user A session gets user B session laravel 5.6 - php

User A is logged in with the role "admin". User B is logged in with the role "LimitedUser" on the same web portal.
User A changes the permissions for user B. Both of them are on the same page, i.e. the "Attach Permission to Role" page. User A disallows user B from accessing the page, and when User A submits the form, User B refreshes their page and gets the session of User A. This happens only if User A submits the form and User B refreshes the page at the same time.
Laravel Version: 5.6
Entrust for Role Management
Session: File Based
Here's the code.
use Illuminate\Http\Request;

// hasRole() and userCan() are the application's own helper wrappers around Entrust
function updatePermissions(Request $request)
{
    // Only a SuperAdmin or a user holding attach_permissions may proceed
    if (!hasRole('SuperAdmin') && !userCan('attach_permissions')) {
        abort(404);
    }

    $roleId  = $request->input('role_id');
    $permIds = $request->input('perm');

    $role = Role::where('id', '=', $roleId)->first();
    if (!$role) {
        abort(404);
    }

    if ($permIds == null) {
        // Nothing submitted: detach every permission currently attached to the role
        $role = Role::findOrFail($roleId);
        $role_permissions = $role->perms()->get();
        //print_r($role_permissions);exit;
        $rolePermIds = array();
        foreach ($role_permissions as $permission) {
            $rolePermIds[] = $permission->id;
        }
        $role->perms()->detach($rolePermIds);
    } else {
        /*$role->perms()->sync(array_keys($permIds));*/
        // Replace the role's permission rows with the submitted set
        $permissions_new = (array_keys($permIds));
        RolePermission::where('role_id', '=', $roleId)->forceDelete();
        foreach ($permissions_new as $item) {
            $r = new RolePermission();
            $r->role_id = $role->id;
            $r->permission_id = $item;
            $r->save();
        }
    }

    return redirect()->back();
}

There are several ways to solve this; one of them is to use middleware in Laravel: https://laravel.com/docs/5.7/middleware#defining-middleware
Another way is creating policies and gates:
https://laravel.com/docs/5.7/authorization#gates
In your case, middleware can solve it.
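The middleware approach suggested in the answer, written out as an added example (this is not code from the question or the answer). It assumes an Entrust-style User model exposing hasRole() and can(); the class name RequirePermission, the 'perm' alias and the route are illustrative. Unlike the controller in the question it answers a failed check with 403 rather than 404, and a missing login with 401.

```php
<?php
// Added example, not part of the original post. Assumes an Entrust-style User
// model exposing hasRole() and can(); class and route names are illustrative.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequirePermission
{
    /**
     * Route usage: ->middleware('perm:attach_permissions')
     *          or: ->middleware('perm:attach_permissions,SuperAdmin')
     * The permission is required; the optional role also passes the check,
     * mirroring the "SuperAdmin OR attach_permissions" rule in the question.
     */
    public function handle(Request $request, Closure $next, string $permission, string $role = null)
    {
        $user = $request->user();

        // Unauthenticated requests get 401 rather than a misleading 404
        if ($user === null) {
            abort(401);
        }

        $allowed = $user->can($permission)
            || ($role !== null && $user->hasRole($role));

        if (!$allowed) {
            // 403: the resource exists, the caller just may not use it
            abort(403);
        }

        return $next($request);
    }
}

// Registration in app/Http/Kernel.php ($routeMiddleware):
//   'perm' => \App\Http\Middleware\RequirePermission::class,
//
// routes/web.php (assumed route and controller name):
//   Route::post('/roles/permissions', 'RoleController@updatePermissions')
//       ->middleware(['auth', 'perm:attach_permissions,SuperAdmin']);
```

With the check in middleware, the controller action no longer needs its own hasRole()/userCan() guard, and the same rule can be attached to the GET route that renders the "Attach Permission to Role" page.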

Related

Get current logged in user's user role from a laravel controller

In my Laravel application I have two user types, admins and general users.
I have implemented a function for users to download their certificates.
For that I have the following function inside my controller:
use Illuminate\Contracts\Filesystem\FileNotFoundException;
use Illuminate\Support\Facades\Storage;

public function index(string $locale, CertificateUser $certificateUser)
{
    // $institute is not defined in this excerpt; it is assumed to be resolved earlier in the method
    $this->authorize('downloadCertificate', [Institute::class, $certificateUser, $institute]);
    try {
        return Storage::download($certificateUser->certificate_url);
    } catch (FileNotFoundException $exception) {
        return redirect()->back()->withErrors(__('Certificate could not be found.'));
    }
}
Now I want to execute this
$this->authorize('downloadCertificate', [Institute::class, $certificateUser, $institute]);
only if the logged-in user's role is admin.
How can I get the current logged-in user's role from here?
$user_role = Auth::user()->role;
if ($user_role == 'admin') {
    // Your code here
    $this->authorize('downloadCertificate', [Institute::class, $certificateUser, $institute]);
}
What's the issue? Also share your User model here.
Other ways:
if ($user->hasRole('Admin')) { ... }
$user_roles = Auth::user()->roles()->get();
Now you can loop through $user_roles.

Can't test if a database boolean is true in Laravel

I am trying to query our database to see if users can log in based on whether the organisation they belong to have logins enabled.
LoginController.php
use Carbon\Carbon;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;

protected function redirectTo()
{
    $user = Auth::user()->id;
    $userOrg = UserOrganization::where('user_id', $user)->first();
    $org = Organization::where('id', $userOrg->org_id)->first();

    if ($org->allow_org_login == 0) {
        // Organisation has logins disabled
        return '/login';
    } else {
        if (Auth::user()->has_changed_temp_password == false) {
            DB::table('users')->where('id', $user)->update(['last_login' => Carbon::now()]);
            DB::table('users')->where('id', $user)->increment('total_logins');
            return '/user/password/change';
        } else {
            DB::table('users')->where('id', $user)->update(['last_login' => Carbon::now()]);
            DB::table('users')->where('id', $user)->increment('total_logins');
            return '/overview';
        }
    }
}
Trying to log in as a user belonging to an organisation with allow_org_login = 0 should redirect to the '/login' page, but instead it either logs the user in or prompts for a password change for a new user.
What am I doing wrong?
Edit: Debug contents of $org (allow_org_login on the bottom line)
Since there is a many-to-many relation between user and organization, I suppose this relation is defined in User & Organization as in the documentation:
https://laravel.com/docs/7.x/eloquent-relationships#many-to-many
Considering that a user may have more than one organization, and that if any of the organizations allows login the user should be able to log in to your system:
$user = Auth::user();
$userOrganizations = $user->organizations()->get();
$allowUserToLogin = false;
if ($userOrganizations->where('allow_org_login', 1)->first() != null) {
    $allowUserToLogin = true;
}
and then:
if ($allowUserToLogin == 0) {
    return '/login';
} else { ....
The redirectTo() method only fires when we log in using the POST method.
Inside your redirectTo() method you check the condition and then return '/login',
which redirects to the login page. But at that point you are already logged in, so the login page checks whether the user is logged in and redirects to the URL configured in LoginController in protected $redirectTo; it does not call the redirectTo() method, because this time the redirect is a GET request, not a POST.
If you want to put validation in the redirectTo() method, you can try the code below:
protected function redirectTo()
{
    $user = Auth::user()->id;
    $userOrg = UserOrganization::where('user_id', $user)->first();
    $org = Organization::where('id', $userOrg->org_id)->first();

    if ($org->allow_org_login == 0) {
        Auth::logout(); // log the user out before redirecting
        return '/login';
    } else {
        if (Auth::user()->has_changed_temp_password == false) {
            // depending on your choice, log out here or not
            DB::table('users')->where('id', $user)->update(['last_login' => Carbon::now()]);
            DB::table('users')->where('id', $user)->increment('total_logins');
            return '/user/password/change';
        } else {
            // depending on your choice, log out here or not
            DB::table('users')->where('id', $user)->update(['last_login' => Carbon::now()]);
            DB::table('users')->where('id', $user)->increment('total_logins');
            return '/overview';
        }
    }
}
But my option would be to create a new middleware to handle this.
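An added example that is not from either answer: instead of redirectTo(), it overrides the authenticated() hook that Laravel's AuthenticatesUsers trait calls right after a successful POST login, so the organisation check runs before any redirect is issued. It assumes the many-to-many organizations() relation from the first answer and an allow_org_login column on the organizations table; the error message text is illustrative.

```php
<?php
// Added example, not part of the original post. Assumes User::organizations()
// is the many-to-many relation and organizations carry an allow_org_login column.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Carbon\Carbon;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = '/overview';

    /**
     * Called by sendLoginResponse() after a successful POST /login.
     * Returning a response here replaces the default redirect; returning
     * null falls through to redirect()->intended($this->redirectPath()).
     */
    protected function authenticated(Request $request, $user)
    {
        // One organisation with logins enabled is enough to let the user in
        $loginAllowed = $user->organizations()
            ->where('allow_org_login', 1)
            ->exists();

        if (!$loginAllowed) {
            // Undo the login completely: clear the session and rotate the CSRF token
            Auth::logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect('/login')
                ->withErrors(['email' => 'Logins are disabled for your organisation.']);
        }

        // Record the login only for accounts that are cleared to proceed
        $user->last_login = Carbon::now();
        $user->save();
        $user->increment('total_logins');

        if (!$user->has_changed_temp_password) {
            return redirect('/user/password/change');
        }

        return null;
    }
}
```

Because the denial happens inside the POST handler, the GET /login request that follows sees a guest and renders the form as expected, which is the behaviour the second answer explains is impossible to get from redirectTo() alone.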

Laravel voyager policy based on user role

I can't find out how to determine the user's role in Voyager. I am trying to do a policy check based on user role like this:
public function browse(User $user)
{
    // no return statement, so the policy yields null, which the Gate treats as a denial
    $user->role == 'admin';
}
But this returns false ("This action is unauthorized.") even for a user with the role admin.
I am using laravel 5.6 and voyager 1.1.3
There is no role or role_name column in the users table in Voyager. I have to use role_id:
public function browse(User $user)
{
    if ($user->role_id == 1) {
        return true;
    } else {
        return false;
    }
}
Is there any way I can use the role name?
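An added example (not from the post) showing the policy written against the role name. It assumes the application's User model extends TCG\Voyager\Models\User, whose role() relation points at Voyager's roles table with a name column; the policy class name and the permitted role names are assumptions.

```php
<?php
// Added example, not part of the original post. Assumes App\User extends
// TCG\Voyager\Models\User, which defines role() as a belongsTo relation to a
// roles table with a `name` column. Policy and role names are illustrative.

namespace App\Policies;

use App\User;

class PostPolicy
{
    /** Role names allowed to browse, compared by name rather than numeric id */
    private const BROWSE_ROLES = ['admin', 'editor'];

    /**
     * Resolve the role name through the relation; optional() turns a user
     * with no role row (role_id NULL or dangling) into null instead of an error.
     */
    private function roleName(User $user): ?string
    {
        return optional($user->role)->name;
    }

    /** Explicit boolean return: a policy method that returns nothing is treated as denied */
    public function browse(User $user): bool
    {
        return in_array($this->roleName($user), self::BROWSE_ROLES, true);
    }
}
```

Comparing names in a fixed whitelist keeps the policy readable and survives roles being re-seeded with different ids, which the role_id == 1 check does not.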

Prevent Users From changing their own permission

I have made a middleware for admins
and I applied it in my routes.
The problem is that when the user is an admin he can go to the users page and change his own permissions, and the page keeps redirecting and breaks when he clicks "change permission" on his own profile:
ERR_TOO_MANY_REDIRECTS
My method to change a user to admin:
public function admin($id)
{
    $user = User::findOrFail($id);
    $user->admin = 1;
    $user->save();
    session()->flash('success', 'Changed to admin');
    return redirect()->back();
}
And to change a user to Author:
public function notAdmin($id)
{
    $user = User::findOrFail($id);
    $user->admin = 0;
    $user->save();
    session()->flash('success', 'Changed to Normal');
    return redirect()->back();
}
So how can I prevent the logged-in user from changing his own permissions?
I'm really confused about this.
Thank you
Redirect the user if he tries to change his own permissions by using
Auth::id() and comparing it with $id, so that if they match he is trying to change his own permission.
public function admin($id)
{
    if (Auth::id() == $id) {
        session()->flash('error', 'Permission denied');
        return redirect()->back();
    }
    $user = User::findOrFail($id);
    $user->admin = 1;
    $user->save();
    session()->flash('success', 'Changed to admin');
    return redirect()->back();
}
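As an added example (not the answer's code), the same rule expressed as a policy so that both admin() and notAdmin() are covered by one check and a denied request gets a 403 instead of another redirect. It assumes the boolean admin column from the question, route model binding for {user}, and the controller, policy and route names shown.

```php
<?php
// Added example, not part of the original post. Uses the `admin` column from
// the question; controller, policy and route names are illustrative.

namespace App\Policies {
    use App\User;

    class UserPolicy
    {
        // Only an admin may change the flag, and never on their own account
        public function changeAdmin(User $actor, User $target): bool
        {
            return (bool) $actor->admin && (int) $actor->id !== (int) $target->id;
        }
    }
}

namespace App\Http\Controllers {
    use App\User;

    class UserRoleController extends Controller
    {
        public function admin(User $user)
        {
            return $this->setAdmin($user, true, 'Changed to admin');
        }

        public function notAdmin(User $user)
        {
            return $this->setAdmin($user, false, 'Changed to Normal');
        }

        private function setAdmin(User $user, bool $isAdmin, string $message)
        {
            // Throws AuthorizationException (HTTP 403) on denial rather than
            // redirecting back, so a refused self-change cannot bounce between pages
            $this->authorize('changeAdmin', $user);

            $user->admin = $isAdmin ? 1 : 0;
            $user->save();

            session()->flash('success', $message);
            return redirect()->back();
        }
    }
}

// AuthServiceProvider::$policies:
//   App\User::class => App\Policies\UserPolicy::class,
// routes/web.php (state-changing, so POST, behind the auth middleware):
//   Route::post('users/{user}/admin',     'UserRoleController@admin')->middleware('auth');
//   Route::post('users/{user}/not-admin', 'UserRoleController@notAdmin')->middleware('auth');
```

Putting the rule in the policy also means any future action that touches the admin flag (an API endpoint, a console command using Gate) inherits the self-modification check instead of re-implementing the Auth::id() comparison.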

CakePHP check or add user id to posts

I have the following two actions in my controller:
function add()
{
    if (!empty($this->data))
    {
        if ($this->Favour->save($this->data))
        {
            $this->Session->setFlash('Your favour has been saved.');
            $this->redirect(array('controller' => 'favours', 'action' => 'index'));
        }
    }
}

function edit($id = null)
{
    $this->Favour->id = $id;
    if (empty($this->data))
    {
        $this->data = $this->Favour->read();
    }
    else
    {
        if ($this->Favour->save($this->data))
        {
            $this->Session->setFlash('Your favour has been updated.');
            $this->redirect(array('controller' => 'favours', 'action' => 'index'));
        }
    }
}
1) I want to add the logged-in user id in the add action so that the new post is created with that user as its author id (there is a foreign key in the db table). I'm not sure how to talk to fields within the controller itself.
2) For the edit action I want to make it so that only the author can edit the post. For example, user 200 creates post 20, but user 100 cannot edit this post because his id is not 200. I'm not using ACL for my app, just simple authentication.
I've thought about doing a simple if statement in the action like:
function edit($id = null)
{
    $this->Favour->id = $id;
    $this->Favour->user_id = $user_id;
    if ($this->Auth->user('id') != $user_id)
    {
        $this->Session->setFlash('You do not have permission to edit that favour!');
        $this->redirect(array('controller' => 'favours', 'action' => 'index'));
    }
    else
    {
        if (empty($this->data))
        {
            $this->data = $this->Favour->read();
        }
        else
        {
            if ($this->Favour->save($this->data))
            {
                $this->Session->setFlash('Your favour has been updated.');
                $this->redirect(array('controller' => 'favours', 'action' => 'index'));
            }
        }
    }
}
Would this be correct? But how do I get the user id from the favour?
function add() {
    if (!empty($this->data)) {
        // Set the owner from the session rather than trusting the submitted form
        $this->data['Favour']['user_id'] = $this->Auth->user('id');
        if ($this->Favour->save($this->data)) {
            //etc
This code assumes:
- your user is logged in;
- the user can access the add function;
- you are storing the id value of the logged-in user in the field id;
- you have a foreign key in the Favours table called user_id that matches the data type of the user id.
As for edit, there are a couple of ways of achieving it.
I'd do:
function edit($id) {
    $this->Favour->id = $id;
    // get the owner of this post
    $favour_author = $this->Favour->field('user_id');
    if ($this->Auth->user('id') != $favour_author) {
        $this->Session->setFlash('You do not own this post.');
        $this->redirect('/someplace');
    }
    if (empty($this->data)) {
        $this->data = $this->Favour->read();
    }
    // carry on.
If you use the Auth component, you can access the logged-in user record via $this->Auth->user() in the controller, so to access the id: $this->Auth->user('id'). If you write your own authentication, it's up to you.
"how to talk to fields within the controller itself."
What do you mean?
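An added example, not the answer's code, that puts both actions together in the CakePHP 1.3-era API the question uses and covers two cases the answer leaves open: a favour id that does not exist (field() returns false) and a form that posts its own Favour.user_id or Favour.id to change the owner or the target row. The Favours fields title and body, the controller's properties and the redirect targets are assumptions.

```php
<?php
// Added example, not part of the original post. CakePHP 1.3-era API as used in
// the question; the title/body fields and a user_id column on favours are assumed.
class FavoursController extends AppController {

    var $name = 'Favours';
    var $components = array('Auth', 'Session');

    // Columns a user may submit. user_id is deliberately absent so a client
    // cannot set or change the owner by posting Favour.user_id (save() with a
    // fieldList whitelist ignores any other submitted columns).
    var $editableFields = array('title', 'body');

    function add() {
        if (!empty($this->data)) {
            // Owner always comes from the authenticated session, never the form
            $this->data['Favour']['user_id'] = $this->Auth->user('id');
            $fields = array_merge($this->editableFields, array('user_id'));
            if ($this->Favour->save($this->data, true, $fields)) {
                $this->Session->setFlash('Your favour has been saved.');
                $this->redirect(array('action' => 'index'));
            }
        }
    }

    function edit($id = null) {
        $this->Favour->id = $id;
        // field() reads one column for the model's current id; false means no such row
        $owner = $this->Favour->field('user_id');
        if ($owner === false) {
            $this->Session->setFlash('That favour does not exist.');
            $this->redirect(array('action' => 'index'));
        }
        if ((int) $owner !== (int) $this->Auth->user('id')) {
            $this->Session->setFlash('You do not have permission to edit that favour!');
            $this->redirect(array('action' => 'index'));
        }
        if (empty($this->data)) {
            $this->data = $this->Favour->read();
            return;
        }
        // Pin the primary key to the id that passed the ownership check, so a
        // posted Favour.id cannot retarget the update at someone else's row
        $this->data['Favour']['id'] = $id;
        if ($this->Favour->save($this->data, true, $this->editableFields)) {
            $this->Session->setFlash('Your favour has been updated.');
            $this->redirect(array('action' => 'index'));
        }
    }
}
```

The ownership check reads only user_id, so a user probing ids sees the same "no permission" redirect whether or not the row exists, except for the explicit missing-row branch; if hiding existence matters, give both branches the same message.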
