Reputation: 6612
I have tried many ways, but even users who are not logged in can open the secret admin pages.
This route is for the admin directory:
Route::group(
    array (
        'prefix' => 'admin',
    ),
    function () {
        Route::resource('posts', 'postController');
        Route::get('/login', array ('uses' => 'loginController@showForm'));
        Route::post('/login', array ('uses' => 'loginController@checkLogin'));
        Route::get('/logOut', array ('uses' => 'loginController@doLogout'));
    }
);
And this is my login controller:
namespace App\Http\Controllers;

use App\Http\Requests;
use Illuminate\Support\Facades\Input;
use Illuminate\Support\Facades\Redirect;
use Illuminate\Support\Facades\View;

class loginController extends Controller
{
    public function showForm ()
    {
        return View::make('admin.login');
    }

    public function checkLogin ()
    {
        $data = \Input::all();
        $rules = array (
            'username' => 'alpha_num|min:3',
            'password' => 'alpha_num|min:3',
        );
        $validator = \Validator::make($data, $rules);
        if ($validator->fails()) {
            return \Redirect::to('admin')->withErrors($validator)->withInput(\Input::all());
        } else {
            $enteredData = array(
                'username' => Input::get('username'),
                'password' => Input::get('password')
            );
            if (\Auth::attempt($enteredData)) {
                return \Redirect::to('admin/posts');
            } else {
                echo 'the data is Wrong ';
            }
        }
    }

    public function doLogout(){
        \Auth::logout();
        return Redirect::to('/admin/login');
    }
}
And this part is postController:
namespace App\Http\Controllers;

use App\Http\Requests;
use App\Post;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Input;
use Illuminate\Support\Facades\Redirect;
use Illuminate\Support\Facades\View;

class postController extends Controller
{
    public function __construct ()
    {
        var_dump(\Auth::check());
        if (!\Auth::check()) {
            return \Redirect::to('/admin/login');
        }
    }

    /**
     * Display a listing of the resource.
     *
     * @return Response
     */
    public function index ()
    {
        $allPosts = Post::all();
        return \View::make('admin.pages.posts')->with('posts',$allPosts);
    }

    /**
     * Show the form for creating a new resource.
     *
     * @return Response
     */
    public function create ()
    {
        return \View::make('admin.pages.post_create');
    }

    /**
     * Store a newly created resource in storage.
     *
     * @param Request $request
     * @return Response
     */
    public function store (Request $request)
    {
        $data = Input::all();
        $rules = array (
            'post_title' => 'required',
            'post_desc' => 'required'
        );
        $validator = \Validator::make($data, $rules);
        if ($validator->fails()) {
            return \Redirect::to('/admin/posts/create')
                ->withErrors($validator)
                ->withInput();
        } else {
            $post = new Post();
            $post->post_title = $data['post_title'];
            $post->post_desc = $data['post_desc'];
            $post->save();
            return \Redirect::to('/admin/posts');
        }
    }

    /**
     * Display the specified resource.
     *
     * @param int $id
     * @return Response
     */
    public function show ($id)
    {
        $post = Post::find($id);
        return \View::make('admin.pages.show_post')->with('post',$post);
    }

    /**
     * Show the form for editing the specified resource.
     *
     * @param int $id
     * @return Response
     */
    public function edit ($id)
    {
        $post = Post::find($id);
        return \View::make('admin.pages.edit_post')->with('post',$post);
    }

    /**
     * Update the specified resource in storage.
     *
     * @param Request $request
     * @param int $id
     * @return Response
     */
    public function update (Request $request, $id)
    {
        $data = Input::all();
        $rules = array (
            'post_title' => 'required',
            'post_desc' => 'required'
        );
        $validator = \Validator::make($data, $rules);
        if ($validator->fails()) {
            return \Redirect::to('post/create')
                ->withErrors($validator)
                ->withInput();
        } else {
            $post = Post::find($id);
            $post->post_title = $data['post_title'];
            $post->post_desc = $data['post_desc'];
            $post->save();
            return \Redirect::to('admin/posts');
        }
    }

    /**
     * Remove the specified resource from storage.
     *
     * @param int $id
     * @return Response
     */
    public function destroy ($id)
    {
        $post = Post::find($id);
        $post->delete();
        return Redirect::to('admin/posts');
    }
}
Note that I added a constructor method to check for users who are not logged in and redirect them to the login page:
public function __construct ()
{
    var_dump(Auth::check());
    if (!Auth::check()) {
        return Redirect::to('/admin/login');
    }
}
var_dump returns true for logged-in users and false for others, but the redirect does not happen.
Where is the problem?
Update:
I changed the posts resource route to:
Route::resource('posts', 'postController',array('middleware' => 'auth'));
but it was ineffective.
However, when I changed the postController constructor to:
public function __construct ()
{
    $this->middleware('auth');
}
it worked fine.
Upvotes: 1
Views: 3389
Reputation: 6612
Based on @craig_h's answer and my own research, I found that I must separate the login and logout routes into another route group. When I used this code:
Route::group(
    array (
        'prefix' => 'admin',
        'middleware' => ['auth']
    ),
    function () {
        Route::resource('posts', 'postController');
        Route::get('/login', array ('uses' => 'loginController@showForm'));
        Route::post('/login', array ('uses' => 'loginController@checkLogin'));
        Route::get('/logOut', array ('uses' => 'loginController@doLogout'));
    }
);
I got a "This webpage has a redirect loop" error in Chrome, because login and logout were in the same route group as the posts resource route; when an unauthorized user was returned to the login page, Laravel tried to authenticate him and a redirect loop occurred.
But when I separated the login and logout routes into another route group, like below, the problem was solved and everything worked fine.
Route::group(
    array (
        'prefix' => 'admin',
        'middleware' => ['auth']
    ),
    function () {
        Route::resource('posts', 'postController');
    }
);
Route::group(
    array (
        'prefix' => 'admin'
    ),
    function () {
        Route::get('/login', array ('uses' => 'loginController@showForm'));
        Route::post('/login', array ('uses' => 'loginController@checkLogin'));
        Route::get('/logOut', array ('uses' => 'loginController@doLogout'));
    }
);
Upvotes: 0
Reputation: 32704
The third parameter in the resource route is an array for overriding route names or specifying subsets; it's not for attaching middleware. You can continue to place your authorisation inside your controller's constructor, but if you want to protect the entire admin route you can use a group, like so:
Route::group([
    'prefix' => 'admin',
    'middleware' => ['auth']
], function ()
{
    Route::resource('posts', 'postController');
});
Upvotes: 3
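An added example, not part of the original posts and not Laravel code: a toy dispatcher in plain PHP (7.4+) that reproduces the three situations in this thread, namely a redirect returned from a constructor being discarded by `new`, the login route looping when it sits inside the auth-protected group, and the login route working once it is moved out. All class, function and route-table names are hypothetical.

```php
<?php
// Added illustration with hypothetical names; a toy dispatcher, not Laravel code.

class PostsWithConstructorGuard
{
    public function __construct(bool $loggedIn)
    {
        if (!$loggedIn) {
            return 'redirect:/admin/login'; // discarded: `new` still yields the object
        }
    }

    public function index(): string
    {
        return 'secret admin page';
    }
}

// Stand-in for an auth middleware: runs before the handler and may answer itself.
function authMiddleware(bool $loggedIn, callable $next): string
{
    return $loggedIn ? $next() : 'redirect:/admin/login';
}

// Follow redirects the way a browser does; $routes maps path => [needsAuth, handler].
function browse(array $routes, string $path, bool $loggedIn, int $maxHops = 5): string
{
    for ($hop = 0; $hop < $maxHops; $hop++) {
        [$needsAuth, $handler] = $routes[$path];
        $response = $needsAuth ? authMiddleware($loggedIn, $handler) : $handler();
        if (strpos($response, 'redirect:') !== 0) {
            return $response;
        }
        $path = substr($response, strlen('redirect:'));
    }
    return 'redirect loop';
}

$guest = false; // constructed scenario: an unauthenticated visitor
$posts = fn () => (new PostsWithConstructorGuard($guest))->index();
$login = fn () => 'login form';

// 1. Guard only in the constructor, no middleware on the route.
echo browse(['/admin/posts' => [false, $posts]], '/admin/posts', $guest), "\n";
// 2. Login route inside the auth-protected group.
echo browse(['/admin/posts' => [true, $posts], '/admin/login' => [true, $login]], '/admin/posts', $guest), "\n";
// 3. Login route outside the auth-protected group.
echo browse(['/admin/posts' => [true, $posts], '/admin/login' => [false, $login]], '/admin/posts', $guest), "\n";
```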