Restricting Routes or controllers for auth status #257
-
|
So I'm still very new to MVC and CI/Shield, working on my first project on it. How do I go about restricting or making sure people can't access areas they're not authorized for? In my layout file I've figured out how to use loggedIn and can to control the loggedIn and authorized areas in the view/layout: helper("auth");
$user = auth()->user();
if (auth()->loggedIn()) {
...
if($user->can("airports.admin")) {How do I ensure if somehow they access it? Do I try a filter on a route? From the way I read the filter code, all it does is check if loggedIn, not if they can access an area, or do I daisy chain a filter with a can access function in the route, or do I write it in the controller? |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 13 replies
-
|
See #250 (comment) |
Beta Was this translation helpful? Give feedback.
-
|
All I can see from that is a filter for the route that shows logged in. Not whether they're authorized for that route/section. Same with reading the code for the various included filters, all it checks for is if they're logged in, not a verification of authorization. If I'm missing something let me know, but this is what I'm think I'd need to do to secure routes, but this feels cumbersome for a heavy admin interface:
|
Beta Was this translation helpful? Give feedback.
-
|
I feel the way is not good. You can write your own filter that checks permissions, |
Beta Was this translation helpful? Give feedback.
-
|
I agree with Kenjis, and recommend creating a filter that accepts the permissions you want to check as parameters. Shield doesn't have this but Myth (it's predecessor) does and it should be fairly easy to adapt to the Shield way of doing things: https://github.com/lonnieezell/myth-auth/blob/develop/src/Filters/PermissionFilter.php |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, it sounds like a PermissionFilter would be handy to bring across. Looks like the initial port missed that and it's a good feature. |
Beta Was this translation helpful? Give feedback.
-
|
The example is here.
$routes->get('/admin/airports', 'Admin::airports', ['filter' => 'permission:admin.airports']);
<?php
namespace Shield\Filters;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\Filters\FilterInterface;
use Shield\Exceptions\PermissionException;
class PermissionFilter implements FilterInterface
{
public function before(RequestInterface $request, $params = null)
{
if (empty($params)) {
return;
}
if (!function_exists('auth')) {
helper('auth');
}
if (!auth()->loggedIn()) {
return redirect()->to('login');
}
$result = true;
foreach ($params as $permission) {
$result = $result && auth()->user()->can($permission);
}
if (!$result) {
throw new PermissionException(lang('Auth.notEnoughPrivilege'));
}
}
// ------------------------------------------------------------------------
public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
{
// Do nothing
}
} |
Beta Was this translation helpful? Give feedback.
-
|
which folder do i put this in, please?? because I cant get it to work. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
I set it up this way: App\Filters\PermissionFilter.php I don't know enough about namespacing to provide a detailed answer, but in this case, a filter stored as App\Filters<filename.php> should be namespaced to App\Filters. |
Beta Was this translation helpful? Give feedback.
-
|
@jlopes90 |
Beta Was this translation helpful? Give feedback.
-
|
PR #393 |
Beta Was this translation helpful? Give feedback.
The example is here.
App\Config\Routes.phpApp\Filters\PermissionFilter.php