
{
//
}
/**
* Remove the specified resource from storage.
*
* #param int $id
* #return \Illuminate\Http\Response
*/
public function destroy($id)
{
//
}
}
However, when I access an action with multiple parameters in the policy method(two user objects), I get the This action is unauthorized. error.
I have also tried returning true without any checks from these methods but still the same issue persists.
Is this my code issue or a bug with Laravel?

Update: Your code is not working because you'r not passing the second user to the policy.
You'r not using route model binding, so the user passed to the view method, for example, does not exist. When the model does not exist, Laravel will not check for the policy and just return false.
The following is an example from the documentation, and it works becuase of the route model binding.
Route::put('/post/{post}', function (Post $post) {
// The current user may update the post...
})->middleware('can:update,post');
The Answer:
Does not make sense to use authorization in the controller constructor. If you want to use middleware for authorization, attach it to the route not the controller.
If you allow the request to reach the controller, then it would be better to check for authorization in the action not the constructor. It will also be easier to read and debug.
I would remove all the calls to can middleware from the constructor and replace it with a call to authorize in the action.
You controller should be like this:
public function __construct()
{
$this->middleware('auth');
}
public function index()
{
$this-authorize('index'); // This will check for authorization
$users = User::paginate(5);
return view('users.index')
->with('users', $users);
}
public function show($id)
{
$user = User::findOrFail($id);
$this->authorize('view', $user);
return view('users.show')
->with('user', $user);
}
Also, no need for the temprory variable in your policy class.
public function index(User $user)
{
// only a chief editor can view all users
return $user->role->name === 'Chief Editor'
}
public function view(User $user, User $model)
{
// only a chief editor or user(who owns the user) can view the user
return $user->role->name === 'Chief Editor' || $user->id === $model->id)
}
As a side note, in your show action, Why don't you use implicit route model binding? It would be much cleaner.
// web.php
Route::get('users/{user}', 'UserController#show');
// UserController.php
public function show(User $user)
{
$this->authorize('view', $user);
return view('users.show', compact('user');
}

laravel route and controller

i am a new laravel user and a have admin page which doing update delete and insert my problem is i dont know how to call this functions in route.
Note: all this options working on one page (admin).
so please can anyone help me ?!
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use App\Http\Requests;
use DB;
class BlogPostController extends Controller
{
/**
* Display a listing of the resource.
*
* #return Response
*/
public function index(){
$date = date('Y-m-d');
$time = time('H:i:s');
/*$sections = ['History' => 'history.png','Electronics' => 'electronics.png','Electrical' => 'electrical.png','Science' => 'science.png',
'Art'=>'ARt.png','Database'=>'database.png','Irrigation'=>'irrigation.png','Novel'=>'Novel.png','Style'=>'Stsyle.png'];
*/
$sections = DB ::table('sections')->get();
return view('libraryViewsContainer.library')->withSections($sections)->withDate($date)->withTime($time);
}
/**
* Show the form for creating a new resource.
*
* #return Response
*/
public function create(){
//return View::make('posts.create');
return '<center><h1>Creating new section in the library!</h1></center>';
}
/**
* Store a newly created resource in storage.
*
* #return Response
*/
public function store( Request $request){
$section_name = $request->input('section_name');
$file = $request->file('image');
$destinationPath = 'images';
$filename = $file->getClientOriginalName();
$file->move($destinationPath,$filename);
DB ::table('sections')->insert(['section_name'=>$section_name,'image_name'=>$filename]);
return redirect('admin');
}
/**
* Display the specified resource.
*
* #param int $id
* #return Response
*/
public function show($id){
// $post = Post::find($id);
// return View::make('posts.show')->with('post', $post);
}
/**
* Show the form for editing the specified resource.
*
* #param int $id
* #return Response
*/
public function edit($id){
// $post = Post::find($id);
// return View::make('posts.edit')->with('post', $post);
}
/**
* Update the specified resource in storage.
*
* #param int $id
* #return Response
*/
public function update($id,Request $request){
$section_name = $request->input('section_name');
DB ::table('sections')->where('id',$id)->update(['section_name'=>$section_name]);
return redirect('admin');
}
/**
* Remove the specified resource from storage.
*
* #param int $id
* #return Response
*/
public function destroy($id){
DB :: table('sections')->where('id',$id)->delete();
return redirect('admin');
}
public function admin()
{
$sections = DB ::table('sections')->get();
return view('libraryViewsContainer.admin',['sections'=>$sections]);
}
}

Not entirely sure of the question, but you list the routes in routes.php, under the web group (so it applies default checks).
When you have resources, they'll use CRUD operations (create, read, update, delete) and will correspond to the default operates in the class. Else, make your own function names, and put seperate routes.
Route::group(['middleware' => ['web', 'auth']], function () {
Route::resource('/user', 'UserController');
}
Another option is calling the method direct in your routes:
Route::get('/auth/login', '\App\Http\Controllers\Auth\AuthController#getLogin');
Route::any('/datafeed/{id}/validate', 'DataFeedController#validateQuery');
You'll notice {id} which is the variable available in the function you've selected i.e. function validateQuery($id);
Here's a full example:
class UserController extends BaseController
{
public function __construct(User $model)
{
parent::__construct($model);
}
/**
* Display a listing of the resource.
*
* #return \Illuminate\Http\Response
*/
public function index()
{
$collection = $this->model->all();
return view('user.index')->with('collection', $collection);
}
/**
* Show the form for creating a new resource.
*
* #return \Illuminate\Http\Response
*/
public function create()
{
return view('user.create');
}
/**
* Store a newly created resource in storage.
*
* #param \Illuminate\Http\Request $request
* #return \Illuminate\Http\Response
*/
public function store(Request $request)
{
$input = Input::except(['_method', '_token']);
$connector = $this->model->create($input);
return redirect()->action('UserController#show', [$connector->id]);
}
/**
* Display the specified resource.
*
* #param int $id
* #return \Illuminate\Http\Response
*/
public function show($id)
{
$connector = $this->model->findOrFail($id);
return view('user.show')->with('connector', $connector);
}
/**
* Update the specified resource in storage.
*
* #param \Illuminate\Http\Request $request
* #param int $id
* #return \Illuminate\Http\Response
*/
public function edit($id)
{
$connector = $this->model->findOrFail($id);
return view('user.edit')->with('connector', $connector);
}
/**
* Show the form for editing the specified resource.
*
* #param int $id
* #return \Illuminate\Http\Response
*/
public function update(Request $request, $id)
{
$input = Input::except(['_method', '_token']);
$connector = $this->model->findOrFail($id);
$connector->update($input);
return redirect()->action('UserController#show', [$id]);
}
/**
* Remove the specified resource from storage.
*
* #param int $id
* #return \Illuminate\Http\Response
*/
public function destroy($id)
{
$currentID = Auth::user();
$user = $this->model->findOrFail($id);
if ($currentID->id != $user->id) {
$user->delete();
} else {
Session::flash('flash_message', "You cant delete your own account!");
Session::flash('flash_type', 'alert-danger');
}
return redirect()->action('UserController#index');
}
And another example with a custom route:
Route::any('/datafeed/{id}/execute', 'DataFeedController#execute');
public function execute($id, $test = false) {
$results = $this->executeQuery($id, $test);
return view('datafeed.execute')->with('results', $results);
}

I'm not entirely sure on your plans (or even if you've fully read the documentation?) but you can access these functions by doing something similar to the following in your routes.php or Routes\web.php (depending on your version) file:
Route::get('/blog/create', 'BlogPostController#create');
Route::get('/blog/article/{id}', 'BlogPostController#show');
The first part is defining the route and the second part is saying what method should be run on the defined controller when this route is matched in the address bar. It doesn't always have to be get requests though, you can do get, post, patch and put

Laravel: Can't get post form

Me and my partner have been working a combined period of almost 11 hours trying to figure this out but we just can't seem to crack it.
We're building a web forum application in which users are able to make their own threads. We managed to get edit to work, although redirect still doesn't work right yet. We have an online preview over at http://detune-niuwang.c9users.io/
If you try using the 'New Thread' page and click on the submit button, it will just delete anything typed into the form and checking back on the Frontpage, no threads would have been created. The Edit functionality works though.
Here are some snippets of our code:
Routes.php
Route::resource('posts', 'Channel\Post\Posts');
Route::get('/', 'Channel\Post\Posts#index');
Controllers\Channel\Post\Posts.php
/**
* Show the form for creating a new post.
*
* #return Response
*/
public function create()
{
return view('posts.create');
}
/**
* Store the newly created post
*
* #param PostRequest $request
* #return Response
*/
public function store(PostRequest $request)
{
$postData = $this->post->create(['title', 'content']);
if($this->post->create($postData)) {
return redirect()->back()->withSuccess('Post successfully created.');
}
return redirect()->back()->withError($postData);
}
create.blade.php
#extends('_shared.master')
#section('title')
Create New Post
#endsection
#section('content')
<div class="panel panel-default">
<div class="panel-heading">New Thread</div>
<div class="panel-body">
{!! Form::open(['route' => 'posts.store', 'class' => 'form-horizontal'])!!}
#include('posts.form')
{!! Form::close() !!}
</div>
</div>
#stop
Models\Channel\Post\Post.php
<?php
namespace Detune\Models\Channel\Post;
use Illuminate\Database\Seeder;
use Illuminate\Database\Eloquent\Model;
class Post extends Model
{
/**
* The database table used by the Model.
*
* #var string
*/
protected $table = 'posts';
/**
* The attributes that are mass assignable
*
* #var array
*/
protected $fillable = ['title', 'content', 'created_at'];
}
Repositories\PostRepository.php
<?php
namespace Detune\Repositories\Post;
use Detune\Models\Channel\Post\Post;
use Illuminate\Database\Eloquent\Collection;
/**
* Class PostRepository
* #Package Detune\Repository
*/
class PostRepository implements PostRepositoryInterface {
/**
* #var Post;
*/
protected $post;
/**
* #param Post $post
*/
public function __construct(Post $post)
{
$this->post = $post;
}
/**
* Create New Post
*
* #param array $postData
* #return Post|null
*/
public function create(array $postData)
{
return $this->post->create($postData);
}
/**
* Post Pagination
*
* #param array $filter
* #return collection
*/
public function paginate(array $filter)
{
return $this->post->paginate($filter['limit']);
}
/**
* Get Post by ID
*
* #param $id
* #return Post
*/
public function find($id)
{
return $this->post->find($id);
}
}
Repositories\PostRepositoryInterface.php
<?php
namespace Detune\Repositories\Post;
use Detune\Models\Channel\Post;
use Illuminate\Database\Eloquent\Collection;
/**
* Interface PostRepositoryInterface
* #package Detune\Repository
*/
interface PostRepositoryInterface {
/**
* Create New Post\
*
* #param array $postData
* #return Post
*/
public function create(array $postData);
/**
* Post Pagination
*
* #param array $filter
* #return collection
*/
public function paginate(array $filter);
/**
* Get Post by ID
* #param $post_id
* #return Post
*/
public function find($id);
}
Services\Post\PostService.php
<?php
namespace Detune\Services\Post;
use Detune\Services\Service;
use Illuminate\Contracts\Logging\Log;
use Illuminate\Support\ServiceProvider;
use Detune\Repositories\Post\PostRepositoryInterface;
/**
* Class PostService
* #package Detune\Services\Post
*/
class PostService extends Service {
/**
* #var PostRepositoryInterface
*/
protected $post;
/**
* #var Log
*/
protected $logger;
/**
* #param PostRepositoryInterface $post
* #param Log $logger
*/
public function __construct(PostRepositoryInterface $post, Log $logger)
{
$this->post = $post;
$this->logger = $logger;
}
/**
* Create New Post
*
* #param array $postData
* #return Post | null
*/
public function create()
{
try{
return $this->post->create($postData);
} catch (\Exception $e) {
$this->logger->error('Post->create: ' . $e->getMessage());
return null;
}
}
/**
* Post Pagination
*
* #param array $filter
* #return collection
*/
public function paginate(array $filter =[])
{
$filter['limit'] = 20;
return $this->post->paginate($filter);
}
/**
* Update the Post
*
* #param array $id
* #param array $postData
* #return bool
*/
public function update($id, array $postData)
{
try{
$post = $this->post->find($id);
$post->title = $postData['title'];
$post->content = $postData['content'];
return $post->save();
} catch (\Exception $e) {
$this->logger->error('Post->update: ' . $e->getMessage());
return false;
}
}
/**
* Delete Post
*
* #param $id
* #return mixed
*/
public function delete($id)
{
try {
$post = $this->post->find($id);
return $post->delete();
} catch (\Exception $e){
$this->logger->error('Post->delete: ' . $e->getMessage());
return false;
}
}
/**
* Get Post by ID
*
* #param $id
* #return Post
*/
public function find($id)
{
try {
return $this->post->find($id);
} catch (\Exception $e) {
$this->logger->error('Post->find: ' .$e->getMessage());
return null;
}
}
}
Any help with this are appreciated :)

The create method on an Eloquent model is normally a static method. In your code it seems to be called as if it's an instance method.
I believe you have (at least) 3 options.
Change your create call into an insert call. (I don't think this will return an instance of the Post model, just a boolean).
Call it statically Post::create($postData);
Use the newInstance method
$post = $this->post->newInstance($postData);
return $post->save() ? $post : null;