I am wondering how in laravel 4 the following is possible. I have a filter to check if a user is authenticate on all routes that have user/*. My filter works as it is suppose to but lets say that a user is logged in their url will look something like this user/id. How do I prevent an authenticated user from viewing another user?
another approach is to change your urls..
why have url like user/{id} ?
just change it to for example
user/profile
and inside the controller do something like:
$user = Auth::user();
that way the user just cant fake is id..
i only use urls with the id in the admin area where i need to edit some user:
/admin/{id}/edit
In your Auth filter you can access the route parameter ('user/{id}') and can check logged in user's id with the id passed in the url like
Route::filter('auth', function($route)
{
// get the id from rouqe
$id = $route->getParameter('id');
if( Auth::check() && Auth::user()->id != $id) {
// not authenticated user, so access is denied
return Redirect::to('/');
}
});
If it is a blanket policy that a user can only view their own profile then could you just check that the id from user/{id} route matches the current user id from the login session, eg. in the profile controller something like:
public function getProfile($profile_id) {
if (Auth::user()->id != $profile_id) {
//this is not your profile - don't be nosey!
} else {
//have you got nothing better to do than look at yourself all day!
}
}
Glen
Related
I need to manually login a user in Laravel 5.7 via Auth. Once I run Auth::loginUsingId($userId, true) I then relocate the user to his Account page.
The point of this is for a user coming through a token can be logged in into the website, without adding his credentials again.
I've tried anything I could find online, including moving the Session from MiddlewareGroup to Middleware, checking the Cookie name and some other things that didn't work.
My Controller looks something like this:
public function loginExternal(Request $request) {
$userId = $request->uid;
Auth::loginUsingId($userId, true);
redirect()->to('/account')->send();
}
and the route for it is pretty simple:
Route::get('/oneclick/{token}', 'Auth\AccountController#loginExternal')->middleware('signed')->name('oneclick');
I would expect the user to be logged in and taken to his account automatically. Now it just sends me to the login page.
What I noticed is that the loginUsingId() method generates a new session id only in this controller, but in other pages of the website, the website is using a different session, the same one (which should happen).
I need to mention that the user does get loggedin in the LoginExternal method. It just doesn't persist to the account page.
Any ideas?
In controller:
public function loginExternal($id) {
$user = User::find($id);
if($user){
\Auth::loginUsingId($id, true);
return redirect('/account');
} else {
return redirect('/')->with('error_message', 'No user found!');
}
}
In route file (web.php)
Route::get('/oneclick/{id}', 'Auth\AccountController#loginExternal')->name('oneclick');
I am currently in the process of trying to understand how Laravel functions. And my biggest question is the authentication process. Lets say i have an admin panel and a user panel. I have a column in the "users" table for "user_type" and 1 = normal user and 2 = admin user. When a user logs into the user login form laravel checks the users info and makes sure that the type is 1 for a normal user login. If it is, it sets a session. But how do i check if the user logged is a admin or normal user. Any help is appreciated greatly! :D
First in your web.php you can do this:
Route::post('/login', 'Auth\LoginController#determineLoginType')->middleware('guest');
And in your LoginController.php you can do something like this:
public function determineLoginType(Request $request)
{
/**
* Here I am assuming that the email field on your user model is unique,
* therefore I am retrieving that specific user by the email they provided
* at the login form
*/
$user = \App\User::where('email', $request->email)->first();
if ($user && $user->user_type == 2) { // Check if the user exists & check their type.
return redirect('/admin-dashboard'); // If they're an admin redirect them to the admin dashboard.
}
return redirect('/home');
// Otherwise proceed normally and redirect the user to the normal home or dashboard.
}
Of course you should extends this to include what if they user provided an invalid email, so you should redirect them back with the input and errors for example, hopefully this is similar to what you're looking for.
You can simply do:
if (auth()->user()->user_type == 2) {
// Do admin stuff
}
Otherwise you can add a function in your User.php
public function getIsAdminAttribute()
{
return $this->user_type == 2;
}
Then you can do the following:
if (auth()->user()->is_admin) {
// Do admin stuff
}
I am making a website which will have user login. Login form now leads to admin panel if your role is admin (route is behind admin middleware), and it leads back to home page if your role is user. Back on the home page you have the ability to see your profile page and add a product (which is behind auth middleware).
My question is what is the best approach to form my routes?
If I make site.com/user/{id} route, user ID's will be exposed to each user which logs in, as well as for example editing a product with site.com/user/{id}/product/{product_id}.
I see some security issues here and am wondering if a better solution is making site.com/profile route which will in turn in controller take Auth::user() not exposing ID's in the process?
Add your route without the ID and use Auth::user() It's best practice and makes your routes simpler
Public function profile(){
$user = Auth::user();
return view('profile', compact('user');
}
The above code is more straight forward than this:
Public function profile($id){
$user = User::find($id);
//prevent authenticated from viewing other users
if($user == Auth::user()){
return view('profile', compact('user');
}else{
//return something else
}
}
If you are worried about exposing user ID you can try use something like hashids, where ID will be encoded.
Here you go:
encode the id and product_id with base64_encode()
Example pass the id and product_id in url by encoding with base64_encode()
and when you want to use it use like this:
Route::get('user/{id}/product/{product_id}', function($code){
$id = base64_decode($id);
$product_id = base64_decode($product_id);
});
I have different type of users in my application. Ex: Super Admin, Client, Staff and HR.
Now I want to give all access to Super Admin and some for Client and some for Staff and some for HR also.
Lets say I have 3 section
a) Manage Staff
b) Manage Clients
c) Manage Projects
d) Manage Designation
Now I want to give access super admin a,b,c & d And for Client only C And For Staff Only c & d And for HR only a.
I have done it by checking the User type form my user table. (Not Right Way)
Lets Say I have a URL localhost/myApp/staff [ this can be access by Super Admin]
But when I logged in as Client and I hit the above URL then He/She is able to get the list of staffs, Which I want to restrict and redirect back him with some message.
How can I achive this in Laravel 5.4. Thanks in advance.
You need to use middleware for that.
See in the doc:
https://laravel.com/docs/5.4/middleware
A little example
public function handle($request, Closure $next)
{
$user = $request->user();
if ($user && $user->isAdmin())
{
return $next($request);
}
return new RedirectResponse(url('/home'));
}
}
With a middleware like that , if the user is Admin he can go on the page if not it will be redirect on the homepage.
The isAdmin is a function , you gonna need to create in your user Model like that.
public function isAdmin()
{
return $this->groups->name =='Admin';
}
In the function for the staff url check the type of user:
function staff(){
if(Auth::user ! = 'super-admin')
return redirect('/')
}
else{
//show the staff
}
You need check this page out Authenticate A User Instance.
Authenticate A User Instance
If you need to log an existing user instance into your application, you may call the login method with the user instance. The given object must be an implementation of the Illuminate\Contracts\Auth\Authenticatable contract.
Auth::login($user);
// Login and "remember" the given user...
Auth::login($user, true);`
Of course, you may specify the guard instance you would like to use:
Auth::guard('admin')->login($user);
You can follow the Laravel documentation or add a new field called 'role' or what ever to authenticate.
What would be the best way to work with sessions CodeIgniter to do the following ?
I have users with a role and a company that are stored in a database.
I want identify user role and company without do :
if($roles == 'Editor'):
// do something
endif;
In each controller or method.
Example :
If users is logged a function in header checks that and if not it redirects to the homepage.
Have you considered using an authentication library? Tank Auth is a good solution and if you need roles you can try the Tank Auth with Roles library.
Also, if you want to check if a user is logged in you can add the code to the constructor of your controller.
function __construct() {
// Check the user is logged in / roles / etc
if( ! $roles == 'Editor' ) { redirect('welcome'); }
}
Just add this code inside the class and it will run for any page within that controller.