I want to be able to restrict users to only be able to see their own profiles in my laravel project. So when a user wants to access their profile, they would go to the url followed by /userprofile/{id}. But as of right now, any user can type in the specific id of a different user and access their profile. So if I'm logged in as the first user to register, I would have an id of 1. But I only want to be able to access my profile. If I try to type in id 2 or 3 in the url I want it to kick me back to the homepage. Any idea how I could accomplish this? Using some sort of middleware perhaps?
<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use App\Http\Requests;
use DB;
use App\User;
use App\Salutation;
use App\Http\Requests\UserRequest;
use Auth;
class HomeController extends Controller
{
public function index(){
$users_info = User::all();
return view('userprofile.index', compact("users_info"));
}
public function show($user_info){
$user_info = User::find($user_info);
return view('userprofile.show', compact("user_info"));
}
public function create(){
return view('userprofile.create');
}
public function store(UserRequest $request){
$formData = $request->all();
User::create($formData);
return redirect('userprofile');
}
public function edit($user_info) {
$user_info = User::findOrFail($user_info);
return view('userprofile.edit', compact("user_info"));
}
public function update(UserRequest $request, $user_info){
$formData = $request->all();
$user_info = User::findOrFail($user_info);
$user_info->update($formData);
return redirect('userprofile');
}
public function __construct(){
$this->middleware('auth', ['only' =>['create', 'edit',
'destroy']]);
}
}
just compare the current user with param id
example:
public function getProfile(Request $request, $id)
{
if(Auth::id() == $id) {
// valid user
$user_info = Auth::user();
return view('userprofile.show', compact("user_info"));
} else {
//not allowed
}
}
Related
So if a user wants to edit their own ticket they can do it from a form. But if they change the ID in the form, they can also edit another user's ticket. How do I prevent this?
public function edit(Ticket $ticket)
{
$user = request()->user()->ticket()->get();
if ($ticket === $user){
return view('users.tickets.edit',['ticket' => $ticket,]);
}
else{
abort(403);
}
}
It automatically pick abort 403
This is the user Model
public function ticket(){
return $this->belongsToMany(Ticket::class, 'ticket_user');
}
This is the ticket model
public function users() {
return $this->belongsToMany(User::class, 'ticket_user');
}
The logic itself could look like this:
$ticket->users->contains($request->user())
In your controller it could look like this:
use Illuminate\Http\Request;
public function edit(Request $request, Ticket $ticket)
{
if (! $ticket->users->contains($request->user())) {
return abort(403);
}
return view('users.tickets.edit', [
'ticket' => $ticket
]);
}
Docs for Collection::contains.
I suggest looking into how you could exclude your authorisation logic into gates and policies.
The right implementation for me looks like this.
The models:
*User
id
...
*Ticket
id
...
UserTicket
*id
*ticket_id
*user_id
When you create a ticket you have to create a new UserTicket for any user is able to edit the ticket.
Then you check if there is a record in UserTicket that has the user_id.
For example:
The Ticket model
public function users()
{
return $this->hasManyThrough(UserTicket::class, User::class);
}
And the edit controller
public function edit(Ticket $ticket)
{
$currentUser = request()->user();
$ticketUsers = $ticket->users;
// loop each ticketUser and check their id == $currentUser->id
}
We know that laravel has an update () method that updates records using the http "put" method. But I do not know how to create an edpoint in which I will be able to modify the email.
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use App\User;
class UserController extends Controller
{
public function index()
{
return response()->json([
'name' => 'Abigail',
'state' => 'CA'
]);
}
public function store(Request $request)
{
$user = new User();
$user->name = $request->get("name");
$user->email = $request->get("email");
$user->password = $request->get("password");
$user->save();
return response()->json($user->toArray(), 200);
}
public function show($id)
{
//
}
public function edit($id)
{
//
}
public function update(Request $request, $id)
{
//
}
public function destroy($id)
{
//
}
}
And my route:
<?php
use Illuminate\Http\Request;
Route::middleware('auth:api')->get('/user', function (Request $request) {
return $request->user();
});
Route::post('v1/users/create', 'UserController#store');
RESTful APIs made by me tests in Postman. Help me somebody
Looking at your question, I think you need to create a route to link to update method in your controller same way you created a post for creating user.
Route::put('v1/users/client/{id}', 'UserController#update);
OR you can use laravel predefined code to create all CRUD routes.
Route::resource('v1/users/client', 'UserController').
To view all the routes created, use
php artisan route:list
Have a further study on this.
I have a table sites with list of sites with following columns ('id', 'path', 'site_link'). I've written in a Site model public $timestamps = false; so that it won't try to work with time what I don't need.
Also I have the following routes
$api = app('Dingo\Api\Routing\Router');
$api->version('v1', function ($api) {
$api->get('sites', 'App\Http\Controllers\SiteController#index');
$api->get('sites/{site}', 'App\Http\Controllers\SiteController#show');
});
The first one is working fine and returning all the data, however the second one is returning just [].
I have a controller which is below
namespace App\Http\Controllers;
use Illuminate\Http\Request;
Use App\Site;
class SiteController extends Controller
{
public function index()
{
return Site::all();
}
public function show(Site $site)
{
return Site::findOrFail($site);
}
public function store(Request $request)
{
$site = Site::create($request->all());
return response()->json($site, 201);
}
public function update(Request $request, Site $site)
{
$site->update($request->all());
return response()->json($site, 200);
}
public function delete(Site $site)
{
$site->delete();
return response()->json(null, 204);
}
}
The show method in your SiteController is taking a Site object. However the route is set up to only take the siteId. The code below should work for you based on how you've set up your routes.
public function show($site)
{
return Site::findOrFail($site);
}
Apply same to all your other controller methods since you want pass the site id via the url to the controller methods.
i created a UserController.php
use App\User;
//
class UsersController extends Controller
{
//
public function edit($id, User $user){
$user = $user->find($id);
return view('admin.user.edit' , compact('user'));
}
//
}
And edit views
but when i want to access to this url
url('/users/'. $user->id .'edit')
i got this error
Error edit() must be an instance of App\User, none given
!?
Make sure your route is like:
Route::get(/users/{id}/edit', 'UsersController#edit');
Then use it as:
url('/users/'. $user->id .'/edit');
or
url("/users/{$user->id}/edit");
And then your controller should be as:
public function edit($id) {
$user = User::find($id);
return view('admin.user.edit' , compact('user'));
}
The error says that the edit() function expects $user_id and User instance but you're only providing $user_id. If that's the case your code should look like this:
public function edit($id){
$user = User::find($id);
return view('admin.user.edit' , compact('user'));
}
Hi on my website I have profile with username parameter root/user/{username}. I was planning to add button to block the user. My problem is that when other user click block button, the button do stuffs in the Check.php controller but it doesn't pass the user/{username} parameter that I need in if statements. My question is how I can pass the {username} parameter from my user.blade.php to the Check.php controller?
As we are not seeing any code here, it seems that to do what you need, you just have to create a route pointing to your controller method and eventually a route to redirect your users when successufully blocked:
Route::get('user/block/{username}', 'BlockUserController#block');
Route::get('userBlocked', 'BlockUserController#blocked');
And the controller itself:
class BlockUserController extends Controller {
public function block($username)
{
$user = User::where('username', $username);
$user->blocked = true;
$user->save();
return Redirect::to('userBlocked');
}
public function blocked($username)
{
return View::make('user.blocked');
}
}
And then if you click the button pointing to the route:
http://application.com/user/block/user3398940
It will be blocked.
If you want to go a little more advanced in Laravel, you can use dependency injection and remove some code from your controller:
class BlockUserController extends Controller {
private $user;
public function __construct(User $user)
$this->user = $user;
}
public function block($username)
{
if ($user->block($username))
{
return Redirect::to('userBlocked');
}
return Redirect::back()->with('message', 'User not found');
}
public function blocked($username)
{
return View::make('user.blocked');
}
}
And your user model would have to have a block method:
class User extends Eloquent {
public function block($username)
{
if ($user = $this->newQuery()->where('username', $username))
{
$user->blocked = true;
return $user->save();
}
return false;
}
}