jfurnas:

Access Denied handling

What is the best way to handle access denied/incorrect permissions to access a route/page? Should I make a custom access denied page, and redirect the user to there on failure, or can I redirect them back to the page they were previously on and flash an access denied message?

In my middleware, I attempted to use return redirect(url()->previous()) but it was creating a redirect loop for some reason, so I use $request->session()->flash('error', 'You do not have the correct privileges.'); and redirect back to /.

Ideally, I'd like them to go back to the page they were on before they accessed the page they couldn't view, but that redirect loop was bothering me and I couldn't seem to get around it, so if I can create my own abort('access denied'); call to take them to a custom access denied page, I would be for that, too.

click:

I just show a 403 permission denied page with a manual link to go to the dashboard. The user can then manually press 'back' in their browser.

But in the first place, you should prevent as much as possible that users end up at a 403 permission denied page. A normal browsable user should not be able to hit a 403 permission denied page.

Let's say a user is not allowed to delete blog posts. The user should not be allowed to hit the controller to delete the blog post. But he shouldn't see a 'delete post' button in your app in the first place.

jfurnas:

The middleware blocks the actual action, but for a proper user experience there should still be an indication when an action isn't allowed, instead of just blindly redirecting somewhere.

Under normal circumstances, just hiding the buttons, links, URLs etc. based on permission works, but that's not 100% foolproof. For example, bookmarks are still a thing and still used by many people, and if somebody has a specific page bookmarked and their permissions are changed later, clicking that bookmark and going to a page they aren't expecting is bad UX.

The same thing goes for hiding/showing buttons based on the user's permissions. If, when they load the page, their permissions are elevated and an administrator just so happens to change their permissions before they take an action, the button/URL is still visible, but when they click it they are currently blindly redirected. That again is bad UX.

The proper way to handle it would be to create a 403 exception and pass it as a response, as well as display an access denied error/page. I guess I will have to look at how to create custom exceptions and to pass those exceptions when a user fails permissions/roles checks.

jfurnas:

Hmm, I found a solution that seems to work:

return response(view('errors.403'), 403);

click:

What do you want to achieve? Show a custom 403 error page? This is already available out of the box.

See Custom HTTP Error Pages https://laravel.com/docs/5.6/errors#http-exceptions

And if you create your own exceptions you can easily create a view per exception explained also in the docs. See Reportable & Renderable Exceptions on the same page of the docs.
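As an added example (not code from any participant in this thread), here is the shape of what click describes: a middleware that denies at the controller boundary with a 403 instead of redirecting, and a renderable exception that serves the custom error view. It assumes Laravel 5.6, the default errors/403.blade.php view, a Gate ability named delete-posts, and placeholder class names; Laravel also ships its own `can:ability` middleware that aborts with 403, so this is only needed when you want the custom message and view.

```php
<?php
// Added example, not from the thread. Two files shown in one listing.

// --- app/Exceptions/AccessDeniedException.php ---
namespace App\Exceptions;

use Exception;
use Illuminate\Http\Request;

class AccessDeniedException extends Exception
{
    // Renderable exception: Laravel calls render() when this is thrown during a
    // request, so the denied page goes out with a real 403 status. No redirect
    // is involved, which avoids the loop the original poster hit with
    // url()->previous() (the previous URL can be the forbidden page itself,
    // e.g. after a refresh).
    public function render(Request $request)
    {
        if ($request->expectsJson()) {
            return response()->json(['message' => $this->getMessage()], 403);
        }

        return response()->view('errors.403', ['message' => $this->getMessage()], 403);
    }
}

// --- app/Http/Middleware/EnsureUserCan.php ---
namespace App\Http\Middleware;

use Closure;
use App\Exceptions\AccessDeniedException;

class EnsureUserCan
{
    // Register as 'can.ability' in $routeMiddleware (placeholder alias), then:
    //   Route::delete('/posts/{post}', 'PostController@destroy')
    //        ->middleware('can.ability:delete-posts');
    public function handle($request, Closure $next, string $ability)
    {
        $user = $request->user();

        // Enforce here even when the UI hid the button: a stale page or an old
        // bookmark still reaches this route, as the thread points out.
        if ($user === null || ! $user->can($ability)) {
            throw new AccessDeniedException('You do not have the correct privileges.');
        }

        return $next($request);
    }
}
```

The view receives $message, so errors/403.blade.php can show the reason the user was denied alongside a link back to the dashboard.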
