How to correctly implement user authorization in Laravel?

V

vlad31442019-04-13 15:30:54

Laravel

vlad3144, 2019-04-13 15:30:54

There are tables, "usrers", "usres_roles", "users_has_roles".
I made a user registration through a regular form, with the addition of a many to many relationship model. So that when a user registers, he is automatically assigned the "user" role and entered data in the "users_has_roles" table, in the user_id and role_id fields, respectively.
Through the usual Auth::attempt, data is taken only from the "users" table.
How can I correctly implement so that the user is assigned his roles during authorization?
For example, I would like Auth to store the "user_role" field. And already on the basis of the data contained in this field, it would be possible to check the user's access to the page through middleware.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

J

jazzus, 2019-04-14
@vlad3144

Create intermediate tables
user_roles with keys user_id role_id to link roles to users
role_perms with role_id perm_id to link roles to rules
Relation in user to role

public function roles() {
  return $this->belongsToMany('App\Models\Role', 'user_roles', 'user_id', 'role_id')
                ->withPivot('active');
}

In role perm

public function perms() {
 return $this->belongsToMany('App\Models\Perm', 'role_perms', 'role_id', 'perm_id');
}

Add the necessary rules to perm (table id name) of type
CREATE_PROJECT
Permission to create projects.
Write rule validation in the user model. The method iterates over roles and role rules. If it finds a rule passed from the provider, returns true.

public function hasPerm($perm_id) {
      foreach ($this->roles as $role) {
        foreach ($role->perms as $perm) {
          if ($perm_id==$perm->id) {
            return true; }}}
    }

Add to AuthServiceProvider.php in boot. The check is done by the name of the rule (eg CREATE_PROJECT). Search by id in the hasPerm method

$perms = Perm::get();
foreach ($perms as $perm) {
   Gate::define($perm->name, function($user) use($perm) {
   return $user->hasPerm($perm->id);
   });
}

Link the rules and roles in advance through attach
When registering (or at another time, for example, with your hands in the admin panel), you assign a role to the user through attach.
Eventually.
In blade templates, you can restrict access to any element through the can directive

@can ('CREATE_PROJECT')
<input type="button" value="Создать проект">
@endcan

In controllers access to methods through Gate

public function store (ProjectRequest $request) {
    //доступ к методу
    if (Gate::denies('CREATE_PROJECT')) {
           abort(404);
     }
}

Create Middleware to restrict access to routes. There's a check

if($user->hasRole($roleId)){
   return $next($request);
}
return redirect('/');

If the user has a role, then he lets on, if not, then redirect to the main one. The hasRole method returns true/false on user, checking if the user has a role.

public function hasRole($id) {
    return $this->roles->contains('id',$id);
}