
Roles Nested Groups

Open mybigman opened this issue 8 years ago • 3 comments

Hi,

Having an issue with route group protection on nested groups.

Route::group([
        'prefix' => 'application/fast',
        'middleware' => ['web', 'auth', 'acl'],
        'is' => 'god|fast.admin|fast.user',
        'namespace' => 'Modules\Fast\Http\Controllers',
        'as' => "fast."
    ],
    function () {

        ### ADMIN ###
        Route::group([
                'prefix' => 'admin',
                'middleware' => ['logger'],
                'is' => 'god|fast.admin', // <--- ISSUE HERE
                'namespace' => 'Admin',
                'as' => "admin."
            ],

If I remove "|fast.admin" from the ADMIN group I can access the admin page, but with it there it's permission denied. It doesn't matter what additional roles I add, it's still permission denied.

Expected result is all three user roles can access the frontend but ONLY the two roles should access the backend.

Here's a dump of the router with "|fast.admin" removed.

Route {#264 ▼
  #uri: "application/fast/admin"
  #methods: array:2 [▶]
  #action: array:8 [▼
    "middleware" => array:4 [▼
      0 => "web"
      1 => "auth"
      2 => "acl"
      3 => "logger"
    ]
    "is" => array:2 [▼
      0 => "god|fast.admin|fast.user"
      1 => "god"
    ]
    "uses" => "Modules\Fast\Http\Controllers\Admin\HomeController@index"
    "controller" => "Modules\Fast\Http\Controllers\Admin\HomeController@index"
    "namespace" => "Modules\Fast\Http\Controllers\Admin"
    "prefix" => "application/fast/admin"
    "where" => []
    "as" => "fast.admin.index"
  ]

Bug or user error :)

Thanks.

mybigman avatar Feb 14 '17 05:02 mybigman

After some digging, it appears to be a bug.

"is" appears to need to be a string, in which the second "is" group needs to overwrite the first, since it returns both route groups.

Thanks

mybigman avatar Feb 14 '17 06:02 mybigman

As a workaround I have done the following, in case anyone else needs it until there's an official release.

Middleware\HasPermission.php - Line 172

from

    /**
     * Extract required action from requested route.
     *
     * @param string $key action name
     * @return string
     */
    protected function getAction($key)
    {
        $action = $this->request->route()->getAction();

        return isset($action[$key]) ? $action[$key] : false;
    }

to

    /**
     * Extract required action from requested route.
     *
     * @param string $key action name
     * @return string|false
     */
    protected function getAction($key)
    {
        $action = $this->request->route()->getAction();

        if (! isset($action[$key])) {
            return false;
        }

        // Nested route groups yield one entry per group; a single group yields a string.
        $roles = (array) $action[$key];

        // Use the last entry, i.e. the innermost group's value.
        return end($roles);
    }

mybigman avatar Feb 14 '17 07:02 mybigman
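
An added illustration, not part of the original thread or the package's code: it evaluates the merged `is` array from the router dump under the innermost-wins workaround and under a stricter rule where every enclosing group must pass. It assumes `|` means "any of these roles" and uses `array_merge_recursive` as a stand-in for the router's group merge; `matchesAny`, `innermostWins` and `allLevelsPass` are hypothetical names.

```php
<?php
// Added illustration; not code from the laravel-acl package.

// Constructed sample: the nested groups' "is" values from the issue.
$outer = ['is' => 'god|fast.admin|fast.user'];
$inner = ['is' => 'god|fast.admin'];

// Assumption: stand-in for the router's group merge. It produces the same
// kind of two-element "is" array that the router dump in the issue shows.
$action = array_merge_recursive($outer, $inner);

// Constructed counter-case: the inner group names a role the outer one lacks.
$widened = array_merge_recursive(['is' => 'god|fast.admin'], ['is' => 'god|fast.user']);

/** Assumed semantics: "a|b|c" is satisfied by holding any one listed role. */
function matchesAny(string $expr, array $userRoles): bool
{
    return count(array_intersect(explode('|', $expr), $userRoles)) > 0;
}

/** Workaround semantics: only the innermost group's "is" is evaluated. */
function innermostWins(array $action, array $userRoles): bool
{
    $levels = (array) $action['is'];
    return matchesAny(end($levels), $userRoles);
}

/** Stricter alternative: every enclosing group's "is" must be satisfied. */
function allLevelsPass(array $action, array $userRoles): bool
{
    foreach ((array) $action['is'] as $expr) {
        if (!matchesAny($expr, $userRoles)) {
            return false;
        }
    }
    return true;
}

$verdict = fn(bool $ok): string => $ok ? 'allow' : 'deny';
foreach (['issue' => $action, 'widened' => $widened] as $label => $merged) {
    foreach (['fast.admin', 'fast.user'] as $role) {
        printf("%-8s %-10s innermost=%-5s all-levels=%s\n", $label, $role,
            $verdict(innermostWins($merged, [$role])),
            $verdict(allLevelsPass($merged, [$role])));
    }
}
```

For the issue's own groups both rules agree; in the constructed `widened` case they differ for `fast.user`, because innermost-wins never consults the outer group's list.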

@mybigman can you please post a PR for the fix? Thanks

Also, wouldn't this work?

return isset($action[$key]) ? end($action[$key]) : false;

Also, I don't recall if $action[$key] is supposed to be an array. I have to go through the code again.

kodeine avatar Feb 28 '17 04:02 kodeine