So I'm new to Laravel and trying to make a permissions system for the users on my application. Here is my approach:
1) Place a column in users table with the name 'permissions'
2) Create a table of permissions with columns id and page-name
Here's how it will work:
Each page will be assigned an ID. For example, the page Manage Accounts has id 1 and the page Manage Customers has the id 2 in the permissions table.
In order to give user full access to Manage Accounts and view only access to Manage Customers, I will make the following entry in the permissions column for the user 1.1111,2.1000
Now when the user will land on the Manage Accounts page, I will get the page id for the current page from the permissions table, i.e. 1. I will then convert the string value from the users.permissions column in the following format: array('1' => '1111', '2' => '1000');. Now I can get the user permissions saved against the ID of the page by $permissions['1'];.
I will then have a function to parse the 4 digits and get boolean values for the following in the exact order:
$canView = true;
$canAdd = true;
$canEdit = true;
$canDelete = true;
Now inside my page, I can easily put checks and display items accordingly.
Questions
1) So first question. Is this a good approach? Or are there better ways for going about this? I like this approach because I only have to add one more table in the database and it will only have as many entries as there are pages on my application, which aren't many. And it also means that I will only have to access the database once and I can then keep on using the values in the variable.
2) Should I create a separate class for permissions? I'm new so I don't completely understand the Eloquent class. But is that something I should be using for this? Or should I just add the functions that I need to create to the users class?
3) Where should I store the values of $canView, $CanEdit etc. Should I place them in the class for permissions and create an object for it? Or should I just use the Users class and access them using Auth::? I do not want to use Session, I don't think it to be safe.
4) Can I somehow have the permissions autoload every time a page is opened? I was looking into beforeFilter, and thinking of creating adding it to the constructor of each controller. Is that a good idea?
Thank you so much for your time and help.
Cheers
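The "pageId.VAED" permission string described in the question, as an added example that is not part of the original post: a strict parser that rejects malformed or duplicate entries (so a corrupted column fails closed rather than silently granting rights) and a default-deny lookup. The class name PagePermissions and its method names are assumptions.

```php
<?php
// Added example (not from the question or any answer): parses the per-user
// permission string "1.1111,2.1000" (pageId.view/add/edit/delete) into flags.
// PagePermissions, fromString() and can() are assumed names.

final class PagePermissions
{
    /** @var array<int, array{view: bool, add: bool, edit: bool, delete: bool}> */
    private array $flags = [];

    public static function fromString(string $raw): self
    {
        $self = new self();
        $raw = trim($raw);
        if ($raw === '') {
            return $self;                   // no entries at all: no rights on any page
        }
        foreach (explode(',', $raw) as $entry) {
            // Accept only "<positive int>.<four 0/1 digits>"; anything else is rejected
            // so a corrupted or hand-edited column cannot silently widen or drop access.
            if (!preg_match('/^([1-9][0-9]*)\.([01]{4})$/', trim($entry), $m)) {
                throw new InvalidArgumentException("Malformed permission entry: '$entry'");
            }
            $pageId = (int) $m[1];
            if (isset($self->flags[$pageId])) {
                throw new InvalidArgumentException("Duplicate entry for page $pageId");
            }
            // Digit order is the one the question fixes: view, add, edit, delete.
            $self->flags[$pageId] = [
                'view'   => $m[2][0] === '1',
                'add'    => $m[2][1] === '1',
                'edit'   => $m[2][2] === '1',
                'delete' => $m[2][3] === '1',
            ];
        }
        return $self;
    }

    /** Default deny: a page that is not listed, or an unknown action, means no access. */
    public function can(string $action, int $pageId): bool
    {
        return $this->flags[$pageId][$action] ?? false;
    }
}

// Constructed sample value standing in for users.permissions.
$perms = PagePermissions::fromString('1.1111,2.1000');
var_dump($perms->can('delete', 1));   // full access on page 1
var_dump($perms->can('edit', 2));     // view-only on page 2
var_dump($perms->can('view', 3));     // page 3 is not listed at all
```

Parsing once per request (for example in a base controller or middleware, as question 4 suggests) keeps the single database read the questioner wants while still re-validating the stored string every time.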
Why reinvent the wheel? Take a look at https://github.com/Zizaco/entrust
I want to make middleware for my app to do this logic for me:
Allow registered user access the panel for 60 days (based on created_at column of users table)
Then forbid the user from accessing the panel unless an admin gives access to the user (this access will be recognized by a second table where user_id will be defined)
What do I need?
I don't need you to give me codes (unless you want to show sample) but the main thing that I'm asking here is your ideas and solutions.
What do you think of this logic? or if you have any better idea? etc.
Is using middleware a good way to achieve this or not?
For my little idea I think you can use middleware, and it's the best way until someone offers something that I didn't know (I don't know much). The middleware retrieves the user who issued the request and first checks whether he is eligible for the trial period based on his registration date. If not, it checks in the second table whether the admin has given him access.
I like the idea but I think you could solve your problem with a column on the users table named something like 'access' which would be a boolean value. This value would be true when users register and allow the user to view the panel if the column is true.
Then, after 60 days have passed from the created_at column, change the 'access' column to false. You could check the created_at column in a scheduled command or job that runs each night and changes the column to false for users that have passed the 60-day limit.
Then in an admin UI or admin command you could just simply change the 'access' column back to true for certain users.
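The panel-access rule discussed in this question and its answers (trial for 60 days from created_at, then only with an admin grant), as an added example that is not part of any post here: a plain PHP decision function that a middleware can call, written so it is testable outside the framework. The class name PanelAccess, the method isAllowed() and the boolean $adminGrant (standing in for a lookup in the grants table) are assumptions.

```php
<?php
// Added example (not from the question or any answer): the "60-day trial, then
// admin grant" rule as a pure function. PanelAccess and isAllowed() are assumed names;
// $adminGrant stands in for "a row for this user exists in the grants table".

final class PanelAccess
{
    public const TRIAL_DAYS = 60;

    public static function isAllowed(
        DateTimeImmutable $createdAt,     // users.created_at
        bool $adminGrant,                 // result of the grants-table lookup
        ?DateTimeImmutable $now = null    // injected for tests; defaults to the current time
    ): bool {
        $utc     = new DateTimeZone('UTC');
        $now     = $now ?? new DateTimeImmutable('now', $utc);
        // Compare in one zone: created_at and "now" stored in different zones can
        // silently lengthen or shorten the trial by hours.
        $created = $createdAt->setTimezone($utc);
        $nowUtc  = $now->setTimezone($utc);

        // A created_at in the future is corrupt data: never treat it as a valid trial.
        if ($created > $nowUtc) {
            return $adminGrant;
        }
        $trialEnd = $created->modify('+' . self::TRIAL_DAYS . ' days');
        $inTrial  = $nowUtc < $trialEnd;    // the 60th day itself is already outside the trial

        return $inTrial || $adminGrant;
    }
}

// Constructed sample data standing in for users.created_at and the grants table.
$now        = new DateTimeImmutable('2024-03-01 12:00:00', new DateTimeZone('UTC'));
$registered = new DateTimeImmutable('2024-01-15 09:30:00', new DateTimeZone('UTC'));  // 46 days earlier
$expired    = new DateTimeImmutable('2023-12-01 09:30:00', new DateTimeZone('UTC'));  // 91 days earlier

var_dump(PanelAccess::isAllowed($registered, false, $now));   // still inside the trial
var_dump(PanelAccess::isAllowed($expired, false, $now));      // trial over, no grant
var_dump(PanelAccess::isAllowed($expired, true, $now));       // trial over, admin granted
```

Evaluating the date on every request, as the middleware answer proposes, avoids the window a nightly job leaves between the trial expiring and the 'access' column being flipped.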
I've got a method that deletes a user from a company and would like to do a check to make sure the company will still have an admin left within it.
I'm using the method below, and the snippet is not working when adding a third parameter. How can I pass more than one variable to it?
$this->authorize('companyHasAdminAfterDelete', $privilege->company, $user );
Can you just perform a simple check before deleting the user to check how many people with admin role are left?
If there's only one before delete then you know that probably he should not be deleted etc.
I find several partial solutions in answers to this question, but a common answer seems to be absent.
So, I have a table users with columns user_id, user_name. On each static page of website I want to display all user names of users who currently view this page.
Should I have a table views with columns user_id, webpage_link?
If yes, when shall I update the data in the webpage_link column? How can I connect the code from the following answer with the MySQL database: Is there a way to detect if a browser window is not currently active? (If it is OK for this purpose.)
Making updates very often is not very good. Also, the user may view several pages (for example, in 2 or more tabs). What type should the webpage_link column have in this case?
With every HTTP request, you get a $path variable. If you also have a logged-in user, you can store which page this user requested last (e.g. in a table like you described, but only storing the relative path).
You update this information on a per-request-basis in some sort of front-controller. (just make sure you put it where it is called for every authenticated page). When the users session times out, you remove the row of that user from the table.
This case is a little more difficult. You could store the last n pages/paths the user has requested and leave the rest as above. You don't have to change the table structure for that, just allow for multiple rows per user. (The combination user_id + path should be unique, though.)
Hope that helps to get you started
I'm creating a website in which users can create some profiles.
All profiles must be open for viewing only to users that the creator has chosen. The others won't be seeing them.
Using Angular, you can easily create pages using routes, so for each new page you will have something like:
www.example.com/profiles/profile/1
www.example.com/profiles/profile/2
www.example.com/profiles/profile/3
etc.
But, say, you own profiles 1, 2 and 3; you can still easily view profile/4, profile/5, etc.
How can you implement a system that prohibits viewing, or shows less data than the access-granted users see?
Thank you.
As told, the answer should be server side. Authentication should always be server side.
In your case, you need to query the database only once, like you have done so far; actually the correct term would be just sending an HTTP request to your API (as the HTTP request is doing the DB queries). That HTTP request should start by checking what kind of permissions you've got and return the appropriate data (a limited list of users, a specific user, or an error that you don't have access to that specific content).
I hope it makes sense to you.
If using a database, you can add a column AccessRights:
0 = Basic
1 = Profile 1
2 = profile 1/2
etc
Different integers of AccessRights will let you access different things.
And to stop people with AccessRights 1 from accessing AccessRights 3 material:
if ($Accessrights < 3)
{
    die("You Cannot View This");
}
It will be up to you to assign a variable for $Accessrights or something.
Hopefully this is something you're looking for.
So do I have to query the database on each page a user visits? Wouldn't that be too resource-intensive?
The access system that I want to create is something in the same vein as facebook.
You can see your pages and your friends pages, but you cannot see the private pages.
You can edit your profile, but not other people's profiles.
Is this the right way to go?
You could check if the user is viewing his own record or if he is allowed to view any record:
<?php
define('USER_TYPE_ADMIN', 1); // role constant; define it once in your app configuration

$iUserType = USER_TYPE_ADMIN; // constant
$iUserId = 5; // this and user type can be stored in session after login
$iViewProfileId = 5; // this should come from the request parameters

if (($iViewProfileId != $iUserId) AND (USER_TYPE_ADMIN != $iUserType)) {
    // error, user is not permitted to view the record
}
I'm pretty new to using CakePHP but I'm already finding it incredibly useful for rapidly developing web apps.
However, I was wondering if there is a way to restrict access to certain objects in a non-standard way. For example, if I was to create a single CMS system that allows users to create a "site", how can I assert that the users (multiple) have access to that particular site?
I could check this in my site controller, but would I need to check this for every single controller on my site? For example, I would need to check that the current Page, News, Contacts, Files etc. being edited belongs to the site ID and the user has access to edit it.
i.e., thecms.com/pages/edit/123 (how can I be sure user 9 can edit page 123, which belongs to site 2?)
I'm assuming this is outside of what ACL can offer as they're entity specific. Is there any easy way to do this?
I assume that you already know about CakePHP's Auth and ACL component, which can provide ways for restricting content. But it's also true what you say: that CakePHP's ACL is 'entity-specific' and not the best option for a 'per-record' basis (e.g. user 3 shouldn't access article 7). So I propose this code; try it and let me know:
Within the app/app_controller.php file:
<?php
class AppController extends Controller {

    // $aro: id of the logged-in user; $aco: id of the record's owner (or any id to compare against)
    function checkPermission($aro, $aco, $loggedUserRole = 'User') {
        if ($loggedUserRole != 'Admin') {
            $permission = ($aro == $aco);
            if (!$permission) {
                $this->Session->setFlash('You cannot access that.');
                $this->redirect('/somewhere');
            }
        }
    }
}
Then, within the action that you want to restrict, put:
$this->checkPermission($this->Auth->user('id'), $someId, $this->Auth->user('role'));
So, the checkPermission() function does the following:
When called, you pass an id for the user you want to authorize, an id of the thing the user is trying to access, and also a role (so it is assumed that there is a column of 'Role' within the users table; also, $this->Auth->user('id') means the user session data automatically stored by the Auth component). The checkPermission() method then checks if the passed role is not an admin (supposing there will be admins who will have access to all), and then checks equality of both the $aro and $aco parameters. If not, then it redirects somewhere with a message of 'forbidden'.
Now, the $aco parameter can be a variety of things. For example, suppose you are making a function for editing a user's account, which takes an argument of $userId. So you compare the logged-in user's id (from $this->Auth->user('id')) with the passed $userId. If not equal, it means the logged-in user should not be editing that user record.
Another example:
You have an action for deleting an article, which accepts an $articleId argument. You can fetch the article from the database and then pass the article's user_id value as the $aco, before deleting the article. Again, the logged-in user would be kicked out if such user_id is not him.
I hope this solution serves you well.