vincent15000

How to capture all 403 exceptions and redirect to a page in some specific cases?

Hello,

I'm using policies to handle authorizations.

If a user is not authorized to trigger an action (for example edit, update, delete, ...), I want to render the exception (no problem for this point).

But if a user is trying to manually access a route (just by typing the route in the browser, for example to access some specific page), I want to capture the 403 exception and redirect to the dashboard.

I need help for this redirection.

Any idea?

Thanks ;).

V

0 likes
9 replies
Glukinho

In bootstrap/app.php:

use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Http\Request;

// ...

->withExceptions(function (Exceptions $exceptions) {
    $exceptions->render(function (AuthorizationException $e, Request $request) {
        // Render the dashboard view in place of the 403 page...
        return response()->view('dashboard');

        // ...or redirect to the named dashboard route instead:
        // return to_route('dashboard');
    });
})

https://laravel.com/docs/12.x/errors#rendering-exceptions

2 likes
jlrdw
Best Answer

@vincent15000 you shouldn't have to do anything except design the 403 error page the way you want it to look.

That way the user sees a problem happened. Then have a link they can click to go wherever.

For example a link back to the home page, or login page, etc.

The 403 out of box is:

@extends('errors::minimal')

@section('title', __('Forbidden'))
@section('code', '403')
@section('message', __($exception->getMessage() ?: 'Forbidden'))

But you can modify as needed.

Also you can play with and tweak by using:

abort(403);

But you should rarely have errors. Maybe an incorrect login, but if an app is debugged well it should be virtually error free.

When you believe you have debugged enough, well debug again.

1 like
vincent15000

@jlrdw Ok ... Here is why I want to do that ... but perhaps you will say to me that it's not useful to do that.

If a user types an existing route directly in the browser, but he isn't authorized to access this route, rather than displaying an error page saying "You aren't authorized to access this page", redirecting to the dashboard page would hide the route, exactly as if the route didn't exist.

1 like
Snapey

@vincent15000

If a user types an existing route directly in the browser

Then it can only be a GET request.

Therefore only affecting the show route. I would handle this directly in the controller.

2 likes
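An added example (not code posted in this thread) that puts Glukinho's render() callback together with Snapey's point that a URL typed into the address bar can only arrive as a GET request: GET requests are redirected to the dashboard, form submissions keep the stock 403 page, and JSON clients get a JSON 403. It assumes a Laravel 11/12 bootstrap/app.php, a named route 'dashboard', and routes in routes/web.php.

```php
<?php
// bootstrap/app.php, Laravel 11/12 layout. Added example, not code from the thread.
// Assumptions: a named route 'dashboard' exists and web routes live in routes/web.php.

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Http\Request;
use Symfony\Component\HttpKernel\Exception\HttpException;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        health: '/up',
    )
    ->withExceptions(function (Exceptions $exceptions) {
        // Hint on HttpException rather than AuthorizationException: before render
        // callbacks run, the handler has already turned a policy's AuthorizationException
        // into an AccessDeniedHttpException (a 403 HttpException), and abort(403) throws
        // a plain HttpException. Checking the status code covers both cases.
        $exceptions->render(function (HttpException $e, Request $request) {
            if ($e->getStatusCode() !== 403) {
                return null; // not a 403: fall through to Laravel's default rendering
            }

            // API / fetch() callers get a JSON 403 instead of an HTML redirect.
            if ($request->expectsJson()) {
                return response()->json(['message' => 'Forbidden.'], 403);
            }

            // A URL typed into the browser is a plain GET, so only there do we redirect
            // to the dashboard; the forbidden page then behaves as if it were not linked.
            if ($request->isMethod('GET')) {
                return to_route('dashboard');
            }

            // POST/PUT/DELETE from a form: returning null keeps the stock 403 error page
            // so the user sees that the action was refused.
            return null;
        });
    })
    ->create();
```

Note that a redirect is not the same as a 404: a client can still tell that the route exists and is protected, it just never sees its content.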
jlrdw

@vincent15000 If a user types an existing route directly in the browser, you use both authentication and authorization to verify the user is authorized.

Say my id is 251. Another user tries to put in my id or some other.

In a query you need to make sure that the Auth::id() is used, so the other user cannot see or edit my data.

I would use URL data sparingly. But data is protected by the way queries are written.

An example portion of a query:

$userid = Auth::user()->id;
$query->where('ownerid', '=', $userid);  // authenticated user check

Now if someone has entered another id or wrong id, then an error would be thrown.

If someone did do this, well they are probably trying to hack.

Edit:

Of course I wouldn't worry about it if just browsing products. For example you can browse Amazon without a login, but to buy you login.

Edit 2:

Notice the URL on laracasts https://laracasts.com/discuss?filter_by=contributed_to

Really nothing to change, but I am sure the auth id is used for a query.

1 like
vincent15000

@jlrdw I don't know why I really wanted to do that, but you're right, there is no reason to do something so complex; just designing the 403 error page is sufficient.

1 like
