Cerbix

Member Since 2 Years Ago

Dec 14 (2 months ago)

Started a new conversation: Laravel Passport Limit A Users Access To Own Content

So I searched around and couldn't find any questions/answers that fit my specific use case.

I have a resource controller, we'll call it SettingsController. This controller is designed to allow a client to go into our dashboard and adjust all their settings with the "Store" and "Edit" functions inside the controller.

Then it is output as a JSON API resource collection through the "Show" function.

I installed Laravel Passport, and put the auth:api middleware into the SettingsController.

    $this->middleware('auth:api', ['only' => ['show']]);

Now the client would generate an access token in our dashboard, and put it into our remote app installed on their website. Then that remote app would be able to make calls to the Settings API to get the needed information for that client's setup.

This works all fine and dandy with the exception of one issue, and that is that any client can use his access token to access any other client's settings/details. I.e.: Client #1 can view Client #2, #3, #4 (and so on) settings/details using their own access token (and vice versa).

All they have to do is change the URL link from /api/{client_id #1} to /api/{client_id #2}, and their access token works for them all. As one could imagine, being able to see other people's details could lead to leaks of said details.

So my question is, is it possible to limit a client's access token to only view content that belongs to the same user_id as the access token creator? Making it so if Client #2 tries to access Client #1's settings with their own access token, they would get an unauthorized response.

I was thinking maybe this could be done using a scope, but not sure.

Thanks for your help.
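One way to close the hole described in this thread, as an added example and not the poster's code: the ownership check is done in the controller, where the token has already been resolved to its owning user. It assumes a Setting model with a user_id column, a SettingResource, a User::settings() hasMany relation, and an api.php route of the form Route::get('settings/{setting}', 'SettingsController@show').

```php
<?php
// Added example, not the poster's code. Assumes a Setting model with a
// user_id column, a SettingResource, a User::settings() hasMany relation,
// and an api.php route Route::get('settings/{setting}', 'SettingsController@show').

namespace App\Http\Controllers;

use App\Http\Resources\SettingResource;
use App\Setting;
use Illuminate\Http\Request;

class SettingsController extends Controller
{
    public function __construct()
    {
        // Passport turns the bearer token into $request->user(), the token's creator.
        $this->middleware('auth:api', ['only' => ['show', 'mine']]);
    }

    // Option 1: keep {setting} in the URL, but refuse any row whose owner is not
    // the token's owner. A Passport scope cannot express this: scopes limit what
    // a token may do, not whose rows it may read.
    public function show(Request $request, Setting $setting)
    {
        // 403 as the poster asked for; use 404 instead if you would rather
        // not confirm to other clients that the id exists.
        abort_unless((int) $setting->user_id === (int) $request->user()->id, 403);

        return new SettingResource($setting);
    }

    // Option 2: take no client id from the URL at all and derive the rows from
    // the token, so there is no identifier for a client to swap.
    public function mine(Request $request)
    {
        return SettingResource::collection($request->user()->settings);
    }
}
```

Option 2 is the safer default for a "my own settings" endpoint, since the authorization decision can no longer be forgotten on a new route.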

Sep 13 (5 months ago)

Replied to: Single Admin Registration With Laravel:auth

After doing more research on the forums, I didn't find exactly what I needed. But I think I came up with a reasonable way to get around this without being too much work, or posing much of a security risk.

So I just created a new middleware.

MaxAdmins.php middleware:

    <?php

    namespace App\Http\Middleware;

    use App\User;
    use Closure;

    class MaxAdmins
    {
        public function handle($request, Closure $next)
        {
            $users = User::count();

            // Once any user exists, refuse the registration POST.
            if ($users > 0) {
                return redirect('/')->with('alert', 'Maximum quantity of Admins already registered!');
            }

            return $next($request);
        }
    }

Assigned it in Kernel.php:

    protected $routeMiddleware = [
        'maxadmin' => \App\Http\Middleware\MaxAdmins::class,
    ];

Then in the routes file, I extracted out the POST request for register and attached that newly created middleware.

web.php file:

    Auth::routes();
    Route::post('register', 'Auth\RegisterController@register')->middleware('maxadmin');

Now they can still view the registration form, but when they try to submit the form it will pass through the middleware. If the current user count exceeds 0, it will fail and redirect the user back to the home page with an error saying the maximum amount of admins has already been reached.

Since it instantly redirects away from the register POST before it accesses the controller and enters details into the database, I can't see any reason why this would potentially cause any security risks?

I may also add an environment variable that allows them to increase the number of admins that can register as well.

Replied to: Single Admin Registration With Laravel:auth

I thought about seeding it automatically during deployment. But the issues I foresaw were:

#1: This is an open source project, so I can't predict any aspect of a user's desired login/email.

#2: Being open source, if they don't change away from the default login details, it's potentially open to any attacker that finds the source and therefore the defaults.

#3: Having the most novice of users find and fill in their desired details into a seeder on a command line isn't very intuitive, and would require more work on educating them how to do it in the long run.

Sep 12 (5 months ago)

Started a new conversation: Single Admin Registration With Laravel:auth

So I'm working on a small project for a dashboard that connects to a user's personal site via a plugin. It just collects some details and saves it all in the dashboard for that admin to view later.

Now for this I need just a single user registration. (Only the 1 admin, nobody else will ever register/login.)

I found I could easily use the built-in Laravel Auth package for this. And then once the admin registers, just use this inside the web.php file:

    Auth::routes(['register' => false]);

And that would disable all registration forms for anyone else that tries accessing the site later. But making the admin go into the files and change that value from "true" to "false" after he creates his account can cause unnecessary complication, and if they forget to do it, it could easily allow other users to register and view these collected details. (which the admin would not want.)

So I was trying to think of a way to make it automatically disable registration after one user makes an account. Something like this:

    // Pull the User model into web.php just to count existing accounts.
    $users = App\User::count();

    if ($users >= 1) {
        Auth::routes(['register' => false]);
    } else {
        Auth::routes(['register' => true]);
    }

But would it be okay to pull the users model into the web.php, and use it to count the amount of users in the database to accomplish this 1 admin registration max rule?

Or would this be considered very messy? And there's a better alternative one could suggest?

Thanks for your time.
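The question above and the MaxAdmins middleware in the poster's later reply both hinge on "count the users, then decide"; this added example (not the poster's code) keeps that approach but also covers the case the plain count misses, two first-time registrations submitted at the same moment. It assumes Laravel's default auth scaffolding, the App\User model, MySQL/InnoDB (where SELECT ... FOR UPDATE over the table blocks a concurrent insert until the transaction ends), and a hypothetical config value auth.max_admins fed from a MAX_ADMINS env entry.

```php
<?php
// Added example, not the poster's code. Assumes Laravel's default auth
// scaffolding, the App\User model, MySQL/InnoDB (where SELECT ... FOR UPDATE
// on the table holds a lock that blocks a concurrent insert until commit),
// and a hypothetical config value auth.max_admins fed from a MAX_ADMINS env entry.

namespace App\Http\Middleware;

use App\User;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class MaxAdmins
{
    public function handle(Request $request, Closure $next)
    {
        $max = (int) config('auth.max_admins', 1);

        // Cheap pre-check: turn the POST away before the controller runs.
        if (User::count() >= $max) {
            return $this->refuse();
        }

        // Two first-time registrations submitted at the same moment both pass
        // the pre-check. Re-check under a row lock in the transaction the
        // registration insert will run in, so only one of them can commit.
        return DB::transaction(function () use ($request, $next, $max) {
            if (User::lockForUpdate()->count() >= $max) {
                return $this->refuse();
            }

            return $next($request);
        });
    }

    private function refuse()
    {
        return redirect('/')->with('alert', 'Maximum quantity of admins already registered!');
    }
}
```

Attach it to the register POST route exactly as in the reply above; the GET form stays visible, only the submission is refused.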