Send user a link that will show them the registration form that they filled up and update them.
I'm creating a project in which a user needs permission from the admin. When the admin accepts the user's application, a password reset link is sent to the user, which gives the user access to the account. However, if the admin denies the application, a request to update the application should be sent with the link to the form that they filled up, already populated with the data that the admin denied.
Is there a way to do this?
You just need to create a route with the Registration form you want them to edit and have them edit the form there.
Since there is no password created at this point, your only protection would be to send a signed link; this will make sure that only the user with the link will have the ability to edit the registration form. (https://laravel.com/docs/9.x/urls#signed-urls)
Also, I would add a UUID to your registration model, and use that in the route instead of the conventional id. It's a bit more 'secure' than to just pass an integer in the route.
@undeportedmexican
I'm trying to send the user to this link; however, instead of being redirected to this view, the user is being redirected to the login page. I'm using Fortify for my registration, verification and password resets.
Does Fortify have something to do with this problem?
I checked the route and removed the middleware but still the same thing happens.
Route:
    Route::prefix('user')->name('user.')->group(function () {
        Route::get('profile', Profile::class)->name('profile');
    });
Controller:
    <?php

    namespace App\Http\Controllers\User;

    use App\Http\Controllers\Controller;
    use Illuminate\Http\Request;

    class Profile extends Controller
    {
        public function __invoke()
        {
            return view('user.profile');
        }
    }
View file:
    @extends('template.main')

    @section('content')
        <h1>Update Profile</h1>
        <form method="POST" action="{{ route('user-profile-information.update') }}">
            @method("PUT")
            @csrf
            <div class="mb-3">
                <label for="name" class="form-label">Name</label>
                <input name="name" type="text" class="form-control @error('name') is-invalid @enderror" id="firstname" aria-describedby="name" value="">
                @error('name')
                    <span class="invalid-feedback" role="alert">
                        {{ $message }}
                    </span>
                @enderror
            </div>
            <div class="mb-3">
                <label for="middlename" class="form-label">Middle Name</label>
                <input name="middlename" type="text" class="form-control @error('middlename') is-invalid @enderror" id="middlename" aria-describedby="middlename" value="">
                @error('middlename')
                    <span class="invalid-feedback" role="alert">
                        {{ $message }}
                    </span>
                @enderror
            </div>
            <div class="mb-3">
                <label for="lastname" class="form-label">Last Name</label>
                <input name="lastname" type="text" class="form-control @error('lastname') is-invalid @enderror" id="lastname" aria-describedby="lastname" value="">
                @error('lastname')
                    <span class="invalid-feedback" role="alert">
                        {{ $message }}
                    </span>
                @enderror
            </div>
            <div class="mb-3">
                <label for="email" class="form-label">Email address</label>
                <input name="email" type="email" class="form-control @error('email') is-invalid @enderror" id="email" aria-describedby="email" value="">
                @error('email')
                    <span class="invalid-feedback" role="alert">
                        {{ $message }}
                    </span>
                @enderror
            </div>
            <button type="submit" class="btn btn-primary">Submit</button>
        </form>
    @endsection
@undeportedmexican I checked the routes in Fortify in the vendor files and removed the auth middleware. It works now but I presume that this isn't good practice right?
@Bunnypants no, not good practice. now anyone can update any profile
which is why you are getting null for the user passed into the fortify profile update. The user should be authenticated before allowing them to edit their profile
@Snapey @bunnypants
I understand that your use case requires the user not to be authenticated in order to update their profile (because the user doesn't have an account at this point, it needs to be authorized by admin first).
So you would need to create a new view (don't use fortify's view). And protect this view using a signed link.
    public function destroy($id, Request $request)
    {
        $user = User::findOrFail($id);
        $email = $user->email;
        if (!$user) {
            $request->session()->flash('error', 'You can not delete this the user');
            return redirect(route('admin.users.index'));
        }
        $url = URL::signedRoute('user.profile', ['email' => $email]);
        $updatedata = [
            'body' => 'Your enrolment application has been denied',
            'message' => 'You are allowed to update your form',
            'url' => $url,
            'thankyou' => 'You have 3 days to update your form'
        ];
        Notification::send($user, new UpdateForm($updatedata));
        $request->session()->flash('success', 'You have deleted the user');
        return redirect(route('admin.users.index'));
    }
URL:
http://127.0.0.1:8000/user/profile/[email protected]?signature=79a03a037f06d5b4e635bbd4384eaa9d2a69eb66eccae041eb44143514001d9b
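The signed-link advice from this thread, put together as an added example that is not code from any of the posts: the link is keyed on a UUID instead of the email, expires after the 3 days the notification promises, and the `signed` middleware guards both the form and the update. The `users.uuid` column, the `registration.*` and `admin.users.deny` routes, the `registration.edit` view, the `App\Notifications` namespace for `UpdateForm` and the mass-assignable fields are assumptions.

```php
<?php
// routes/web.php -- added example, not code from the thread.
// Assumptions: users.uuid column, the registration.* route names and view,
// and that the four form fields are mass-assignable on User.
use App\Models\User;
use App\Notifications\UpdateForm;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Notification;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;

// Admin side: denying an application mails a link that expires after 3 days.
Route::post('admin/users/{user:uuid}/deny', function (User $user) {
    $url = URL::temporarySignedRoute('registration.edit', now()->addDays(3), ['user' => $user->uuid]);
    Notification::send($user, new UpdateForm([
        'body' => 'Your enrolment application has been denied',
        'message' => 'You are allowed to update your form',
        'url' => $url,
        'thankyou' => 'You have 3 days to update your form',
    ]));
    return back()->with('success', 'Applicant notified');
})->middleware('auth')->name('admin.users.deny'); // add your own admin check here

// Applicant side: no `auth` (there is no password yet). `signed` answers 403
// when the signature is missing, altered or expired.
Route::middleware('signed')->prefix('registration')->name('registration.')->group(function () {
    Route::get('{user:uuid}/edit', function (User $user) {
        return view('registration.edit', [
            'user' => $user, // fill inputs with old('name', $user->name) and so on
            // The form's action is its own signed URL, so the write is protected too.
            'action' => URL::temporarySignedRoute('registration.update', now()->addHours(2), ['user' => $user->uuid]),
        ]);
    })->name('edit');

    Route::put('{user:uuid}', function (Request $request, User $user) {
        // Only validated fields are written; the record comes from the signed UUID.
        $user->update($request->validate([
            'name' => ['required', 'string', 'max:255'],
            'middlename' => ['nullable', 'string', 'max:255'],
            'lastname' => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]));
        return redirect('/')->with('status', 'Application resubmitted');
    })->name('update');
});
```

The signature covers the URL and query string only, so the Blade form can still POST with `@method('PUT')` to `$action`; Fortify's `user-profile-information.update` route stays behind `auth` and is not used here.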