Reputation: 164
I've installed Permission Manager for the Backpack CRUD package; it lets me implement permissions, roles and users, but there's no example of where to put the code that validates that a user satisfies the requirements.
For example: I added the code below inside the setup() function in my equipment controller and it shows an error. Should I use middleware in the routes?
I recently created this middleware:
namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;
use Prologue\Alerts\Facades\Alert;

class RoleMiddleware
{
    /**
     * Handle an incoming request.
     *
     * Used from the routes as 'role:admin,access_backend': $role receives the
     * first parameter, $permission the second.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string  $role
     * @param  string  $permission
     * @return mixed
     */
    public function handle($request, Closure $next, $role, $permission)
    {
        // Earlier attempt, kept for reference:
        // if (!Auth::user()->hasRole($role)) {
        //     Alert::add('error', 'You do not have necessary authorization to access to the page')->flash();
        //     return redirect('home');
        // }

        if (Auth::guest()) {
            return redirect(url(config('backpack.base.route_prefix').'/login'));
        }

        // Debug line disabled: dd() stops every request before the checks run.
        // dd($request->user()->hasRole($role)); // asks whether the user has the administrator role

        if (!$request->user()->hasRole($role)) {
            Alert::info('You do not have necessary authorization to access to the page Role');
            // Without this abort the role check only flashes a message and the
            // request falls through to the permission check.
            abort(403);
        }

        if (!$request->user()->can($permission)) { // asks whether the user has the back_end permission
            Alert::error('You do not have necessary authorization to access to the page Permission');
            abort(403);
        }

        return $next($request);
    }
}
My routes:
// routes/web.php (Backpack 3.x). 'admin' is Backpack's own middleware; 'role' is the
// alias registered for RoleMiddleware in app/Http/Kernel.php under $routeMiddleware.
Route::group(['middleware' => ['admin', 'role:admin,access_backend']], function () {
    CRUD::resource('equipos', 'EquiposCrudController');
    CRUD::resource('regiones', 'RegionesCrudController');
    CRUD::resource('parametros', 'ParametrosCrudController');
    CRUD::resource('estaciones', 'EstacionesCrudController');
});
What if I have a user Editor that has one role, "Edit", and the permissions "back_end" and "edit"? With the middleware set up like that, it only accepts my Editor user if it complies with the admin role, right? Should I add the admin role to my editor user as well? The problem being that the admin role has permission to everything.
I intend to implement the code below dynamically on each controller, instead of asking for every role. Any alternatives?
use Backpack\CRUD\app\Http\Controllers\CrudController;

class EquiposCrudController extends CrudController
{
    public function setup()
    {
        // $user is never assigned in this method, which is what produces the error
        if ($user->hasRole('editor')) {
            $this->crud->denyAccess(['create', 'delete']);
        }
        if ($user->hasRole('usuario')) {
            $this->crud->denyAccess(['create', 'delete', 'update']);
        }
    }
}
Upvotes: 1
Views: 3683
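As an added example (this is not code from the question, the answers, or the Backpack project), here is a variant of the RoleMiddleware that takes a pipe-separated list of roles and a required permission, so an editor account can pass the route group without being given the admin role. It assumes what Backpack's PermissionManager installs, namely a User model using spatie/laravel-permission's HasRoles trait (hasAnyRole() and can()), and that the alias 'role' is registered for this class in app/Http/Kernel.php; a user who fails either check gets a 403 instead of a flash message and a pass-through.

```php
<?php
// Added example: route middleware that requires ANY of several roles AND one permission.
// Assumes a User model with spatie/laravel-permission's HasRoles trait (via Backpack
// PermissionManager) and that 'role' => RoleMiddleware::class is registered in
// app/Http/Kernel.php ($routeMiddleware).
//
// Route usage (the role list and permission name below are illustrative):
//   Route::group(['middleware' => ['admin', 'role:admin|editor,access_backend']], function () {
//       CRUD::resource('equipos', 'EquiposCrudController');
//   });

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RoleMiddleware
{
    /**
     * @param  string       $roles       pipe-separated list, e.g. "admin|editor"
     * @param  string|null  $permission  permission name the user must also hold
     */
    public function handle(Request $request, Closure $next, string $roles, ?string $permission = null)
    {
        $user = $request->user();

        // Not logged in: send to Backpack's login page (same behaviour as the original).
        if ($user === null) {
            return redirect(url(config('backpack.base.route_prefix').'/login'));
        }

        // "admin|editor" -> ['admin', 'editor']; empty entries from stray pipes are dropped.
        $allowedRoles = array_values(array_filter(array_map('trim', explode('|', $roles))));

        // Role check: at least one of the listed roles. Deny hard with 403 rather than
        // flashing a message and letting the request continue.
        if ($allowedRoles !== [] && !$user->hasAnyRole($allowedRoles)) {
            abort(403, 'Requires one of these roles: '.implode(', ', $allowedRoles));
        }

        // Permission check is independent of the role check, so a role that merely
        // sounds right is not enough; the permission must actually be granted.
        if ($permission !== null && !$user->can($permission)) {
            abort(403, 'Missing permission: '.$permission);
        }

        return $next($request);
    }
}
```

With this, the editor user from the question needs only its own role plus the back_end-style permission named in the route; granting it the admin role (and everything admin can do) is no longer required just to get past the gate.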
Reputation: 39
Try this:
use Illuminate\Support\Facades\Auth;

// inside setup()
$user = Auth::user();
if ($user->hasRole('editor')) {
    $this->crud->denyAccess(['create', 'delete']);
}
if ($user->hasRole('usuario')) {
    $this->crud->denyAccess(['create', 'delete', 'update']);
}
Upvotes: 4
Reputation:
Yes, middleware is a good choice for checking a user's authentication and authorization levels. You can easily interrogate the request object and redirect accordingly. The actual authentication (logging in / out) of the software should be handled by a controller.
Look into Laravel's Gates and Policies as well; they provide a fine-tuned level of access for individual users, such as you mentioned, where a User has specific permissions.
This is an excellent place to get started with all this:
https://josephsilber.com/index.php/posts/2016/08/03/authorization-improvements-in-laravel-5-3
Upvotes: 1
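As an added example that serves both answers above (it is not code from either answer or from the Backpack project), this shows how the denyAccess() pattern from the first answer can be driven by a Policy, as the second answer suggests, instead of by role names hard-coded in every controller. The model Equipo, the policy EquipoPolicy and the permission strings 'equipos.create' / 'equipos.update' / 'equipos.delete' are assumed names for illustration; it assumes Backpack 3.x (CRUD::resource routing, $this->crud->denyAccess()) and a User model whose can() comes from spatie/laravel-permission. The three files are shown in one listing using PHP's bracketed namespace syntax.

```php
<?php
// Added example: a Policy decides which CRUD operations a user may perform and
// setup() asks the Gate, so controllers contain no role names at all.
// Assumed names: App\Models\Equipo, App\Policies\EquipoPolicy, and permissions
// 'equipos.create', 'equipos.update', 'equipos.delete' (created via PermissionManager).

// ---- app/Policies/EquipoPolicy.php ----
namespace App\Policies {

    use App\Models\Equipo;
    use App\User;

    class EquipoPolicy
    {
        // Method names match Backpack operation names so the controller can loop over them.
        // Gate::denies('update', Equipo::class) calls update($user) with no model instance,
        // hence the optional $equipo parameter; a real check can also use the instance.
        public function create(User $user): bool
        {
            return $user->can('equipos.create');
        }

        public function update(User $user, ?Equipo $equipo = null): bool
        {
            return $user->can('equipos.update');
        }

        public function delete(User $user, ?Equipo $equipo = null): bool
        {
            return $user->can('equipos.delete');
        }
    }
}

// ---- app/Providers/AuthServiceProvider.php (only the relevant property) ----
namespace App\Providers {

    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        protected $policies = [
            \App\Models\Equipo::class => \App\Policies\EquipoPolicy::class,
        ];
    }
}

// ---- app/Http/Controllers/Admin/EquiposCrudController.php ----
namespace App\Http\Controllers\Admin {

    use App\Models\Equipo;
    use Backpack\CRUD\app\Http\Controllers\CrudController;
    use Illuminate\Support\Facades\Gate;

    class EquiposCrudController extends CrudController
    {
        public function setup()
        {
            $this->crud->setModel(Equipo::class);
            $this->crud->setRoute(config('backpack.base.route_prefix').'/equipos');
            $this->crud->setEntityNameStrings('equipo', 'equipos');

            // Ask the policy about each mutating operation and hide the ones it denies.
            // The same loop works unchanged in every CRUD controller; only the model differs.
            $denied = [];
            foreach (['create', 'update', 'delete'] as $operation) {
                if (Gate::denies($operation, Equipo::class)) {
                    $denied[] = $operation;
                }
            }

            if ($denied !== []) {
                $this->crud->denyAccess($denied);
            }
        }
    }
}
```

An editor holding only 'equipos.update' therefore sees update but not create or delete, and a plain user holding none of the three gets read-only access, without either of them needing the admin role. Because the permission names live in the database and the policy, adding a new role is a data change rather than a code change in each controller.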