I would like to ask if it is possible to validate a href element in laravel.
For example, I'm having a bunch of people responses in my guest book and each user is able do delete his posts. I'm deleting it like this:
<div class="col-lg-2">
<ul class="list-unstyled trash">
<li>
<a href="/responses/{{$response->id}}">
<span onclick="alertDialog()" class="glyphicon glyphicon-trash"></span></a></li>
<li><button type="button" class="btn btn-danger btn-sm" data-toggle="modal" data-target="#{{$response->id}}">Edit</button></li>
</ul>
</div>
Unfortunately, every single user can change "/responses/{{$response->id}}"> id via browser developer tools and delete other user's responses. Is there any possible solutions to prevent this issue?
Just check the logged user before rendering that html section:
<div class="col-lg-2">
<!-- assuming post is your variable and user is a property which references the user who created the record -->
#if($post->user == Auth::id())
<ul class="list-unstyled trash">
<li>
<a href="/responses/{{$response->id}}">
<span onclick="alertDialog()" class="glyphicon glyphicon-trash"></span></a></li>
<li><button type="button" class="btn btn-danger btn-sm" data-toggle="modal" data-target="#{{$response->id}}">Edit</button></li>
</ul>
#endif
</div>
This way only the user who owns the post will be able to see the button in the html.
You need to use policies to check if the user that tries to delete a record is its owner:
public function delete(User $user, Model $model)
{
return $user->id === $model->user_id;
}
Or you can do it manually in a controller method:
if (auth()->id() === $model->user_id) {
// Delete the record
}
You should make /responses/{{$response->id}} a POST route and verify that the passed id matches with the authenticated users id. ( Auth::user()->id;)
I ended up checking like this in my destroy(id) method:
$count = Comment::where(['response_id' => $id])->count();
if (($responses->where('id',$id)->value('guests_email') == Cookie::get('email') && ($count==0)) || (Auth::check()))
Related
Before, I had a view called "book-edit/[ID]" to edit a book but now I added the form to edit the book in the book details page. I have a button to edit in the list of books page and I want it to go to the book page and open de edit modal on click. This is what I have rn:
View: Books (datatable list with this buttons for each):
<a href="<?php setURL(); ?>./book/<?php echo $autor->fields["id"]; ?>" class="btn btn-sm btn-clean btn-icon btn-icon-md" title="View Book">
<i class="fas fa-eye"></i>
</a>
<a href="<?php setURL(); ?>./copy-add/<?php echo $autor->fields["id"]; ?>" class="btn btn-sm btn-clean btn-icon btn-icon-md" title="Add Copy">
<i class="fas fa-plus"></i>
</a>
<a href="<?php setURL(); ?>./book-edit/<?php echo $autor->fields["id"]; ?>" class="btn btn-sm btn-clean btn-icon btn-icon-md" title="Edit Book">
<i class="fas fa-edit"></i>
</a>
View: Book/[ID] (I have modals with id "#editBookModal" and "#addCopyModal")
When you click on the books list to edit the book or add the copy, I want it to go to book/[ID] and automatically open the intended modal. But only when buttons clicked, if you go to Book/[ID] to view the book, it shouldn't open the modals automatically. That's why I can't just open it with jquery in the book/[ID] page...
Any idea of how I can do this?
Thanks!
One approach would be add hashes to the url in the links like:
....
Then on the other page check the url hash and if it matches a modal then open that modal
const modalHashes = {
'#edit-book':'#editBookModal',
'#copy-book' : '#addCopyModal'
}
let hash = window.location.hash;
// inside document.ready and after modal script has loaded
if(hash && modalHashes[hash]){
const modalSelector = modalHashes[hash];
$(modalSelector).yourModalShowMethod()
}
You could even remove the hash when the modal gets closed so if user refreshes the page it won't pop up again
// in modal close event handler
window.location.hash =''
Please what am I doing wrong, Paymentdetails refuse to delete instead, its loading server error.There's something wrong with my code.
This is my controller
public function destroy(Paymentdetail $paymentdetail)
{
// dd($id);
if(Auth::user()->role_id == '1'){
$this->paymentdetails->delete($paymentdetail->id);
event(new Deleted($paymentdetail));
return redirect()->route('paymentdetails.index')
->withSuccess(__('Payment details deleted successfully.'));
}
else{
return redirect()->back()
->withErrors(__('Sorry! You Are Not Authorized To Delete Payment Details.'));
}
}
index.blade
<a href="{{ route('paymentdetails.edit', $paymentdetail) }}"
class="btn btn-icon edit"
title="#lang('Edit Paymentdetail')"
data-toggle="tooltip" data-placement="top">
<i class="fas fa-edit"></i>
</a>
<a href="{{ route('paymentdetails.destroy', $paymentdetail) }}"
class="btn btn-icon"
title="#lang('Delete Paymentdetail')"
data-toggle="tooltip"
data-placement="top"
data-method="DELETE"
data-confirm-title="#lang('Please Confirm')"
data-confirm-text="#lang('Are you sure that you want to delete this payment details?')"
data-confirm-delete="#lang('Yes, delete details!')">
<i class="fas fa-trash"></i>
</a></a>
Moved my answer from comments"
$this->paymentdetails->delete($paymentdetail->id);
seems over-engineered and confusing
$paymentdetail is instance of Paymentdetail and it extends Laravel Model. As it is instance of model - it knows how to find itself in DB therefore you can call
$paymentdetail->delete();
and instance will delete itself
First check your request method,it should be Get method.
iF method is Get then is it redirecting to given function?
You should on debug mod of laravel which gives you proper error.
Another thing check is user authenticated?
I'm using the friendship package by hootlex but I'm not quite sure how I get the user information (username etc.) when I'm getting all friend requests and displaying them in a foreach loop.
Basically what I have done is this, to return the view:
/**
* #return mixed
*
* View friend requests
*/
public function getFriendRequests() {
$user = Auth::user();
return view('friends.requests')
-> with([
'profile' => $user -> profile,
'user' => $user,
'received_requests' => $user -> getFriendRequests(),
'sent_requests' => $user -> getPendingFriendships()
]);
}
And then in my view:
<div class="block block-green">
<div class="block-head">
<h4><i class="fa fa-fw fa-exclamation-circle"></i>Venneforespørsler ({{ count($received_requests) }})</h4>
</div>
<div class="block-body">
#foreach ($received_requests as $rr)
<div class="request">
<div class="thumb">{{-- PROFILE THUMB HERE --}}</div>
<div class="username">{{-- SENDERS USERNAME HERE --}}</div>
<div class="actions">
<form method="post" action="/friends/request/accept/{{ $rr -> id }}">
<button type="submit" class="btn btn-success"><i class="fa fa-fw fa-check"></i>Aksepter</button>
</form>
<form method="post" action="/friends/request/deny/{{ $rr -> id }}">
<button type="submit" class="btn btn-danger"><i class="fa fa-fw fa-times"></i>Avslå</button>
</form>
</div>
</div>
#endforeach
</div>
</div>
So basically what I'm wondering, how would I get the username / other information from the User model on each friend request?
Thanks in advance.
Your $rr variable contains an object of class Hootlex\Friendships\Models\Friendship - you can see its source code here: https://github.com/hootlex/laravel-friendships/blob/master/src/Models/Friendship.php.
As you can see, this model allows you to access both sender and recipient of given friend request via properties of the same name.
Therefore, in order to get username of the sender, you'll need to access it with:
$rr->sender->username
I have CI framework and user, group permission control applied in controller,
But how can i apply restriction in some buttons, links, etc in view?
Example, below is code for new, edit, delete buttons, if i want to disble\hide this buttons
<button type="button" class="btn blue" id="new_group_showbtn"><i class="fa fa-plus"></i> New</button>
<button type="button" class="btn purple" id="edit_group_showbtn"><i class="fa fa-edit"></i> Edit</button>
<button type="button" class="btn yellow" id="delete_group_btn"><i class="fa fa-trash"></i> Delete</button>
I used control over controller as below
if($this->mylib->access('testcontrol'))
{
\\code.....
} //Access control END
How can i put such control over views? I am not echoing views, but loading pure html as view,
Can be done with passing some variables? How?
Thanks,
Try like this,
Store the user type in session on ligin(like admin, subadmin,...)
Suppose i want to show a button by name create sub admin only to user, i would do like this,
<?php if($this->session->userdata("user_type") == "admin") { ?>
<button>Add Sub Admin</button>
<?php } ?>
something like this.
Since session variables are global variables you can use them across any pages( even in views).
So while you allowing user to login,
set one session variable to appropriate value according to user type.
may be something like this
$this->session->set_userdata('privilege', 'user');
$this->session->set_userdata('privilege', 'manager');
then in the view,
you can check them like,
<html>
<body>
<div>
<?php if($this->session->userdata("privilege") == "manager") { ?>
<button type="button" class="btn yellow" id="delete_group_btn"><i class="fa fa-trash"></i> Delete</button>
<?php } ?>
</div>
.
.
.
</body>
<html>
above code only display the delete button to the user type manager.
like that you can check the condition.
Hey guys I am a little confused, I have a listing page that displays all of my rows in my SQL table.
An example of what I am developing can be seen here: http://www.drivencarsales.co.uk/used-cars.php
So as you can see I have developed a listing page that fetches all of the table rows, each row is equivalent to one vehicle.
I now want to let users filter the results using the form to the left, I was going to use AJAX originally however I feel as if it would take way to long to learn how to develop it that way.
Here is the code setup I am using to achieve the example I have shown:
<?php
include('database.php');
try {
$results = $db->query("SELECT Make, Model, Colour, FuelType, Year, Mileage, Bodytype, Doors, Variant, EngineSize, Price, Transmission, PictureRefs, ServiceHistory, PreviousOwners, Options, FourWheelDrive FROM import ORDER BY Make ASC");
} catch (Exception $e) {
echo "Error.";
exit;
}
try {
$filterres = $db->query("SELECT DISTINCT Make FROM import ORDER BY Make ASC");
} catch (Exception $e) {
echo "Error.";
exit;
}
?>
As you can see the first block of code has two SQL selectors, the $results is used to fetch the whole table and list all vehicles.
The second block is used to display the 'Make' column for the form.
This block of code is the actual form:
<form>
<select class="form-control select-box" name="">
<option value="make-any">Make (Any)</option>
<?php while($make = $filterres->fetch(PDO::FETCH_ASSOC))
{
echo '
<option value="">'.$make["Make"].'</option>
';
} ?>
</select>
<button href="#" class="btn btn-block car-search-button btn-lg btn-success"><span class="glyphicon car-search-g glyphicon-search"></span> Search cars
</button>
</form>
As you can see this block is using a while loop to display all of the 'Make's' in the 'Make' column and uses a DISTINCT clause so that it doesn't show identical options.
Here is the block that lists the results to the page:
<?php while($row = $results->fetch(PDO::FETCH_ASSOC))
{
echo '
<div class="listing-container">
<h3 class="model-listing-title clearfix">'.$row["Make"].' '.$row["Model"].' '.$row["Variant"].'</h3>
<h3 class="price-listing">£'.number_format($row['Price']).'</h3>
</div>
<div class="listing-container-spec">
<img src="'.(explode(',', $row["PictureRefs"])[0]).'" class="stock-img-finder"/>
<div class="ul-listing-container">
<ul class="overwrite-btstrp-ul">
<li class="diesel-svg list-svg">'.$row["FuelType"].'</li>
<li class="saloon-svg list-svg">'.$row["Bodytype"].'</li>
<li class="gear-svg list-svg">'.$row["Transmission"].'</li>
<li class="color-svg list-svg">'.$row["Colour"].'</li>
</ul>
</div>
<ul class="overwrite-btstrp-ul other-specs-ul h4-style">
<li>Mileage: '.number_format($row["Mileage"]).'</li>
<li>Engine size: '.$row["EngineSize"].'cc</li>
</ul>
<button href="#" class="btn h4-style checked-btn hover-listing-btn"><span class="glyphicon glyphicon-ok"></span> History checked
</button>
<button href="#" class="btn h4-style more-details-btn hover-listing-btn tst-mre-btn"><span class="glyphicon glyphicon-list"></span> More details
</button>
<button href="#" class="btn h4-style test-drive-btn hover-listing-btn tst-mre-btn"><span class="test-drive-glyph"></span> Test drive
</button>
<h4 class="h4-style listing-photos-count"><span class="glyphicon glyphicon-camera"></span> 5 More photos</h4>
</div>
';
} ?>
So down to my question... How can I filter these results displayed in the listing block using the select element, when a user selects a 'Make' from the select element I want them to be able to submit the form and return all rows in the SQL table containing the same 'Make' string and hide other rows that are false.
Any ideas how I can achieve this or any easier ways?
Thanks
My best guess is for you to use JS to submit the form again, when select-option is selected, with a parameter stating the model.
Then in your PHP file, you should look for that parameter and edit the query-string accordingly.
see this answer on how to submit a form when option is selected.
This answer will show you how to handle parameters in PHP (using GET method)