Problem with filters and routes in the Laravel

Viewed 788 times

Hi. I am creating an API in Laravel.

And I have a problem with routes and access filters. I have client, operator and administrator levels.

I have routes that are common to client, operator and administrator, routes for operator and administrator, and routes exclusively for administrator.

I tried to make the groups like this:

Route::group(array('prefix' => 'api/v1', 'before' => 'auth.basic'), function()
{
    // Common routes
    Route::resource('type', 'TypeController');
    Route::resource('state', 'StateController');
    Route::resource('solicitation', 'SolicitationController');
    Route::resource('client', 'ClientController');

    // Operator routes
    Route::group(array('before' => 'auth.operator'), function()
    {
        Route::resource('location', 'LocationController');
        Route::resource('login_desktop', 'LoginDesktopController');
    });

    // Administrator routes
    Route::group(array('before' => 'auth.administrator'), function()
    {
        Route::resource('employee', 'EmployeeController');
        Route::resource('jobtitle', 'JobTitleController');
        Route::resource('location', 'LocationController');
        Route::resource('login_desktop', 'LoginDesktopController');
    });
});

And these are the filters:

Route::filter('auth.administrator', function()
{
    $user = Auth::user();
    if ($user->permission !== 'administrator')
    {
        return Response::json(array(
            'error' => true,
            'message' => 'You do not have permission to access this service.'),
            403
        );
    }
});

Route::filter('auth.operator', function()
{
    $user = Auth::user();
    if ($user->permission !== 'operator')
    {
        return Response::json(array(
            'error' => true,
            'message' => 'You do not have permission to access this service.'),
            403
        );
    }
});

Route::filter('auth.client', function()
{
    $user = Auth::user();
    if ($user->permission !== 'client')
    {
        return Response::json(array(
            'error' => true,
            'message' => 'You do not have permission to access this service.'),
            403
        );
    }
});

But when I log in with an administrator-level account the route works normally, whereas when I log in as an operator I get the error from the validation.

The error is that it enters the operator filter and then it enters the administrator filter.

I would like to know whether it is possible to validate for operator only, without entering the administrator filter.

  • I’ve had that problem. For every Route::group you will have to add an if to check that the level of the route group is the same as the one that comes from Auth::user(). The problem is that, for Route::controller and Route::resource, Laravel seems to accept registering a validation only once.

  • Or you can make an implementation of an ACL in Laravel. (I made it into two systems that use Laravel, and I think it looks really good!). Example: http://ollieread.com/blog/2014/03/18/a-simplified-laravel-acl/

1 answer

Try merging the routes to the same resource into a new filter, for example:

Route::filter('auth.administrator_or_operator', function()
{
    $groups = array("administrator", "operator");
    $user = Auth::user();

    if (!in_array($user->permission, $groups))
    {
        return Response::json(array(
            'error' => true,
            'message' => 'You do not have permission to access this service.'),
            403
        );
    }
});

Then the routes would look like this:

Route::group(array('prefix' => 'api/v1', 'before' => 'auth.basic'), function()
{
    // Common routes
    Route::resource('type', 'TypeController');
    Route::resource('state', 'StateController');
    Route::resource('solicitation', 'SolicitationController');
    Route::resource('client', 'ClientController');

    // Operator routes
    Route::group(array('before' => 'auth.operator'), function()
    {
        // nothing left here
    });

    // Administrator routes
    Route::group(array('before' => 'auth.administrator'), function()
    {
        Route::resource('employee', 'EmployeeController');
        Route::resource('jobtitle', 'JobTitleController');
    });

    // Routes shared by administrator and operator. This group stays inside the
    // api/v1 group so that it keeps the prefix and auth.basic runs before the role check.
    Route::group(array('before' => 'auth.administrator_or_operator'), function()
    {
        Route::resource('location', 'LocationController');
        Route::resource('login_desktop', 'LoginDesktopController');
    });
});

All of this is because the routes have the same name; another solution would be to give them different names: Location-admin, Location-Operator ...

  • You can also use the Zizaco packages, which are more complete for authentication and user levels: https://github.com/Zizaco/entrust and https://github.com/Zizaco/confide

  • Or use Sentry: https://cartalyst.com/manual/sentry/2.1#Laravel-4

  • I did it this way, but the only problem is that if I want to restrict access to some routes for the Operator, like "Location.delete", I won’t be able to do it in the routes file. But this is not a big problem because I can restrict it in the controller; still, I will study the other two solutions you gave me.
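As an added example (not code from the question or from the answer above), the routes file below addresses both the duplicate-resource problem in the question and the per-action restriction raised in the last comment: it folds the three per-role filters and the combined filter into one parameterised role filter, fails closed when there is no authenticated user, registers each resource exactly once, and uses the except option of Route::resource so that the destroy action of location is registered under the administrator-only group while the rest of the resource stays shared. It assumes, as the question does, a Laravel 4 application with a working auth.basic filter and a permission attribute on the user model; the controller names are the ones from the question.

```php
<?php
// app/routes.php (Laravel 4). Added example; assumes an 'auth.basic' filter and a
// users.permission column holding 'client', 'operator' or 'administrator', as in the question.

// One parameterised filter replaces auth.client / auth.operator / auth.administrator
// and the combined auth.administrator_or_operator filter.
// Usage: 'before' => 'role:operator,administrator'. Laravel 4 splits the text after ':'
// on commas and passes each value to the filter as an extra argument.
Route::filter('role', function($route, $request)
{
    $allowed = array_slice(func_get_args(), 2);   // e.g. array('operator', 'administrator')
    $user = Auth::user();

    // Fail closed: no authenticated user, or a permission outside the allowed set, gets 403.
    // Strict in_array so that a permission like 0 or '' cannot match loosely.
    if ($user === null || !in_array($user->permission, $allowed, true))
    {
        return Response::json(array(
            'error'   => true,
            'message' => 'You do not have permission to access this service.',
        ), 403);
    }
});

Route::group(array('prefix' => 'api/v1', 'before' => 'auth.basic'), function()
{
    // Common routes: any authenticated user.
    Route::resource('type', 'TypeController');
    Route::resource('state', 'StateController');
    Route::resource('solicitation', 'SolicitationController');
    Route::resource('client', 'ClientController');

    // Operator OR administrator. Each resource is registered once: a route collection
    // holds one route per URI and HTTP method, so registering 'location' in two groups
    // does not give either/or filtering; the set of roles has to live in one filter.
    Route::group(array('before' => 'role:operator,administrator'), function()
    {
        // 'except' leaves DELETE /api/v1/location/{location} unregistered here,
        // so the destroy action can be given to administrators alone below.
        Route::resource('location', 'LocationController', array('except' => array('destroy')));
        Route::resource('login_desktop', 'LoginDesktopController');
    });

    // Administrator only.
    Route::group(array('before' => 'role:administrator'), function()
    {
        Route::resource('employee', 'EmployeeController');
        Route::resource('jobtitle', 'JobTitleController');

        // The single action carved out above, now under the stricter filter. The route
        // name matches what Route::resource would have generated, so
        // route('location.destroy', $id) keeps working in the rest of the application.
        Route::delete('location/{location}', array(
            'as'   => 'location.destroy',
            'uses' => 'LocationController@destroy',
        ));
    });
});
```

Because group filters in Laravel 4 are merged from the outside in, auth.basic always runs before the role filter, so an unauthenticated request is answered with 401 by auth.basic and never reaches the role check; the null check in the filter is there so that the filter still fails closed if it is ever attached to a route outside that group.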
