Subrata

Reputation: 175

Laravel 5.0 multiauth

I have an application which has two parts: a back-end and a front-end. In the back-end the admin can log in, and in the front-end the client can log in. This has already been implemented. All of the application's queries are done by the logged-in user id, in both the admin and client ends.

Now my app needs a functionality where the admin can view client data the same way the client sees their own profile. There are a lot of things in the client end. I can use Auth::loginUsingId($client_id). Here the client profile is shown perfectly, but the admin login session is lost, as expected.

How can I achieve this while the admin login remains and the admin can see the client's full data?

Upvotes: 6

Views: 212

Answers (5)

Robin Singh

Reputation: 91

I think middleware is the best possible option to filter the content between the admin and the normal user, because the code in the middleware runs before any function call.

You only need to set the user type in the session and filter accordingly.

Visit: https://laravel.com/docs/5.4/middleware

Upvotes: 1

shukshin.ivan

Reputation: 11340

Let me introduce the simplest way to have a login-as-client functionality. First, define asuser and returnback routes.

Routes and actions

// {user} is resolved to an App\User instance by route model binding
// (Route::model('user', App\User::class) on Laravel versions without implicit binding).
Route::get('/asuser/{user}', 'AdminController@asuser')
        ->where('user', '[0-9]+')
        ->name('asuser');
Route::get('/returnback', 'ClientController@returnback')
        ->name('returnback');

In admin's controller:

// at the top of AdminController:
// use App\User; use Illuminate\Http\Request; use Illuminate\Support\Facades\Auth;

public function asuser(User $client, Request $request) {
    /* insert checking if user has right either here with some field 
     * like $user->is_admin or using middleware settings and Policy
     */
    # who user is (the id of the currently authenticated admin)
    $fromId = Auth::id();

    # logging in as a client ("remember me" is enabled by the second argument)
    Auth::login($client, true);

    # but keeping admin in a session
    $request->session()->put('adm_id', $fromId);

    return redirect()->route('some-client-route')
                    ->with('status', 'You are logged in as a client');
}

And for returning back, in ClientController:

// at the top of ClientController:
// use App\User; use Illuminate\Http\Request; use Illuminate\Support\Facades\Auth;

public function returnback(Request $request) {
    # getting admin id (pull() removes the key from the session at the same time)
    $admId = $request->session()->pull('adm_id');
    $adminUser = User::find($admId);

    # no stored admin id, or it no longer matches a user: stay logged in as the client
    if (!$adminUser) {
        return redirect()->back()
                        ->with('status', 'Not allowed');
    }

    # logging out as a client and logging in as admin
    Auth::logout();
    Auth::login($adminUser, true);

    return redirect()->route('some-admin-route')
                    ->with('status', 'Welcome back!');
}

Is it ready for production?

No, it's not. That's not a great solution; it's just a glimpse of how to use it. Sessions have a lifetime, so if the admin doesn't return back within its lifetime, the session variables are lost and he becomes a client (if remember me = true, as in the code above). You can store the value not in a session but in a database column.

In addition, as t1gor mentioned, you must pay attention to the fact that you can't log the client's actions and send events when the admin is a client. That's the most serious problem of logging in as a client. Anyway, I suppose it is easier to solve that than to move all the auth logic out of the views.

Well, I hope it is helpful.

Upvotes: 3
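The asuser action above leaves its authorization check as a comment, and Robin Singh's answer suggests middleware as the place for that filtering. The following is an added example, not code from either answer: a route middleware that only lets an authenticated admin reach the asuser route. It assumes a boolean is_admin column on the users table (the field named in the comment above) and Laravel 5.1 or later; the middleware class name, the 'admin' alias and the Log line are my own choices.

```php
<?php
// app/Http/Middleware/EnsureAdmin.php (added example; assumes a boolean `is_admin` column on `users`)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class EnsureAdmin
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Anonymous requests and non-admin users get the same 403, so the
        // response does not reveal whether a given account exists or its role.
        if (!$user || !$user->is_admin) {
            abort(403, 'Not allowed');
        }

        // Record who is about to act as whom; this is the audit trail that
        // Auth::login() alone does not give you once the session is swapped.
        Log::info('admin route accessed', [
            'admin_id' => $user->id,
            'path'     => $request->path(),
            'ip'       => $request->ip(),
        ]);

        return $next($request);
    }
}

// app/Http/Kernel.php: register the alias used in the route definition below.
//
//     protected $routeMiddleware = [
//         // ...
//         'admin' => \App\Http\Middleware\EnsureAdmin::class,
//     ];

// app/Http/routes.php: the array form of the route definition works across Laravel 5.x
// and attaches the middleware to the impersonation route only.
Route::get('/asuser/{user}', [
    'middleware' => ['auth', 'admin'],
    'uses'       => 'AdminController@asuser',
    'as'         => 'asuser',
])->where('user', '[0-9]+');
```

With the middleware in place, the `/* insert checking ... */` block in asuser can stay empty: a client who guesses the /asuser/{id} URL receives a 403 before the controller runs, and every successful use of the route is logged with the admin's own id, which is lost from the session as soon as Auth::login($client) executes.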

t1gor

Reputation: 1292

I would rather suggest you separate the view logic, e.g. business logic, into some common layer rather than doing a "login-as-client" functionality. Even though it looks like a shortcut, you'll have a whole lot of things to think about.

For instance, how do you log application events now? Add a check everywhere that the session has an adm_id and log it instead of the userId? This is just one example.

What I would have done:

  1. Separate the view (e.g. user profiles, user content, etc.) from the session so that it is accessed by the ID in the URL or whatever other method, not by the currently logged-in user id.

  2. Implement a proper role-based ACL. There are plenty of packages already. In your example, you would have an admin role and a client role, both having the permission object view-client-profile, for instance.

In the end, this might take a lot more time for development, but would definitely save you some time debugging/troubleshooting with the angry client on the phone. Hope that helps.

Upvotes: 1

Homer

Reputation: 467

I think a good way to manage client/user profiles is to implement a user management section in your back-end, and display and edit your users and their profiles there.

Upvotes: 2

Nils Rückmann

Reputation: 603

Laravel does not provide mixed sessions. You can only be authenticated as one user at a time. If you really need this kind of functionality in Laravel 5.0, you could solve it with a hackish user ping-pong (e.g. logging in temporarily as the client and switching back to admin right after).

But it seems like your problem is more authorization-related (in contrast to authentication). Laravel implemented an authorization layer in v5.1.11. Since v5.0 is not supported anymore, you should update regardless of this feature.

You can find more information about authorization in the official documentation: https://laravel.com/docs/5.1/authorization

Upvotes: 1
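t1gor's answer recommends loading the profile by the id in the URL and deciding access with a role check, and this answer points at the authorization layer added in Laravel 5.1.11. The following is an added example that is not part of either answer and not the project's code: a policy that lets an admin view any client profile and a client view only their own, enforced by a controller that takes the user id from the route instead of from the session. It assumes Laravel 5.1.11 or later, the default App\User model, and a boolean is_admin column on users; the policy, controller and view names are my own.

```php
<?php
// app/Policies/UserPolicy.php (added example; assumes a boolean `is_admin` column on `users`)

namespace App\Policies;

use App\User;

class UserPolicy
{
    // $actor is the authenticated user, $subject is the profile being requested.
    // Admins may view any profile; everyone else only their own row.
    public function view(User $actor, User $subject)
    {
        return (bool) $actor->is_admin || $actor->id === $subject->id;
    }
}

// app/Providers/AuthServiceProvider.php: map the model to its policy so that
// $this->authorize('view', $user) resolves to UserPolicy::view().
//
//     protected $policies = [
//         \App\User::class => \App\Policies\UserPolicy::class,
//     ];

// app/Http/Controllers/ProfileController.php
namespace App\Http\Controllers;

use App\User;

class ProfileController extends Controller
{
    // The profile is selected by the {user} segment of the URL, never by Auth::id(),
    // so the same action serves both the client and the admin with no session swap.
    public function show(User $user)
    {
        // Throws AuthorizationException (rendered as 403) unless UserPolicy::view() returns true.
        $this->authorize('view', $user);

        return view('profile.show', ['user' => $user]);
    }
}

// app/Http/routes.php: both roles use the same URL; the policy decides who may see what.
// Route::model() is needed on Laravel 5.1, where implicit model binding does not exist yet.
Route::model('user', \App\User::class);
Route::get('/profile/{user}', [
    'middleware' => 'auth',
    'uses'       => 'ProfileController@show',
    'as'         => 'profile.show',
])->where('user', '[0-9]+');
```

Because the admin stays authenticated as themselves, application logs and events keep the admin's id (the problem t1gor raised with the adm_id session key disappears), and the client cannot reach another client's profile by editing the id in the URL, since the policy compares it against their own id on every request.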
