Do I need to use a middleware auth on the controller if I use Gates from Laravel?


0

Is it safe to remove an authentication middleware from a controller if I have already set a Gate in Laravel?

I did so:

In AuthServiceProvider.php

Gate::define( 'admin', function ( $user ) {
    return $user->cargo_id == '3';
} );

In the route

Route::middleware( 'can:admin' )->prefix( 'admin' )->group( function() {

    Route::get( '/', function() {

        return view( 'admin.home' );

    } );

} );

On the controller I had:

public function __construct()
{

    $this->middleware( 'auth' );

}

With the middleware removed from the controller, when the user accesses the page it directly returns a permission error instead of redirecting to the login. I prefer it that way, but is this correct in terms of security?

2 answers

1

What you want to do doesn’t make sense.

The auth middleware is one thing, a Gate is another. One checks authentication, the other checks permission.

The auth middleware is intended to allow user access when the user is authenticated. If not authenticated, Laravel returns 401 for JSON requests, or redirects to the login in the case of a web request.

The purpose of the Gate is to define what can or cannot be accessed by a certain user. One authenticated user may have access to a resource, and another may not. And this is where the Gate’s role comes in!

For example, the user who has nivel_id 1 can see the sign-up button, while the one who has the value 2 can’t.

In that case, you would create a Policy, or define via Gate::define, that such a user can access this button. The Policy method or Gate callback must return a boolean, to indicate whether the user has permission or not.

  • What doesn’t make sense? I read the library’s documentation, I understood the role of authentication and of the Gate, and all of that is apparently fine. My doubt is the one above.

  • It makes no sense to want to use the Gate without the authentication middleware.

  • I’m sorry to insist, but I need to know, why doesn’t it make sense? In my case, without auth in the controller, the unauthenticated user, instead of being redirected to the login page, sees a 403. And the authenticated user who doesn’t have access also sees a 403. Apparently it worked, my question is whether this is somehow wrong in terms of safety.

  • This is why I am asking - https://laravel.com/docs/5.7/authorization#guest-users. Where it says "By default, all gates and policies automatically return false if the incoming HTTP request was not initiated by an authenticated user."

  • @Flavio You just said yourself why you were wrong by accident. When the user is not authenticated, he cannot see a 403. The right code for an unauthenticated user is 401. The 403 should be used for when the person is authenticated but cannot access the resource. The 401 should be used to identify that there is no authentication. They are two different things. That’s why I said it makes no sense. You would need to understand this point. Even if the documentation says it does so by default, the return status will be wrong. It’s better to go the right way than the easy way.

  • 1

    I see what you mean. I added the middleware to the route, so it looks like this - Route::middleware( [ 'auth', 'can:admin' ] ) - when the user tries to access it, it first asks for authentication. After authentication, if the user does not have access, he sees a 403.

  • That’s right, that’s right


0

Hello, I had the same doubt, but after struggling with it I ended up with this:

Controller:

public function __construct()
{
    $this->middleware('auth');
    $this->middleware('can:admin');
}

You first check whether he is logged in, and then his permission.
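The behaviour discussed in the first answer (guest should be sent to login, authenticated non-admin gets 403) and the fix from both answers (auth before can:admin) can be pinned down with a feature test. This is an added example, not code from the question or the answers; it assumes a current Laravel with class-based model factories, a User model with an integer cargo_id column, and a named login route from the auth scaffolding (on Laravel 5.7 you would use factory(User::class) instead of User::factory()).

```php
<?php
// tests/Feature/AdminAccessTest.php (assumed path)
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class AdminAccessTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();

        // Same gate as in the question; in a real app it belongs in AuthServiceProvider::boot().
        Gate::define('admin', fn ($user) => $user->cargo_id == 3);

        // Gate only (the asker's variant): the "can" middleware answers 403 to guests,
        // because every gate returns false for an unauthenticated request.
        Route::middleware('can:admin')->get('/gate-only', fn () => 'admin home');

        // auth first, then can:admin (the fix from the answers): guests are redirected
        // to login, authenticated users without the permission get 403.
        Route::middleware(['auth', 'can:admin'])->get('/admin', fn () => 'admin home');
    }

    public function test_gate_only_route_gives_a_guest_403_instead_of_login(): void
    {
        $this->get('/gate-only')->assertForbidden();
    }

    public function test_guest_is_redirected_to_login(): void
    {
        $this->get('/admin')->assertRedirect(route('login'));
    }

    public function test_authenticated_non_admin_is_forbidden(): void
    {
        $user = User::factory()->create(['cargo_id' => 2]);
        $this->actingAs($user)->get('/admin')->assertForbidden();
    }

    public function test_admin_is_allowed(): void
    {
        $admin = User::factory()->create(['cargo_id' => 3]);
        $this->actingAs($admin)->get('/admin')->assertOk()->assertSee('admin home');
    }
}
```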
