
Allviinn

Permissions check in save methods

Hey everyone :)

I created a role permissions system where I have all of my features in the database (basically these are controller methods). I have a users table bound to a roles table, and I'll bind the roles to the methods.

I was wondering if there is any need to check whether the role has the right to access the method that handles saving data.

Example: In a PostController, in the "create" method (the method that loads the view containing the form) I check if the user has the role "Post creator". Should I also do the same check in the store method (the method that saves the post)?

I don't really know how the @csrf token works behind the scenes, and I was wondering if there is a way to post data to the saving methods without having access to the methods that load the views.

drewdan

You should check on both create and store. The CSRF token prevents someone from making a POST request to your server through a tool like Postman, but it would not prevent someone from hijacking another POST request on your website. Say the login form: instead of posting to /login, they could use the developer tools to change it to post to another route. Maybe you store transactions in your database; they would post to /transactions and supply the correct data to create a transaction, and even though they do not have permission to create this, they could feasibly create a transaction in the database.
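To make the "check in both places" advice concrete, here is an added example (not code posted in this thread) showing the same policy check in the create action and the store action. It assumes Laravel's Gate/Policy system, a Post model with fillable title, body and user_id columns, and a hasRole() method on the User model backed by the poster's own users/roles tables; none of these are given on the page.

```php
<?php
// Added example, not from the thread. The same policy check runs in create()
// (loads the form) and store() (saves the post), so a POST sent straight to the
// save route is rejected even if the form was never loaded.

namespace App\Policies;

use App\Models\User;

class PostPolicy
{
    // Laravel maps App\Models\Post to App\Policies\PostPolicy by naming convention.
    public function create(User $user): bool
    {
        return $user->hasRole('Post creator'); // hasRole() assumed: the poster's role system
    }
}

namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class PostController extends Controller
{
    // GET /posts/create: shows the form. Gate::authorize throws an
    // AuthorizationException (HTTP 403) when the policy returns false.
    public function create()
    {
        Gate::authorize('create', Post::class);
        return view('posts.create');
    }

    // POST /posts: saves the post. Checked again, because nothing forces a client
    // to have visited create() first. The CSRF token only ties the request to the
    // current session; it says nothing about what that session is allowed to do.
    public function store(Request $request)
    {
        Gate::authorize('create', Post::class);

        $data = $request->validate([
            'title' => ['required', 'string', 'max:255'],
            'body'  => ['required', 'string'],
        ]);
        $post = Post::create($data + ['user_id' => $request->user()->id]);

        return redirect()->route('posts.show', $post);
    }
}
```

Applying the `can:create,App\Models\Post` middleware to both routes gives the same protection at the routing layer; keeping the in-action check as well means a route edit cannot silently drop it.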
