Friency Fernandez

Reputation: 445

Laravel 5.2 custom user permission check

I would like to do a permission check that will disallow users from accessing certain pages and buttons if they do not have permission. In my database, I have a table for users, permissions and then a permission_user table to assign permissions for each user.

Now, I have pages where a table is displayed with a summary of all the data, and there is a set of buttons there (view, edit, etc.). Some users can't do all of these, so I want these buttons to be invisible/disabled. And I don't want them to access the restricted pages linked with these buttons if they type it in the URL (e.g. public/admin/edit/id).

Here are the currently available permissions

  PermissionID  PermissionName
        1            View
        2            Add
        3            Edit
        4            Delete

Now in my permissions_user table it is like this

   PermissionID   AccountID
        1             2

Here is a piece of my controller

public function showDetails($action, $id)
{
    return view('pages.admin.form_details', ['action' => $action, 'id' => $id]);
}

This example function will show the details page and return action (string which is either view or edit) and then the checking for display of the view or edit page is done in my blade. If possible, I want to do the checking all at once (Like how you check in every page if user is logged in or not through a middleware). I actually tried zizaco entrust, but I do not understand how to implement it and ended up removing it from my project.

I've been thinking of doing something like this in my show functions for each page controllers.

if ($action == "edit") {
    // check if edit permission exists for the authenticated user. if not abort and show error page.
}

I think it's inefficient and repetitive to do this. Would there be a better solution? Or maybe a package that I could integrate easier?

Upvotes: 2

Views: 1842

Answers (3)

georgeos

Reputation: 2501

Laravel 5.2 has a proper functionality for this: Authorizations

I prefer to use Policies to define abilities, as they could be more scalable if your application grows.

  1. Registering policies

    protected $policies = [
        'App\Model' => 'App\Policies\ModelPolicy',
    ];
    
    public function boot(GateContract $gate)
    {
        $this->registerPolicies($gate);
    }
    
  2. Define Policy

    public function index(User $user)
    {
        return // your validation;
    }
    
    public function create(User $user)
    {
        return // your validation;
    }
    
  3. Checking policies

In your controller:

public function store(ModelRequest $request)
{   
    $this->authorize('create', $model);
    // your code to create a new model
}

In your view:

@can('create', $post)
   <!-- If user can create a model -->
@endcan

It is important to check the policies in the controller; used that way, the user won't be allowed to perform any of the next steps if he doesn't have the right permissions.

On the other hand, there are some packages, as mentioned by the other SO users, but your request is really simple, so you can use the Authorizations from Laravel.

Upvotes: 2
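
Added example, not part of georgeos's answer or of the Laravel documentation: the "your validation" placeholders from step 2 filled in against the tables described in the question, so that both `@can` in the view and `$this->authorize()` in the controller are decided by the same database lookup. The `App\User` model, the `ModelPolicy` class name, the ability names, the `permission_user` table name, and `AccountID` holding the user's primary key are assumptions.

```php
<?php

namespace App\Policies;

use App\User;
use Illuminate\Support\Facades\DB;

// Assumed schema (from the question): permissions(PermissionID, PermissionName)
// and permission_user(PermissionID, AccountID), AccountID = users primary key.
class ModelPolicy
{
    public function view(User $user)
    {
        return $this->has($user, 'View');
    }

    public function create(User $user)
    {
        return $this->has($user, 'Add');
    }

    public function update(User $user)
    {
        return $this->has($user, 'Edit');
    }

    public function delete(User $user)
    {
        return $this->has($user, 'Delete');
    }

    // Deny by default: access is granted only when a row in permission_user
    // links this user to the named permission. No row means false.
    private function has(User $user, $permissionName)
    {
        return DB::table('permission_user')
            ->join('permissions', 'permissions.PermissionID', '=', 'permission_user.PermissionID')
            ->where('permission_user.AccountID', $user->getAuthIdentifier())
            ->where('permissions.PermissionName', $permissionName)
            ->exists();
    }
}
```

Because the `$action` value in the question's route comes from the URL, map it to one of these ability names through a fixed list in the controller and reject anything else before calling `authorize()`. Hiding a button with `@can` only changes what is rendered; the controller check is what stops a request typed directly into the address bar.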

Simone Cabrino

Reputation: 931

Laravel includes an Authorization system that should work as you need. Did you already check it? https://laravel.com/docs/5.2/authorization

Upvotes: 0

nxu

Reputation: 2272

Laravel 5.2 has a built-in method for authorization:

https://laravel.com/docs/5.2/authorization

Policies are especially good, they represent the kind of permissions you're looking for.

If you need more versatility, take a look at the laravel-permission package by spatie, it adds a lot of features like role management.

Upvotes: 0
