I'm coding a app for car selling, i'm stucked with auth component.
I have 3 kind of access:
admin: app owner
dealers: the owners of car dealers
user: people who whach car offers and make questions etc
i'm not working with roles, ech one (admin, dealer and users) has an username and password from diferent models, so i'm very lost.
i'm not asking for codes, i just wanna a good explanation about how can i deal with auth assuming this scenario.
Well it's just a matter of allowing/denying access for a certain user. If you can recognize the users model in controllers beforeFilter method, you can allow/deny access accordingly with $this->Auth->allow() or $this->Auth->deny() (in beforeFilter method). So maybe you can put some pseudo-role in the session after the login if you don't wish to have it in the db table. You can then put Auths allow/deny in conditions on the pseudo-role stored in Session.
Or have I misunderstood the question?
UPDATE
I just realized that you are probably refering to actual login. Changing the default Model is documented in CookBook. See userModel configuration key. Keep in mind that you are supposed to change this in beforeFilter method.
Related
I have a project which includes admin and user section. Both section use the same controllers, just different functions and templates (ex: viewAdmin() and viewUser()). In function beforeRender() of every controllers, I set variable $admin as true for admin functions and false for user functions.
For authentication, I use Shibboleth. Shibboleth uses data from LDAP, while user types were saved in SQL-Database, that means while it can check if the login and password are false, it can't check if the user is admin or not. An user can go to ADMIN section as long as they use the right action (ex: go to the link http://example.com/tool/viewAdmin).
To prevent this, I will have to:
Load model Users
Compare the environment variable uid (login name) with the "login" columns in Users table in my SQL-Database
See the "type" column in Users table to know if user is admin or not.
Compare the result with value of $admin and redirect to an error page when necessary.
The problem is: I don't want to repeat those steps for EVERY controllers.
Currently I have 2 ideas:
Write a function in UsersController, and use it in every controllers.
Create a component and load it in every controllers.
Both methods require me changing code in all controllers. I would like to hear a better way with less work, perhaps by changing app.php or bootstrap.php.
Any suggestion is appreciated.
To share methods in CakePHP controllers you can do:
Create component and include in controller
Or create method in AppController and use it in child controllers
Or PHP way create Trait.
But when you authorize users, then all user data is stored in session, incl. is user roles (example admin, regular, member,.. )
Use the official CakePHP authentication plugin and extend the LDAP adapter with the additional code check you need. This is very easy to do and also a very clean way of solving the problem. Disclaimer: I'm one of the authors of the authentication plugin. https://github.com/cakephp/authentication
Or if you want to stay agnostic to any framework, use my library that is based on the authentication plugin and was decoupled from any framework but still works just nice with Cake https://github.com/Phauthentic/authentication.
I am quite new to Laravel, but get most of the basics by now.
Currently, I build an application, where multiple companies each get an account that represents their main user, let's call him CompanyAdmin.
This user is allowed to create new users for this company and able to view all quotes from the company.
The newly created users, call them CompanyEmployee, can not create new users and only view the quotes they created themselves, as well as creating new quotes.
Now there is of course one SuperAdmin, which sits on the other side of the table. He views all quotes from all companies, is able to do create users as he pleases and can accept/edit quotes.
My current approach to do this would be to attach a user_id to all quotes and attach the users to a company, as well as giving them a role.
All the logic would take place in the controller, where I would check the role of the user and therefore read/save only the quotes, the user is able to edit.
However, it feels very dirty to do so and sounds like a lot of effort to maintain. If you would e.g. make another role for an employee of the SuperAdmin, you would need to change every controller.
I could not find a way to define the access rights per role per model, so when I call Quotes::all() it only retrieves the legal ones (same goes for saving of course).
Please guide me to a Laravel feature (or even package, but I have not used one before) that helps me get things done.
Looking forward to possible solutions that lead to low maintainance.
Best regards!
For authenticating different types of users and protecting group of routes that particular type can access you can use guards, for authorizing CRUD actions you can use FormRequest, I think you have everything you need under these 2 links, ofcourse you will need to read up on these, this is a good starting point. As for tables, you can have these:
users, roles, companies, user_role, user_company
And models:
User, Role, Company
from the doc
In addition to providing authentication services out of the box,
Laravel also provides a simple way to authorize user actions against a
given resource. Like authentication, Laravel's approach to
authorization is simple, and there are two primary ways of authorizing
actions: gates and policies.
Laravel has 2 concepts called Gates and Policies which we can inject it on models,(specially Gates), So when ever the queries are called upon the Model, the Gates make sure that the user has appropriate permissions.
You can read more here
I have got a web project which has 3 types of users, say root admin, a super admin and kitchen admin. Each user or role has different functionalities: root admin will create super admin and other small functionalities, same way super admin would be creating kitchen admin and other functionalities and kitchen admin has its own functionalities say handling orders.
I wanted to know whether would it be a good idea to make separate laravel setup for each users or all these users can be developed in one laravel setup?
A small lead on this would be a great help since I am new at laravel.
You could make separate setups for each users. That would work. But would also be difficult to maintain and you might have to write some functions 3 times (login, logout, CRUD, etc.).
However, you could create a single project using Authorizations. Out of the box, Laravel gives you an easy way to authorize and restrict some actions via Gate or restrict models via Policy. You could also restrict URLs via Middleware. See you have 3 different ways of restricting actions.
My personal preference is Policy because it's bound to the model. You have a list of permissions and give each role their permissions, eg.: 'create_sys_admin'. Then link this permission to the 'root_admin' role. so in your policy you can write:
public function createSysAdmin(User $user) {
return $user->role->permissions->contains('create_sys_admin');
}
With the policy defined, we can check for propser permission in the controller. In any function in your controller you can always check for proper permissions
if ( Auth::user()->cant('create_sys_admin', User::class) ) {
return redirect()->back()->withErrors(['authorization' => 'You are not authorized to perform that action']);
}
That was just one way. As I previously said, you have Gates and Middlewares as well. Read more here: https://laravel.com/docs/5.4/authorization
If you want something already made, you can use this package: https://github.com/Zizaco/entrust.
I have only just started using CakePHP (v2.4.1). I did a fresh install, then I created my database structure and did a cake bake to create all modules, controllers and views. Great! I have also created a login using the Auth component.
I have a users and user_types table along with a user_types_views and a views table as part of the database structure and I want to be able to give access to particular views at usertype level. So I need to reference the database to see if there are any user_types_views records for the usertype logged in, and set the access to authorised for each of these views.
Is this the best way to do it? and are there any hidden little gems in CakePHP which may speed up the process(like the 'cake bake' options).
the CRUD permission setup would do this for you. you'd have to set all the $permKeys to 1 or -1 for access or deny at each function(view) level.
remember to use Crud as the authorize option in the auth properties.
I want to provide specified actions for different role in Symfony 1.4 project.
Project contains several database tables which values can be modified only by certain roles.
For example, an administrator gains access to CRUDs for all models.
Another role (let it be a consultant) can only retrieve (not modify or remove) results from specified models (not all).
How can I support such a feature in symfony?
I assume that roles for the project will be specified in advance.
One solution I was thinking about is creating modules and actions for each role separately (crud panels + one logging interface), but it sounds like a huge job.
Just wondering what the smarter way is.
I think the best way to achieve that is definitively credentials (it is for sf1.2 but ok for 1.4).
I recommend you to use sfGuardDoctrine to use some groups with associated permissions (which are credentials). You define a group admin, consultant, etc .. You associate some credentials, like modifiy, remove, create, edit, etc ..
And then, every time a user will log in, it will automatically have defined credentials (associated to him or by his group).
After, you have to check for every action if the user has can perform it:
if($this->getUser()->hasCredential('modify'))
{
// authorized action
}
Here is some more documentation for sfGuard (related to sf1.0 but it is good to understand how it works).