
jerschmidt14

Security in controller

I have noticed that each controller has a construct method. I have separated my code functionality into individual controllers (e.g. run admin functionality, run query functionality). I would like to restrict access to the controllers for each role of the user. I can easily check to see if the user is part of the role via a db call. Can I do the check in the construct of the controller, or is there a better place to do this?

0 likes
6 replies
rawilk

For my projects I prefer to either use route middleware or policies for access control to the system.

jerschmidt14

Hi,

I added another middleware (rolecheck) call in the constructor.

e.g. $this->middleware('auth'); $this->middleware('rolecheck');

With this, in the rolecheck middleware I can access auth()->id().

Now, is there a way I can pass in a parameter to the rolecheck?

Ideally for the widgets controller, I would like to pass a string parameter of "widgets" to it. Seems I can access the $request in the middleware. Can I assign something to the request, or directly pass in a string variable? My code is in public function handle($request, Closure $next)

jerschmidt14

I think I have it. Change the controller to

$this->middleware('auth'); $this->middleware('role:widgets');

then in the role middleware change the handle to

public function handle($request, Closure $next, $role)

Now I can access the "widgets" value from the $role variable.

Jeremy
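The parameterised role middleware from the post above, written out as a complete class. This is an added example, not code from the thread; it assumes the middleware is aliased as 'role' in app/Http/Kernel.php and that the User model has a belongsToMany roles() relation whose table has a name column.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Registered in app/Http/Kernel.php ($middlewareAliases or $routeMiddleware):
//     'role' => \App\Http\Middleware\RoleCheck::class,
// Used from a controller constructor or a route:
//     $this->middleware('role:widgets');                           // one role
//     Route::get('/admin', ...)->middleware('role:admin,auditor'); // any of several
class RoleCheck
{
    // Laravel splits "role:widgets,admin" on commas and passes each value as a
    // separate argument after $next, so ...$roles collects all of them.
    public function handle(Request $request, Closure $next, string ...$roles): Response
    {
        // Fail closed on a misconfigured route rather than silently allowing everyone.
        if ($roles === []) {
            throw new \InvalidArgumentException('role middleware needs at least one role');
        }

        $user = $request->user();

        // 'auth' normally runs first, but do not depend on middleware ordering:
        // an unauthenticated request must never reach the role query.
        if ($user === null) {
            abort(401);
        }

        // Assumption: User has a belongsToMany roles() relation with a `name` column.
        // Single query with bound parameters; role names are never concatenated into SQL.
        $allowed = $user->roles()->whereIn('name', $roles)->exists();

        if (! $allowed) {
            abort(403); // authenticated but not authorised for this controller
        }

        return $next($request);
    }
}
```

This guards the controller as a whole; where a user may only see their own records, a row-level check (a query scope or policy comparing the owner id with the authenticated user) is still needed on top of it.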

jlrdw
Best Answer
Level 75

You said you want to restrict access to the controllers for different users.

It is better if you use routing along with query scopes to fine-tune who can see what.

For example, look at the links I gave and look at this link.

https://laracasts.com/discuss/channels/laravel/using-laravel-policy-to-filter-eloquent-query

Because sometimes a user can see their own data yet an admin can see anyone's data. So restricting a whole controller is not really a good idea.

The only time this is a good idea is, take a hospital, where physicians have separate logins altogether from patients.

As said, I am now using scopes, like:

    // Local Eloquent scope on the Pet model (called as Pet::getPets($search)).
    // Needs `use Illuminate\Support\Facades\Auth;` at the top of the model file.
    public function scopeGetPets($query, $petsearch = '')
    {
        $petsearch = $petsearch . "%";   // prefix match; '%' and '_' in user input are not escaped
        $query->where('petname', 'like', $petsearch);
        if (ChkAuth::userRole('admin') === false) {  // I have custom RBAC helpers
            // non-admins are limited to rows they own
            $userid = Auth::user()->id;
            $query->where('ownerid', '=', $userid);
        }
        $results = $query->orderBy('petname', 'asc')->paginate(5);
        return $results;
    }

But all RBAC has the same purpose, a logged in user either can or cannot do something. Or a user can see and edit their own data, not someone else's. That's where the Auth::user()->id comes in.

A spatie example:

    // Controller action using spatie/laravel-permission; `author` holds the owner's user id
    public function update(Request $request, Post $post)
    {
        // strict comparison: both sides must be integers of the same type
        if ($post->author !== auth()->user()->id || auth()->user()->cannot('edit posts')) {
            abort(404); // or some other
        }

        // ... perform the update
    }

So no matter if you use Laravel's authorization, spatie, or custom RBAC, the goal is the same.

I use the out of box authentication, but have custom helpers to work with that and roles I set up.

But until you know PHP and frameworks well, I would not suggest attempting your own RBAC.

I would also suggest writing all out with pencil and paper first.

Even Jeffrey in a video mentions it is tricky at first until you begin learning it. Security is something to take your time and learn correctly.

I would also suggest taking a good general RBAC tutorial, so later you will know how to write and use it.

Namely, a system that can be used in Laravel, CakePHP, or Yii2. Or even another language if needed, with just small tweaks.

I try to not write everything "framework" biased.

1 like
jerschmidt14

Great stuff. Thank-you for the examples and the links! Very helpful.

I am reviewing the tutorial as well as you have mentioned. The query scope will be useful on a few of the sections on my website!

Thanks again,

Jeremy
