
I am a total newbie with Laravel and have been learning it for a week now. I have some basic questions that I can't find an answer to. Next week I will start developing a CRM system and I need some info from experienced developers who could tell me whether the approach I intend to take is a good one.

  1. I will need some authentication system, with 4 groups of users (Admin, Basic, Manager, Office) where Manager and Admin will add the Basic users. There will be a few views and features, and every group will have defined access to each view and feature. For a few days I have been searching for packages, watching tutorials and learning. I found an interesting package which I think could help me with this user-group-permission thing. The package is Sentry. Could this help me with my requirements?

  2. What is the case when, for example, I have a user in group Basic and he deletes some comment with a button. In the bottom left of the browser the user can see the link to this comment when he hovers over the link, for example www.test.com/comments/345/delete where the id is 345. What if the user types that with another id? That means he can delete another comment. I found some suggestions on how to solve this: make it with jQuery and JavaScript so the link wouldn't be shown, and make a POST with, for example, AJAX. But since I am a newbie, I am thinking about how much time this would take and whether it is a good approach at all. Could the package Sentry from question 1 help me with the permission on which route each group can access?

Any help or advice would be appreciated.

enigmaticus
  • No one responded to your 2nd question, so I am leaving a comment. Can a user take an action which he wasn't supposed to? __Yes he can__. You need to check the permissions on the server side to see whether he is authorised or not. Sentry's docs are very explanatory on this, so I don't think you will feel any difficulty here. – itachi Oct 30 '14 at 12:56

2 Answers


Sentry does what you want, yes. Here's a question with some answers explaining the permissions part.

The visible link part can be avoided by doing a POST request instead of a GET request.

When you open your form, you add a method attribute.

Form::open(array('url' => 'foo/bar', 'method' => 'post'))

A GET request will put the parameters in the URL, hence the visible ID. Using a POST request will put the parameters in the headers, thus hiding it from the URL.

An example could be deleting a comment. A GET request could look like this:

http://www.example.com/comments/delete/1

And the parameters would be defined in your method signature:

// GET /comments/delete/{id}: the id is taken from the URL segment
public function getDelete($id) {
    Comment::find($id)->delete();
}

Where the POST equivalent would be

http://www.example.com/comments/delete

And the parameters would be defined in your Input class, you would get them using the get method

// POST /comments/delete: the id is read from the request body instead
public function postDelete() {
    Comment::find(Input::get('id'))->delete();
}
Patrick Reck
  • Thank you very much, I already saw the post you linked here. :) Could you be more specific with POST and GET? Am I missing something, since I see the link anyway? – enigmaticus Oct 30 '14 at 10:46
  • Because I know that it works, for example, like this: then the link is not shown in the bar in the bottom left corner of the browser, but the user can inspect the element. I know I can also manage this with a jQuery event, but I'm not sure how you mean this with POST. – enigmaticus Oct 30 '14 at 10:47


1) The best package to help you with that is Sentry indeed.

2) To make sure a user can delete only his own comments you can do something like this (but there are more solutions, whether you do it with Ajax or not):

public function destroy($id) {
    $user = Sentry::getUser();
    $comment = Comment::find($id);
    if ($comment) {
        // Refuse unless the logged-in user owns the comment
        if ($comment->user_id != $user->id) {
            return Redirect::back(); // optional message: Permission denied!
        }
        $comment->delete();
        return Redirect::back(); // optional with message: Deleted!
    }
    return Redirect::back(); // optional message: Comment not found!
}

You can use Sentry in this case to get the logged-in user and check the user id. I think you should always let users delete their own comments, but if you need special roles (Admins, for example) to be able to delete any comment, or a special permission comments.delete (for some Managers), you can use Sentry as well:

public function destroy($id) {
    $user = Sentry::getUser();
    $comment = Comment::find($id);
    if ($comment) {
        // Sentry 2 models roles as groups (inGroup) and permissions via hasAccess;
        // allow the owner, anyone in the Admin group, or anyone with comments.delete
        if ($comment->user_id != $user->id
            && !$user->inGroup(Sentry::findGroupByName('Admin'))
            && !$user->hasAccess('comments.delete')) {
            return Redirect::back(); // optional message: Permission denied!
        }
        $comment->delete();
        return Redirect::back(); // optional with message: Deleted!
    }
    return Redirect::back(); // optional message: Comment not found!
}

A nicer way of making the DELETE through a form request, check this: Laravel RESTfull deleting

mvpasarel
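Added example (not from the question or either answer) tying both answers together for Laravel 4 with Sentry 2: the form sends a DELETE request carrying the CSRF token, and the controller re-checks ownership, group and permission on the server, so editing the id in the URL or in the form changes nothing. CommentsController, an existing Admin group (findGroupByName throws if it is missing) and the comments.delete permission are assumed names.

```php
<?php
// Added example, not code from the question or answers: Laravel 4 + Sentry 2.
// The delete is sent as a DELETE request carrying the CSRF token, and the
// controller re-checks on the server who may delete which comment.
// CommentsController, the Admin group and 'comments.delete' are assumed names.

// app/routes.php
Route::filter('sentry.auth', function () {
    // Unauthenticated users never reach the controller.
    if (!Sentry::check()) {
        return Redirect::guest('login');
    }
});

// 'csrf' is the filter Laravel 4 ships in app/filters.php (Session::token()
// must match the _token field); the id in the URL is not a secret.
Route::delete('comments/{id}', array(
    'before' => 'sentry.auth|csrf',
    'uses'   => 'CommentsController@destroy',
));

// Blade view; Form::open() with method DELETE emits the hidden _method/_token fields:
//   {{ Form::open(array('url' => 'comments/' . $comment->id, 'method' => 'DELETE')) }}
//   {{ Form::submit('Delete') }} {{ Form::close() }}

// app/controllers/CommentsController.php
class CommentsController extends BaseController
{
    public function destroy($id)
    {
        $user    = Sentry::getUser();
        $comment = Comment::find($id);
        if (!$comment) {
            return Redirect::back()->with('message', 'Comment not found.');
        }
        // Allowed: the owner, any member of the Admin group, or anyone holding
        // the comments.delete permission. Changing the id in the URL or the
        // form gets a user past none of these checks.
        $allowed = $comment->user_id == $user->id
            || $user->inGroup(Sentry::findGroupByName('Admin'))
            || $user->hasAccess('comments.delete');
        if (!$allowed) {
            return Redirect::back()->with('message', 'Permission denied.');
        }
        $comment->delete();
        return Redirect::back()->with('message', 'Deleted.');
    }
}
```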