
Protecting Routes, using different roles (unsolved in the other issue with the same name)

Open srueda27 opened this issue 9 years ago • 3 comments

First of all, sorry for creating a new issue, but I didn't know if you look at closed issues.

I'm having an issue just like this one, and I already changed my code to match this post. I have 3 roles and I need to give all access to two of them and just one to the other one.

<?php

use Kodeine\Acl\Models\Eloquent\Permission;

// $roleCustomer, $roleAdministrator and $roleAgent are Role instances
// fetched earlier (not shown in the post).

$permission = new Permission();
$adminAgentPermission = $permission->create([
    'name'        => 'customers',
    'slug'        => [
        'create' => true,
        'view'   => true,
        'update' => true,
        'delete' => true,
    ],
    'description' => 'manage crud of customers for administrators and agents',
]);

$permissionCustomer = Permission::create([
    'name'        => 'customers.customer',
    'slug'        => [ // an array of permissions only for supervisor
        'delete' => false,
        'view'   => false,
        'create' => false,
    ],
    // we use permission inheriting.
    'inherit_id'  => $adminAgentPermission->getKey(),
    'description' => 'manage update for customers',
]);

$roleCustomer->assignPermission($permissionCustomer);

$roleAdministrator->assignPermission($adminAgentPermission);
$roleAgent->assignPermission($adminAgentPermission);

After that I managed the routes like this:

Route::group(['middleware' => ['jwt.auth', 'acl'], 'is' => 'customer'], function () {
    Route::resource('customers', 'CustomerController', ['only' => ['update']]);
});

// Service for managing customers for administrators and agents
Route::group(['middleware' => ['jwt.auth', 'acl'], 'is' => 'administrator|agent', 'protect_alias' => 'customers'], function () {
    Route::resource('customers', 'CustomerController');
});

But at the end what I get is that the Administrator/Agent has all the access and the Customer has no access.

If I change the route of the Customer to this:

Route::group(['middleware' => ['jwt.auth', 'acl'], 'is' => 'customer'], function () {
    Route::put('customers/{id}', 'CustomerController@update');
});

What happens is that the Customer has access to this resource (and nothing else) but the Administrator/Agent is unauthorized (with access to view, create and delete).

srueda27, Nov 06 '15 22:11

What I would do is create a separate route controller/group for customer with your specific rights. And when a customer logs in you can redirect them to that route. From what I can tell you are trying to give different rights on the same route for different roles. I may be wrong.

andreiculda, Jan 29 '16 10:01

Agree with @andreiculda.

kodeine, Jan 31 '16 18:01

Can it work this way?

Route::resource('customers', 'CustomerController', [
    'protect_alias'   => 'perm_alias',
    'protect_methods' => [
        'create' => ['someMethod', 'anotherMethod'],
        'read'   => ['readMethod', 'showMethod'],
        'view'   => ['readMethod', 'showMethod'], // it's the same as read.
        'update' => ['editMethod'],
        'delete' => ['destroyMethod'],
    ],
]);

I tried it, but this failed. Is that normal?

AyodejiO, Jun 23 '16 09:06
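To make the behaviour in this thread easier to reason about, here is an added, framework-free PHP model of the two mechanisms involved: the inherited permission from the opening post (child slug keys override the parent's) and the resource-method-to-permission mapping that a `protect_alias` / `protect_methods` style group relies on, as asked about in the last comment. This is example code written for this page, not code from kodeine/laravel-acl or from anyone in the thread. It assumes that inheritance behaves like `array_merge` of the parent slug followed by the child slug, and the `METHOD_ACTIONS` table is an assumed mapping, not the package's own; the permission rows and role assignments are constructed to mirror the opening post.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for the two Permission rows in the opening post.
$permissions = [
    1 => ['name' => 'customers', 'inherit_id' => null,
          'slug' => ['create' => true, 'view' => true, 'update' => true, 'delete' => true]],
    2 => ['name' => 'customers.customer', 'inherit_id' => 1,
          'slug' => ['delete' => false, 'view' => false, 'create' => false]],
];

// Role => permission ids, as assigned in the opening post.
$roles = [
    'administrator' => [1],
    'agent'         => [1],
    'customer'      => [2],
];

// Resolve a permission's effective slug by walking inherit_id.
// Assumption: the child's keys win over the parent's (array_merge order).
function resolveSlug(array $permissions, int $id): array
{
    $perm   = $permissions[$id];
    $parent = $perm['inherit_id'] !== null
        ? resolveSlug($permissions, $perm['inherit_id'])
        : [];
    return array_merge($parent, $perm['slug']);
}

// Effective "action => allowed" map for one role; any true grant wins.
function roleAbilities(array $permissions, array $roles, string $role): array
{
    $abilities = [];
    foreach ($roles[$role] ?? [] as $permId) {
        foreach (resolveSlug($permissions, $permId) as $action => $allowed) {
            $abilities[$action] = ($abilities[$action] ?? false) || $allowed;
        }
    }
    return $abilities;
}

// Assumed map from resource controller methods to permission actions
// (the kind of table a protect_methods option lets you override).
const METHOD_ACTIONS = [
    'index'   => 'view',   'show'   => 'view',
    'create'  => 'create', 'store'  => 'create',
    'edit'    => 'update', 'update' => 'update',
    'destroy' => 'delete',
];

// Decide one request. $groupRoles mirrors the group's 'is' option
// ('administrator|agent'); $method is the controller method hit.
function authorize(array $permissions, array $roles, string $userRole, string $groupRoles, string $method): bool
{
    if (!in_array($userRole, explode('|', $groupRoles), true)) {
        return false; // role gate of the route group fails first
    }
    $action = METHOD_ACTIONS[$method] ?? null;
    if ($action === null) {
        return false; // unmapped method: deny by default
    }
    return roleAbilities($permissions, $roles, $userRole)[$action] ?? false;
}

// Walk both route groups from the thread for every role and method.
foreach (['customer', 'agent', 'administrator'] as $role) {
    foreach (array_keys(METHOD_ACTIONS) as $method) {
        $viaCustomerGroup = authorize($permissions, $roles, $role, 'customer', $method);
        $viaStaffGroup    = authorize($permissions, $roles, $role, 'administrator|agent', $method);
        printf("%-13s %-8s customer-group=%-5s staff-group=%s\n",
            $role, $method,
            var_export($viaCustomerGroup, true), var_export($viaStaffGroup, true));
    }
}
```

Running it shows the customer role resolving to `update` only (every other key was overridden to false by the child permission) and passing only through the `'is' => 'customer'` group, while administrator and agent pass only through the `administrator|agent` group. That is the reason a single route group cannot hand different rights to different roles here: the `is` gate is evaluated per group before any permission slug is consulted, which is exactly the separate-group layout @andreiculda suggests.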