
Application Level Security

johnw65:

I'm relatively new to Laravel, and I have the following question.

Currently, different users have access to different applications. I know it's a relatively general question, but what is the best method to make sure that a user can only access their authorized application? I have seen code where, in the constructor method of a controller, they check whether a user has authorized access, but I'm not sure whether that is the best approach.

I do have a user roles table which lists all of the applications that a user has access to and also whether it's read or read/write access.

Thanks in advance.

0 likes
6 replies
johnw65:

CorvS: Thanks for the information. Makes sense!

martinbean:

@johnw65 You should use policies to determine whether users can view particular resources.

johnw65:

Martin,

Thanks, so instead of using middleware, I need to use authorization via policies.

So I can grab a list of applications that a user has, along with whether it's read access or write access, from a user_role table.

So how can I create a policy to perform 3 functions?

  1. Access/Deny a particular application (I will have many applications). If they accidentally enter, route the user back to the main menu.
  2. If user has read/write access, enable update button (for example). For read access, disable update button.
  3. If possible, perform this once so I don't have to query the database each time.

Thanks!

martinbean:

@johnw65 Policies have methods to determine whether a user can view, update, delete, etc. a particular model: https://laravel.com/docs/8.x/authorization#writing-policies

So you can use a policy to first check if a user can actually view an application based on their role/assigned applications, and then use that policy in your Blade views to conditionally show things like edit buttons:

@can('update', $application)
    <a href="{{ route('application.edit', compact('application')) }}">
        {{ __('Edit') }}
    </a>
@endcan
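
A policy covering the three points in the question, as an added example that is not code from this thread or from Laravel itself. It assumes a UserRole model over the user_role table (columns user_id, application_id, access = 'read' or 'write'), an Application model, and an ApplicationController; all of those names are assumptions.

```php
<?php
// Added example; the model, table and column names below are assumptions.

// app/Models/User.php (relevant part only)
namespace App\Models;

use Illuminate\Database\Eloquent\Relations\HasMany;

class User extends \Illuminate\Foundation\Auth\User
{
    // One row per application the user is assigned to, with its access level.
    public function applicationRoles(): HasMany
    {
        return $this->hasMany(UserRole::class);
    }
}

// app/Policies/ApplicationPolicy.php
namespace App\Policies;

use App\Models\Application;
use App\Models\User;

class ApplicationPolicy
{
    // Point 3: loadMissing() queries user_role once per user instance; every
    // later view()/update() check in the same request reuses the loaded rows.
    private function accessFor(User $user, Application $application): ?string
    {
        $user->loadMissing('applicationRoles');
        $row = $user->applicationRoles->firstWhere('application_id', $application->id);

        return $row ? $row->access : null;
    }

    // Point 1: any assignment (read or write) lets the user view the application.
    public function view(User $user, Application $application): bool
    {
        return $this->accessFor($user, $application) !== null;
    }

    // Point 2: only write access allows updating, so @can('update', $application)
    // hides the edit button for read-only users.
    public function update(User $user, Application $application): bool
    {
        return $this->accessFor($user, $application) === 'write';
    }
}

// routes/web.php: deny the route itself, not only the button, so a user who
// types the URL directly gets a 403 instead of the page.
\Illuminate\Support\Facades\Route::get('/applications/{application}',
    [\App\Http\Controllers\ApplicationController::class, 'show'])
    ->middleware('can:view,application');
```

Laravel 8 auto-discovers App\Policies\ApplicationPolicy for App\Models\Application, so no manual registration is needed; to redirect to the main menu instead of returning 403, render Illuminate\Auth\Access\AuthorizationException as a redirect in App\Exceptions\Handler.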

johnw65:

Martin, Thanks! Let me read the documentation regarding policies.
