Laravel Allow user with super-admin role only via Auth - php

I have implemented Entrust for roles and permissions. I have 3 roles: super-admin, admin and customer.
Super admin has access to the web app (e.g. www.myurl.com).
Admin has access through the API only, i.e. the mobile app (e.g. www.myurl.com/api/login) via the api.php route.
Customer has access through the API, i.e. the mobile app.
Now, I found a bug: when an admin tries to log in via www.myurl.com/login with his credentials he is allowed to log in!!!
On further investigation, I found that I need to change the login method and add a role check during login, but I'm unable to get it through. I changed the login function as below, but admin and customers are still able to log in!!
public function login(Request $request)
{
    $this->validateLogin($request);

    if ($this->hasTooManyLoginAttempts($request)) {
        $this->fireLockoutEvent($request);
        return $this->sendLockoutResponse($request);
    }

    // I updated the following code of the default login function.
    // NOTE: attemptLogin() already logs the user into the session for any
    // valid credentials; the role is only inspected afterwards.
    $checkAdmin = $this->attemptLogin($request);
    $isAdmin = Auth::user();

    if ($checkAdmin && $isAdmin->hasRole('super')) {
        // With super-admin, if I do dd('hi') here, I am getting control
        return $this->sendLoginResponse($request);
    }

    // But for other roles, it is directly taking them to the super-admin (home) page!!
    // (the session started by attemptLogin() above is never cleared here)
    // ... rest of the login function ...
}
I tried a dd(1) to learn the flow; for the super user I got the dd response, while for other users it was not going into that block and was redirecting non-super-admin roles to the home page!!
I am using Laravel 5.4 and the Entrust package for roles.
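One way to make the role check effective, written as an added example for Laravel 5.4 rather than the asker's code: the credentials are validated with the guard's validate() method, which does not start a session, and the session is only created once the role is known. The role slug 'super-admin' and the redirect path are assumptions.

```php
<?php
// Added example, not the asker's code. attemptLogin() in the original logs the
// user in before the role is known; here validate() checks the password only,
// and login() is called solely for the super-admin role.
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = '/home'; // assumed

    public function login(Request $request)
    {
        $this->validateLogin($request);

        if ($this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);
            return $this->sendLockoutResponse($request);
        }

        // validate() verifies the password but creates no session.
        if ($this->guard()->validate($this->credentials($request))) {
            $user = $this->guard()->getLastAttempted();

            if ($user->hasRole('super-admin')) { // Entrust role slug, assumed
                $this->guard()->login($user, $request->has('remember'));
                return $this->sendLoginResponse($request); // regenerates session id
            }
            // Valid password but wrong role: fall through to the same failure
            // response as a bad password, so the web login page does not reveal
            // which API-only accounts exist. Nothing was logged in.
        }

        $this->incrementLoginAttempts($request);
        return $this->sendFailedLoginResponse($request);
    }
}
```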

Related

Laravel - Multiple User Types with different Login Credentials

I currently can't pinpoint which solution is best in the following situation.
I need 2 different accounts, namely: Customer and Admin.
However, both account types have different login credentials, i.e.
Admin logs in using email and password.
Customer logs in using username and customerCode.
I am currently using Laravel 8 with Jetstream.
I also created separate user models which both inherit the Users model, which is created automatically by Jetstream.
Is there a way I can use different login credentials for 2 different account types, please? If so, what's the best way to go about this?
Thanks in advance.
Set up different auth guards, e.g. users and admin. This way, you can have separate logins:
https://laravel.com/docs/master/authentication#adding-custom-guards
You can specify which guard to use for relevant parts of your application. This could be done using route middleware, and you can set a default in config/auth.php.
e.g.
use Illuminate\Support\Facades\Auth;

Auth::shouldUse('admin');
// or
Auth::guard('admin')->login(...);
// or
Auth::guard('users')->attempt($request->only('username', 'customer_code'));
Auth::guard('admin')->attempt($request->only('email', 'password'));
You can extend the FortifyServiceProvider class and in the boot method define your logic based on user role. This is a simple example.
// imports needed at the top of FortifyServiceProvider:
// use App\Models\User;
// use Illuminate\Http\Request;
// use Illuminate\Support\Facades\Hash;
// use Laravel\Fortify\Fortify;

public function boot()
{
    // authenticate the user using email, phone number or username
    Fortify::authenticateUsing(function (Request $request) {
        $user = User::where('email', $request->username)
            ->orWhere('phone', $request->username)
            ->orWhere('username', $request->username)
            ->first();

        if ($user && Hash::check($request->password, $user->password)) {
            return $user;
        }
    });
}
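As an added example of the two-guard approach from the first answer (not code from either answer), a controller with one login method per guard. It assumes config/auth.php defines a 'web' guard backed by App\Models\User (username column, customer code stored hashed in the password column) and an 'admin' guard backed by App\Models\Admin.

```php
<?php
// Added example, not from the answers above. Each account type authenticates
// against its own guard and provider, so an admin session can never be
// accepted on customer routes (auth:web) or vice versa (auth:admin).
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Validation\ValidationException;

class MultiGuardLoginController extends Controller
{
    // Customer: username + customerCode. The Eloquent provider hash-checks the
    // 'password' key and turns every other key into a WHERE clause, so the
    // customer code must be stored with Hash::make() in the password column
    // and is passed here under 'password'. A plain-text code column would be
    // a credential stored in clear.
    public function customerLogin(Request $request)
    {
        $data = $request->validate([
            'username'      => ['required', 'string'],
            'customer_code' => ['required', 'string'],
        ]);

        $ok = Auth::guard('web')->attempt(
            ['username' => $data['username'], 'password' => $data['customer_code']],
            $request->boolean('remember')
        );

        return $this->finish($request, $ok, 'username', '/dashboard'); // path assumed
    }

    // Admin: email + password on the separate 'admin' guard.
    public function adminLogin(Request $request)
    {
        $data = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $ok = Auth::guard('admin')->attempt($data, $request->boolean('remember'));

        return $this->finish($request, $ok, 'email', '/admin'); // path assumed
    }

    private function finish(Request $request, bool $ok, string $field, string $to)
    {
        if (! $ok) {
            throw ValidationException::withMessages([$field => [__('auth.failed')]]);
        }
        $request->session()->regenerate(); // new session id after login (fixation)
        return redirect()->intended($to);
    }
}
```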

How to show views to users that was not registered in Laravel?

I am using the Laravel make:auth command and email verification of users. Now I'm facing an issue: when anyone visits my web site, the authentication is raised and redirects the user to the login page; if the user is not registered, they have to register first and verify their email before starting to visit my web site. I want to show all my routes to anyone, without login or registration. And I also need to verify the user's email when they register. It is showing the routes only to registered and logged-in users, but I want to show them to everyone.
public function __construct()
{
    // the original had ['auth' => 'verified'], which passes a wrong array shape;
    // middleware names are listed as plain values
    $this->middleware(['auth', 'verified']);
}
After verifying the email it shows the routes.
If I comment out this code it works fine, but I also need to verify email.
This depends on how protective you are of the data to be shown to visitors.
One method you can try is to use no middleware for those routes you want all visitors to access, and use a simple if/else condition to show the respective view:
public function __construct()
{
    // no middleware
}

public function index()
{
    if (Auth::check()) {
        return view('logged'); // for logged-in users (resources/views/logged.blade.php)
    }
    return view('general'); // for all visitors (resources/views/general.blade.php)
}
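The same split expressed at the route level, as an added example (not the asker's or the answerer's code): public pages carry no auth middleware, the verification endpoints are registered, and only the routes that expose account data require a verified session. Controller and route names are assumptions.

```php
<?php
// routes/web.php, added example. Public routes stay reachable without a
// session; 'auth' and 'verified' are applied only to the routes that need them,
// so email verification is still enforced where it matters.
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// Login, registration and the email-verification endpoints
// (/email/verify, /email/verify/{id}, /email/resend).
Auth::routes(['verify' => true]);

// Visible to everyone: anonymous, unverified and verified users alike.
Route::get('/', 'PageController@index')->name('home');
Route::get('/posts/{post}', 'PostController@show')->name('posts.show');

// Reachable only with a logged-in, email-verified user; anyone else is sent
// to the login page or to the "verify your email" notice.
Route::middleware(['auth', 'verified'])->group(function () {
    Route::get('/account', 'AccountController@show')->name('account');
    Route::post('/account', 'AccountController@update');
});
```

The same restriction can be kept in a controller with `$this->middleware(['auth', 'verified'])->only(['show', 'update']);`, leaving the other actions public.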

Laravel loginUsingId doesn't seem to work

I need to manually log in a user in Laravel 5.7 via Auth. Once I run Auth::loginUsingId($userId, true) I then relocate the user to his account page.
The point of this is that a user coming through a token can be logged in to the website without entering his credentials again.
I've tried anything I could find online, including moving the Session from MiddlewareGroup to Middleware, checking the cookie name and some other things that didn't work.
My controller looks something like this:
public function loginExternal(Request $request)
{
    $userId = $request->uid;
    Auth::loginUsingId($userId, true);
    // send() emits the response from inside the controller, before the
    // StartSession middleware can attach the session cookie to it
    redirect()->to('/account')->send();
}
and the route for it is pretty simple:
Route::get('/oneclick/{token}', 'Auth\AccountController@loginExternal')->middleware('signed')->name('oneclick');
I would expect the user to be logged in and taken to his account automatically. Now it just sends me to the login page.
What I noticed is that the loginUsingId() method generates a new session id only in this controller, while the other pages of the website use a different session, the same one across them (which is what should happen).
I need to mention that the user does get logged in in the loginExternal method. It just doesn't persist to the account page.
Any ideas?
In the controller:
public function loginExternal($id)
{
    $user = User::find($id);
    if ($user) {
        \Auth::loginUsingId($id, true);
        return redirect('/account');
    } else {
        return redirect('/')->with('error_message', 'No user found!');
    }
}
In the route file (web.php):
Route::get('/oneclick/{id}', 'Auth\AccountController@loginExternal')->name('oneclick');
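An added example (not the asker's or answerer's code) that keeps the 'signed' middleware from the question: without it, /oneclick/{id} logs in any account whose id is typed into the URL. The link is generated as a temporary signed route, the redirect is returned rather than sent, and the session id is rotated after login. The 15-minute lifetime and the App\User model are assumptions.

```php
<?php
// Added example for Laravel 5.7. The signature binds the id and expiry to the
// URL, so the link cannot be forged or edited; returning the redirect lets
// StartSession attach the session cookie, which is what the original send()
// call prevented.
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\URL;

class AccountController extends Controller
{
    // Builds the one-click link to mail to the user; valid for 15 minutes.
    public static function oneClickUrl(User $user): string
    {
        return URL::temporarySignedRoute(
            'oneclick', now()->addMinutes(15), ['id' => $user->id]
        );
    }

    // routes/web.php:
    // Route::get('/oneclick/{id}', 'Auth\AccountController@loginExternal')
    //     ->middleware(['signed', 'guest'])->name('oneclick');
    // 'signed' rejects tampered or expired links with a 403 before this runs.
    public function loginExternal(Request $request, $id)
    {
        $user = User::find($id);
        if (! $user) {
            return redirect('/')->with('error_message', 'No user found!');
        }

        Auth::login($user, true);
        // Fresh session id: the pre-login session must not survive the login.
        $request->session()->regenerate();

        return redirect('/account');
    }
}
```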

Laravel 5.7 Email Verification Logging User Out

In my Laravel application I am trying to use the verification functionality for newly registered users.
The current functionality is: when a user registers they are shown a page prompting them to check their email. The user clicks the link in the email to verify their email; they are then redirected to /account, which is an Auth-protected route. However, when the user then tries to navigate to another authed route they are redirected to the login page!
From some research, people are saying this is expected and that the user would have to log in again, but this is a terrible user experience to me.
I did try to modify the verify method in the VerificationController like this:
public function verify(Request $request)
{
    $userId = $request->route('id');
    $user = User::findOrFail($userId);
    Auth::login($user);

    if ($user->markEmailAsVerified()) {
        event(new Verified($user));
    }

    return redirect($this->redirectPath());
}
No such luck!
Ideally I want the user to click the link in the email and then remain logged in for their session.
Any help would be great!

Laravel Using Sentry in Middleware

I'm developing a website with the Laravel framework and Sentinel.
I installed Sentinel and it works fine with login and user group data, but when I create my project I don't know how to use it to differentiate a user who has logged in as admin from one who is not logged in. I followed the instruction code like this in the controller:
public function dashboard()
{
    // a middleware registered from inside an action method never runs;
    // middleware is declared in the constructor or on the route
    $this->middleware('sentry.member:Admins');
    return view('admin.dashboard');
}
But when I access the dashboard without logging in, it still opens the dashboard. How do I fix it? How do I redirect the page to login if I'm not logged in yet?
In Laravel, to check whether a user is logged in or not, we do it like this. Of course this works when we have installed Sentry in the Laravel 5 framework.
public function dashboard()
{
    // already logged in: show the dashboard, otherwise go to login
    if (Sentry::check()) {
        // redirecting back to this same route would loop; render the view instead
        return view('admin.dashboard');
    } else {
        return Redirect::to('/login');
    }
}
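For Cartalyst Sentinel (which the question actually uses), an added example that is not from the question or the answer: the role check lives in a middleware class, and the controller declares it in its constructor, the place where $this->middleware() takes effect. The middleware alias, the role slug 'admins' and the login path are assumptions; both classes are shown in one file with braced namespaces for brevity.

```php
<?php
// Added example. Guests are sent to the login page, logged-in users without the
// role get 403, and the dashboard action itself contains no auth logic.
namespace App\Http\Middleware {
    use Cartalyst\Sentinel\Laravel\Facades\Sentinel;
    use Closure;

    class EnsureSentinelRole
    {
        // Register in app/Http/Kernel.php $routeMiddleware as
        // 'sentinel.role' => \App\Http\Middleware\EnsureSentinelRole::class
        public function handle($request, Closure $next, string $role)
        {
            if (! Sentinel::check()) {          // no authenticated user
                return redirect('/login');      // login path assumed
            }
            if (! Sentinel::inRole($role)) {    // authenticated, wrong role
                abort(403);
            }
            return $next($request);
        }
    }
}

namespace App\Http\Controllers\Admin {
    use App\Http\Controllers\Controller;

    class DashboardController extends Controller
    {
        public function __construct()
        {
            // Declared here, so it runs before every action of this controller.
            $this->middleware('sentinel.role:admins');
        }

        public function dashboard()
        {
            return view('admin.dashboard');
        }
    }
}
```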
