Authentication Security Eloquent

OK, so I'm looking to create a system with users and admins, who will be separate.

Ideally I don't want to create an admins table and a users table, just one unified users table.

In the table I will have a column called admin, which will be true/false.

Now, I know about query scopes, and I can create scopeAdmin() and scopeUser() functions easily, which will list them by type, and for the admin/user areas I can validate based on the admin column fine.

Now, this app is going to be open to plugins in the future, and I don't want sloppy plugins possibly listing admin users by using User::all();

Ideally admins should only ever be accessed if explicitly asked for, so all ORM methods should only list users who are not admins, unless the ->admin() scope is used.

Does that make sense?

I have a feeling it can be done with an observer, but that will still fetch the data from the DB before I filter it out again, which isn't very efficient.

Can I exclude rows by column value on any ORM query using Eloquent?

Or does anyone have a good solution for admin and user setups with Laravel?

PS. Sentry or packages aren't an option; personal goal to develop as much as I can as vanilla code.

Last updated 3 years ago.
0

I just do not understand why this needs to be so complex. Why can't you just add an isAdmin field, default it to false, and if you want to exclude admins from lists, User::where('isAdmin', false)->get();

Last updated 3 years ago.
0

You can use contexts for this. To cut this short, just check this out: http://culttt.com/2014/03/31/multi-tenancy-laravel-4/. Though I don't think this is the best implementation of this concept, it can still be useful and point you in the right direction.

Last updated 3 years ago.
0

Thanks Jarek,

Although it's not quite what I'm after, there are a few cues I can take from it.

If it was an app just for me I wouldn't worry about just adding an is_admin DB field and using this in every query.

The problem is that hopefully the system will be used by plugin developers, just like WordPress is, and I want to make it as simple for them as possible, while also making sure a simple thing like listing users excludes admins without the plugin author explicitly stating it, from a security point of view.

User::where('isAdmin', false)->get();

would work fine, but I want admins to be listed on an "explicitly requested" basis and not during normal user calls.

Thinking about it this way, is there a way within the model to always add a where clause to any call to the model?

Is there a build-query event or something like that?

Last updated 3 years ago.
0
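What the last post asks for ("always add a where clause to any call to the model") is what Eloquent calls a global scope. The following is an added example written for this thread, not code from the original post or from Laravel itself; it assumes Laravel 7+ (the `booted()` hook, `addGlobalScope`, the `Scope` interface), PHP 8, and a single `users` table with a boolean `is_admin` column. The class names `Account`, `User`, `Admin` and `RoleScope` are illustrative.

```php
<?php
// Added example, not code from this thread. Assumes Laravel 7+ Eloquent
// (booted(), addGlobalScope, the Scope interface), PHP 8 (constructor
// property promotion) and a `users` table with a boolean `is_admin` column.
// Class and column names are illustrative.

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
use Illuminate\Foundation\Auth\User as Authenticatable;

// Global scope: pins every query built from the model to one value of is_admin.
// The column is table-qualified so joins with other tables cannot make it ambiguous.
class RoleScope implements Scope
{
    public function __construct(private bool $admin)
    {
    }

    public function apply(Builder $builder, Model $model): void
    {
        $builder->where($model->getTable() . '.is_admin', $this->admin);
    }
}

// Shared base for the single `users` table. Never hand this class to plugins:
// it carries no scope, so it sees both kinds of account.
abstract class Account extends Authenticatable
{
    protected $table = 'users';

    protected $casts = ['is_admin' => 'boolean'];

    // is_admin is deliberately absent so User::create($request->all()) cannot flip it.
    protected $fillable = ['name', 'email', 'password'];
}

// The model plugins work with. all(), find(), where(), pagination, relationships
// and the Eloquent auth provider all go through newQuery(), so they all carry
// `where users.is_admin = 0` unless the scope is removed on purpose.
class User extends Account
{
    protected static function booted(): void
    {
        static::addGlobalScope('role', new RoleScope(admin: false));
    }

    // The explicit opt-in the question asks for: User::admins()->get()
    // lists admins, and only admins.
    public function scopeAdmins(Builder $query): Builder
    {
        return $query->withoutGlobalScope('role')->where('is_admin', true);
    }
}

// Used only by the admin area and its own auth guard (see note below).
class Admin extends Account
{
    protected static function booted(): void
    {
        static::addGlobalScope('role', new RoleScope(admin: true));
    }
}
```

With this in place `User::all()`, `User::find($id)` and even `User::where('is_admin', true)->get()` return no admin rows (the last one returns nothing at all, because the global scope's `is_admin = 0` is ANDed onto it), and the filter happens in SQL rather than after the fetch, which addresses the efficiency worry about observers. Two consequences to plan for. First, Laravel's Eloquent user provider also builds its lookups through `newQuery()`, so an admin can no longer be loaded from the session through the `User` model; give the admin area its own guard in `config/auth.php` whose provider points at `App\Models\Admin`, with both providers reading the same table. Second, the scope is a safe default, not a hard boundary: `DB::table('users')` bypasses Eloquent entirely, and `User::withoutGlobalScope('role')` remains callable from any code, so a plugin that wants admins has to ask for them by name, which is exactly the "explicitly requested" behaviour the question describes, but a plugin you do not trust still needs review of its queries.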

Posted by leemason (joined 4 Feb 2014)