Abyss edited this page Jul 20, 2017 · 11 revisions

Protecting Routes using middleware

The ACL middleware first checks whether the controller uses resource method names (index, create, store, etc.). If the method name is not a resource method (anything other than index, create, store, ...), it falls back to a RESTful check based on the HTTP method (GET, POST, PUT, DELETE).

If neither of those fits your project, the protect_methods param must be defined, passing an array of the methods that need to be protected for each CRUD action.

For example, when a user views content the request is a GET, so ACL first checks whether the controller method is a resource method; if not, it falls back to the RESTful check, sees the GET method and knows that view has to be protected, hence the user must have the view.user permission.

If you pass protect_methods, you define your own method names to protect for the resource:

[
    'create' => ['store'],                              // protects store() on create.user (create.alias)
    'view'   => ['index', 'create', 'show', 'edit'],    // protects index(), create(), show(), edit() on view.user
    'update' => ['update'],
    'delete' => ['destroy']
]

Parameter definitions:

  • validate that the user has a role: ['is' => 'administrator']

  • validate that the user has permissions: ['can' => 'view.admin, update.user']

  • protect controller methods: ['protect_alias' => 'user'] uses the permission alias user and protects the CRUD methods according to the permissions of that alias.

    For example, if the user has permission to view but not to update, the HTTP GET method is allowed but PUT is not. If you need to provide your own controller methods to protect, you have to define them as an array:

['protect_alias'   => 'user',
 'protect_methods' => [
     'create' => ['someMethod', 'anotherMethod'],
     'read'   => ['readMethod', 'showMethod'],
     'view'   => ['readMethod', 'showMethod'], // same as read.
     'update' => ['editMethod'],
     'delete' => ['destroyMethod']
]];

Protect route group/resource

Protecting routes is easy. The following checks whether the user has the administrator role:

Route::group(['prefix' => 'user', 
              'middleware' => ['auth', 'acl'],
              'is' => 'administrator'], 
function () {
    Route::resource('user', 'UsersController');
});

Or check that the user has the administrator role and the permissions create.user and delete.user:

Route::group(['prefix' => 'user', 
              'middleware' => ['auth', 'acl'],
              'is' => 'administrator',
              'can' => 'create.user, delete.user'], 
function () {
    Route::resource('user', 'UsersController');
});

Or protect the CRUD methods by the user permission alias:

Route::group(['prefix' => 'user', 
              'middleware' => ['auth', 'acl'],
              'is' => 'administrator',
              'can' => 'do.something',
              'protect_alias' => 'user'], 
function () {
    Route::resource('user', 'UsersController');
});
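To make the rules from the parameter definitions and the route groups above concrete, here is an added, stand-alone PHP illustration (not the package's own middleware code) of the resolution the page describes: given a route's is / can / protect_alias / protect_methods attributes, the controller method being hit and the HTTP verb, it computes which role and permissions the request needs, then evaluates them against a user's permission set. The default method mapping is assumed from the page's protect_methods example, the verb-to-action fallback is assumed beyond the GET => view case the page states, and the route attributes, user and helper names are constructed for this illustration.

```php
<?php
// Added illustration of the ACL resolution rule described on this page.
// This is not the package's own code; every mapping below is an assumption
// modelled on the page's examples.

declare(strict_types=1);

// Assumed default resource-method mapping, copied from the page's protect_methods example.
const DEFAULT_PROTECT_METHODS = [
    'create' => ['store'],
    'view'   => ['index', 'create', 'show', 'edit'],
    'update' => ['update'],
    'delete' => ['destroy'],
];

// Assumed fallback from HTTP verb to CRUD action (the page states GET => view; the rest is assumed).
const VERB_TO_ACTION = [
    'GET'    => 'view',
    'HEAD'   => 'view',
    'POST'   => 'create',
    'PUT'    => 'update',
    'PATCH'  => 'update',
    'DELETE' => 'delete',
];

/**
 * Return the CRUD action a controller method is listed under, or null if it is not listed.
 * 'read' is treated as an alias of 'view', as the page's comment says.
 */
function actionForMethod(string $method, array $protectMethods): ?string
{
    foreach ($protectMethods as $action => $methods) {
        if (in_array($method, $methods, true)) {
            return $action === 'read' ? 'view' : $action;
        }
    }
    return null;
}

/**
 * Compute the checks a request must pass: ['is' => role|null, 'can' => [permission, ...]].
 */
function requiredChecks(array $route, string $controllerMethod, string $httpVerb): array
{
    $checks = ['is' => $route['is'] ?? null, 'can' => []];

    // Explicit 'can' list is a comma-separated string, as in the page's examples.
    if (!empty($route['can'])) {
        $checks['can'] = array_map('trim', explode(',', $route['can']));
    }

    // protect_alias derives one more permission from the method name or, failing that, the verb.
    if (!empty($route['protect_alias'])) {
        $map    = $route['protect_methods'] ?? DEFAULT_PROTECT_METHODS;
        $action = actionForMethod($controllerMethod, $map)
               ?? VERB_TO_ACTION[strtoupper($httpVerb)]
               ?? null;
        if ($action !== null) {
            $checks['can'][] = $action . '.' . $route['protect_alias'];
        }
    }

    $checks['can'] = array_values(array_unique($checks['can']));
    return $checks;
}

/** Evaluate the checks against a user described as ['roles' => [...], 'permissions' => [...]]. */
function isAllowed(array $user, array $checks): bool
{
    if ($checks['is'] !== null && !in_array($checks['is'], $user['roles'], true)) {
        return false;
    }
    foreach ($checks['can'] as $permission) {
        if (!in_array($permission, $user['permissions'], true)) {
            return false;
        }
    }
    return true;
}

// Constructed route attributes, mirroring the third route group on the page.
$route = [
    'is'            => 'administrator',
    'can'           => 'do.something',
    'protect_alias' => 'user',
];

// Constructed user: an administrator who may view and create users but not delete them.
$user = [
    'roles'       => ['administrator'],
    'permissions' => ['do.something', 'view.user', 'create.user'],
];

// Two resource methods, one unlisted GET method and one unlisted DELETE method.
$requests = [['index', 'GET'], ['store', 'POST'], ['destroy', 'DELETE'], ['export', 'GET'], ['purge', 'DELETE']];
foreach ($requests as [$method, $verb]) {
    $checks = requiredChecks($route, $method, $verb);
    printf("%-8s %-6s needs %-28s => %s\n", $method, $verb,
        implode(', ', $checks['can']), isAllowed($user, $checks) ? 'allowed' : 'denied');
}
```

Running the script shows that index, store and the unlisted export (GET, hence view.user) are allowed, while destroy and the unlisted purge (DELETE, hence delete.user) are denied: an unrecognised method name never bypasses the check, it simply falls through to the verb-based permission.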

Protect route

Protecting a single route is as easy as setting up a route group; simply use the same permission params:

Route::get('/dashboard', [
    'uses'       => 'DashboardController@index',
    'middleware' => ['auth', 'acl'],
    'is'         => 'administrator',
    'can'        => 'view.dashboard']);

Or protect the CRUD methods by the dashboard alias:

Route::get('/dashboard', [
    'uses'          => 'DashboardController@index',
    'middleware'    => ['auth', 'acl'],
    'is'            => 'administrator',
    'protect_alias' => 'dashboard']);