Access Control in Laravel

Transcript

1. Access Control in Laravel

2. Access Control in Laravel

3. What is Access Control?

4.    ACL 403 200

5. How to do that in Laravel?

6. public function index() { //check access if(Gate::denies('view-post-list')) { abort(403); }

   $posts = Post::all(); return response()->json($posts); } denies allows check

7. But, where do I define the 'ability'?

8. class AuthServiceProvider extends ServiceProvider { ... public function boot(GateContract $gate)

   { $this->registerPolicies($gate); //Definition of access control $gate->define('view-post-list', function ($user) { return $user->isModerator(); }); } }

9. But I wan't to give access selectively

10. public function edit(Request $req, $id) { $post = Post::findOrFail($id); //check

    access if(Gate::denies('edit-post',$post)) { abort(403); } return response()->json($post); }

11. Now, How to define this?!

12. $gate->define('edit-post', function ($user, $post){ return $user->id === $post->user_id; });

13. What if I'm a Super Admin?

14. $gate->before(function ($user, $ability){ if ($user->isSuperAdmin()) { return true; } });

15. How to log failed Gate checks?

16. $gate->after( function ($user, $ability, $result, $arguments){ if (!$result) { //Log

    here } });

17. Cleaner way to define abilities

18. $gate->define('update-post', 'Class@method'); Defining in classes

19. php artisan make:policy PostPolicy Defining Policies

20. protected $policies = [ Post::class => PostPolicy::class, ]; Advantages Cleaner

    Code Implicitly identifies Policy to use

21. Blade 'can'!

22. @can('edit-post', $post) <a href='{{ url('post.edit',$post->id) }}'>Edit Post</a> @else <a class='disabled'

    href='{{ url('post.edit',$post->id) }}'> Edit Post </a> @endcan

23. Simple Implementation

24. Schema::create('users', function (Blueprint $table) { $table->increments('id'); $table->string('name'); $table->string('email')->unique(); $table->string('password'); $table->string('roles');

    $table->rememberToken(); $table->timestamps(); }); Add roles to user

25. class User extends Authenticatable { ... protected $casts = [

    'roles' => 'collection' ]; } Cast roles to Collection

26. $gate->define('create-post', function($user){ return $user->roles->contains('author'); }); Define the abilities

27. Now 'Gate!!!' public function create(Request $req) { //check access if(Gate::denies('create-post'))

    { abort(403); } return view('post.create'); }

28. Thank you! www.fareez.info [email protected]