4

I'm developing a Laravel ACL System. My base Table's are users,roles,permissions and pivot tables are role_user,role_permission,user_permission.

I want to check User Permissions using my custom middleware HasPermission. I have tried this way but it's not working properly. every user can access the all the permissions which have or have not.

Now, How can I solve the issue. Please see my code sample.

My Controller.

function __construct()
{
    $this->middleware('auth');
    $this->middleware('HasPermission:Role_Read|Role_Update|Role_Delete');
}

My Middleware.

class HasPermission
{

public function handle($request, Closure $next,$permissions)
{

    $permissions_array = explode('|', $permissions);
    // $user = $this->auth->user();
    foreach($permissions_array as $permission){
        if(!$request->user()->hasPermission($permission)){
            return $next($request);
        }
    }

    return redirect()->back();

 }
}

and, my User Model method.

public function user_permissions()
{
    return $this->belongsToMany(Permission::class,'user_permission');
}

public function hasPermission(string $permission)
{
    if($this->user_permissions()->where('name', $permission)->first())
    {
        return true;
    }
    else
    {
        return false;
    }

}
Improve this question
2
  • i'm used hasPermission method inside User Model to check the User Permission. Commented Jul 3, 2018 at 12:26
  • I solve it following this solution: enter link description here Commented Feb 1, 2019 at 19:00

4 Answers 4

Reset to default
0

Best way to do is that you need to introduce an new service provider and in that you can check the authorization and permissions.

I made a test project (last year) for db driven permission and I used service provider.

That's the perfect way to implement.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Well, yes i can. Please share your email so I will send code and test db Thanks
my email id is [email protected]
Just added you in a bitbucket repo. YOu need to import database file manually (located in database folder .sql) Further, you may contact at [email protected] and upvote here :)
I can't see anything.
Not now after checking that :)
0

Basically !$request->user()->hasPermission($permission) is saying if the user associated with the request does not have this permission the middleware passes, however this is not what you want. Here's what you should do:

If you need the user to have one of the stated permissions you need to do:

class HasPermission
{

    public function handle($request, Closure $next,$permissions)
    {

        $permissions_array = explode('|', $permissions);
        foreach($permissions_array as $permission){
            if ($request->user()->hasPermission($permission)){
                return $next($request);
            }
        }    
       return redirect()->back();    
    }
}

If you want the user to have all stated permissions you need to do:

class HasPermission
{

    public function handle($request, Closure $next,$permissions)
    {

        $permissions_array = explode('|', $permissions);
        foreach($permissions_array as $permission){
            if (!$request->user()->hasPermission($permission)){
                return redirect()->back();                        
            }
        }    
        return $next($request);
    }
}

As an added note if you want to do this in a more elegant way you can do:

class HasPermission
{

    public function handle($request, Closure $next, ...$permissions_array)
    {    
       //Function body from above without the explode part
    }
}

And 

function __construct()
{
   $this->middleware('auth');
   $this->middleware('HasPermission:Role_Read,Role_Update,Role_Delete');
}

If you use commas then the framework will split the string into arguments for you .

Improve this answer

1 Comment

Hi sir, I just use your code, but like I gave the user (edit and delete) then put __construct in controller but even he does not has permission to edit, he can open the edit page or even delete!
0

In my case i just added simple function to get permissions from database and then check it Middleware. Check this code:

// Add new function to get permissions from database 

public static function user_permissions($user) {

$permissions=DB::table('permissions')->where('user_id', $user)->first();
return $permissions; 

}

// In Middleware check your permissions

   if(Auth::guest())
    {
        return redirect('/');
    }

elseif(Functions::user_permissions(Auth::user()->id)->user_managment != 1) {

 return redirect('/');

} else {
    return $next($request);
}
Improve this answer

Comments

0

In web.php/api.php:

Route::middleware('hasPermission')->group(function() { // for all routes
    Route::get('/article', [ArticleController::class, 'index'])->name('article.index');
});

in middleWare:

class HasPermission
{

    public function handle($request, Closure $next)
    {
        $routeName = Request::route()->getName();
        $permission = $user->permissions()->where('route_name', $routeName)->first();
        if ( ! empty($permission)){
            return redirect()->back();                        
        }
        return $next($request);
    }
}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.