For some reason I have had a mind block and can't figure out what is probably a very simple fix.
I have a Laravel 5 App and am using Zizaco's Entrust package for Access Control.
I want to protect a route so am using route Protection in routes.php as follows:
Entrust::routeNeedsRole('passtypes', array('admin'), null, false);
Which works as expected, apart from when a user's session has expired or they are not logged in and try to access the route.
In this case I would want Laravel's Authentication to be checked first, and redirect to the login page; however Entrust redirects to the 403 error first; which is confusing for a user that has ability to view that page, but is told they do not have access, rather than that they are not logged in/session has expired.
I initiate the Authentication in the Controller rather than in the route:
public function __construct()
{
$this->middleware('auth');
}
So just need to know how to get the same functionality, but by having auth get checked before the route permission requirement.
Thanks
I think that Entrust::routeNeedsRole fires before controller. Can you move Entrust to middleware? You could then check in middleware if user is logged in and then check if he has required role.
It's been a while, but I had a similar problem. The only difference, my entire app had to be protected. I ended up modifying Authenticate Middleware handle method:
public function handle($request, Closure $next)
{
if ($this->auth->guest()) {
if ($request->ajax()) {
return response('Unauthorized.', 401);
} else {
/**
* This is to protect the entire app, except login form,
* to avoid loop
*/
if($request->path() != 'auth/login')
return redirect()->guest('auth/login');
}
}
return $next($request);
}
And inside Kernel.php moved Authenticate from $routeMiddleware to $middleware
Then you can protect your routes with Entrust.
Related
I'm really new to laravel and have been reading the documentations and tutorials. I'm planning on making an app that has 2 roles, admin and user. I modified my User model to have the column 'isAdmin' with boolean value since I only need 2 roles. How do I perform a check on this attribute during auth? Thank you.
TO answer your question, first of all to make protect any route using the auth middleware which ensures a user is authenticated (logged in) before they can access the route, you simply need to add the auth middleware.
e.g
web.php
<?php
Route::middleware('auth')->group(function(){
//All Routes which needs user to be logged in
});
or
//Individiual Route Middleware
Route::get('/path/to', 'controller#instance')->middleware('auth');
As for checking user role, you can basically create a middleware for this using the following steps:
run your php artisan make:middleware IsAdminMiddleware
open your IsAdminMiddleware and add this code inside the handle function:
public function handle($request, Closure $next)
{
if(!Auth::check()){
return redirect()->route('login');
}
if(Auth::user()->isAdmin == true){
return $next($request);
}
return redirect()->back()->with('unauthorised', 'You are
unauthorised to access this page');
}
it should forbid that the user grabs this url:
?main_title=banner
?main_title=law
?main_title=faq
with this
if(\Auth::user()->hasRole(['super_admin']))
I am going to assume that you are using spatie/laravel-permission based on your example code.
Laravel Permission comes with built-in role middlewares
One of the ways you could use them is by grouping the routes you want to be accessible only by super admins
Route::group(['middleware' => ['role:super_admin']], function () {
// YOUR ROUTES HERE
});
It's always good to using the middlewares ,
So in your case first create a Trait for roles
public function isSuperadmin(){
return Auth::user()->role->role=='superadmin';
}
After that create a middlewar like superadmin for the superuser and in that first include your trait
use App\Traits\Roles;
after that
use Roles;
public function handle($request, Closure $next)
{
if(!$this->isSuperadmin())
{
return back();
}
return $next($request);
}
and just register the middleware in the app/http/kernal.php in protected $routeMiddleware function
'superadmin' => \App\Http\Middleware\superadmin::class,
so it's make your life very easy now you don't need to check the url or role every time , for any url you want to block for other users just use
Route::get('/?main_title=law', 'HomeController#function')->middleware('superadmin')->name('admin-dashboard-home');
so if the user role is superadmin then he is allow to assess the url you can redirect the other users or show the error message :)
I'm working on a laravel 5.1 application and I want to check if a user session has expired after each request, in order to redirect the user to the login page.
in order to do so I have created a middleware that runs on every request, the handle function looks like this
public function handle($request, Closure $next)
{
if(session_status() === PHP_SESSION_NONE)
{
return redirect()->guest('login');
}
return $next($request);
}
this does not seem to work correctly, because when I type 'localhost:8000' in google chrome it says 'localhost redirected you too many times', I guess it is because the session have not been started since the user is not logged in, so... is there any better way to do this checking?
You can disable middleware in certain routes. by adding the login route to the excepted_urls array. For example, add the following at the beginning of the class:
protected $except_urls = [
'login'
];
or you can disable it in your web.php/routes.php depending of the version of Laravel you're using by employing route grouping
I'm writing a server based solution. In database there are many users with different permissions and I have to check if they have permission to access module they are trying to.
In every Controller I have included something like:
protected $module = "moduleName";
I tried to solve it like:
function __construct()
{
$perm = session()->get('perm');
if (!isset($perm[$this->module]) || !$perm[$this->module]) {
Session::flash('message_error', "<span class='glyphicon glyphicon-warning-sign'></span> Access denined!");
return back();
}
}
It shows the message but it still displays the page not redirects back.
As you see I'm reading permissions from session and modules name is saved in controller so I don't think this could be solved by middleware unless I'm making middleware for each module (I'm talking about 30 modules).
Thanks for taking the time to read this
Middleware actually solved this.
Route:
Route::group(['middleware' => 'module:moduleName'], function () {
// Routes...
});
Custom middleware:
public function handle($request, Closure $next, $module)
{
$perm = session()->get('perm');
if (!isset($perm[$module]) || !$perm[$module]) {
Session::flash('message_error', "<span class='glyphicon glyphicon-warning-sign'></span> Access denined!");
return redirect()->back();
}
return $next($request);
}
Also I'll mention that Route groups can be nested. So you can wrap multiple groups with something like auth middleware as well
There is a very easy fix to your code, you forgot the define the redirect, so instead of using
return back();
use
return redirect()->back();
This will do the redirect.
There is also a mistake in your reasoning, you could and probably should use middleware.
Middleware does have access to the user, session and can be passed parameters. These are the necessary requirements for your system.
You can also assign middleware on a controller basis.
I am on page : http://laravel.dev/lists
which shows me list of item
Item 1
Item 1
Item 1
but above item can only accessible to authorized user
Issue
when i click on Item 1 so if user is not logged in then it goes to http://laravel.dev/login then user proceed to login but after login it must redirect to http://laravel.dev/lists/1 but it is redirecting to http://laravel.dev/home.
I have tried
public function showLoginForm()
{
session()->put('url.intended',url()->previous());
// or
session()->put('url.intended', url()->current());
return view('user.auth.login');
}
but above is not working, it is redirecting to http://laravel.dev/lists
laravel own auth is working fine.
but hesto multi-auth is not working
I am using this Hesto-multi-auth package for multiple authentication like admin, user, employee
is there any solution for this
If you're using the default user Authentication system in Laravel, and if you added auth middleware in your routes, it's automatically done by Laravel.
In your routes:
Route::group(['middleware' => 'auth'], function() {
. . . Your Routes goes Here
});
You can take a look at the docs https://laravel.com/docs/5.4/authentication#protecting-routes
You can use middleware. For example :
Route::get('lists/{id}', function () {
//
})->middleware('auth');
Please refer here : https://laravel.com/docs/5.5/middleware for more information
First of all find the place where you redirect unauthenticated user to the login page (probably in app/Exceptions/Handler.php function unauthenticated) and save to the session current url ("/lists/1") before redirect.
Afrer that add in your Auth controller property $redirectTo and fill it from the session or define method redirectTo (method also nust return url).
Out of the box laravel redirects to /home because of trait /Illuminate/Foundation/Auth/RedirectsUsers.
You can try this idea: After you've successfully logged in, you'll be redirected to the page you want (e.g. http://laravel.dev/lists/1)
Auth::attempt(...);
return redirect()->route('the name of your route here where redirected to http://laravel.dev/lists/1');
What you had tried in the showLoginForm() won't be work, because neither url()->previous() nor url()->current() you specified were not the url you want.
Solution:
Changed in the middleware:
public function handle($request, Closure $next, $guard = 'user')
{
if (!Auth::guard($guard)->check()) {
session()->put('url.intended', \URL::current()); // Add this line
return redirect('user/login');
}
return $next($request);
}