Support the ongoing development of Laravel.io →
alenn-m
posted 10 years ago
Authentication Security Validation
Last updated 1 year ago.
0
garbee
replied 10 years ago

Whoops. I re-read the post and my brain completely mis-interpreted what was wanted.

Can you show us the associated code? afaik when you redirect it will go through the auth filter just the same. A Redirect sends a 302 (or 303) to the browser with the new URL, so it will still go through the router and filter layers as normal with the newly authed user.

Last updated 1 year ago.
0
alenn-m
replied 10 years ago

This is login part:

if(Auth::attempt(["username" => Input::get("username"), "password" => Input::get("password")])){
			if(Auth::user()->activated)
				return Redirect::intended('main');
			else{
				Auth::logout();
				return Redirect::back()->with("message", "Your account is not activated!");
			}
		}else{
			return Redirect::back()->with("message", "Invalid credentials. Please try again!");
		}

These are my routes:

Route::when('admin/*', 'admin');

Route::group(["before" => "auth"], function(){
	Route::get("/admin/", ["uses" => "AdminController@overview"]);
	Route::get("/admin/overview", ["uses" => "AdminController@overview"]);
	Route::get("/admin/users/all", ["uses" => "AdminController@usersAll"]);
	Route::get("/admin/users/banned", ["uses" => "AdminController@usersBanned"]);
	Route::get("/admin/users/{id}/edit", ["uses" => "AdminController@getEditUser"]);
	Route::get("/admin/user/add", ["uses" => "AdminController@getNewUser"]);
	Route::get("/admin/posts/all", ["uses" => "AdminController@getPosts"]);
	Route::get("/admin/posts/drafts", ["uses" => "AdminController@getDrafts"]);
	Route::get("/admin/posts/add", ["uses" => "AdminController@getPostNew"]);
	Route::get("/admin/posts/edit/{id}", ["uses" => "AdminController@getPostEdit"]);
});

And this is my filter:

Route::filter('admin', function()
{
    if(!Auth::user()->isAdmin()){
        return Redirect::to("/");
    }
});

So when I log in as normal user and then I try to visit protected route then I get redirected properly. But if I try to visit protected routes while I'm not logged in I get redirected to login route as I should, but when I log in as a normal user I still can see protected route which I intended to visit.

Last updated 1 year ago.
0
garbee
replied 10 years ago

Nothing is immediately popping out at me as incorrect with this code. It should work just fine.

The redirector is sending a redirect with a 302 status. So it should run through a whole new request cycle.

Last updated 1 year ago.
0
alenn-m
replied 10 years ago
Solution

I solved it. Instead of protecting admin routes like this:

Route::when('admin/*', 'admin');

I protected them like this:

Route::group(["before" => "auth|admin"], function(){
// routes
Last updated 1 year ago.
0

Sign in to participate in this thread!

Eventy

Your banner here too?

alenn-m alenn-m Joined 5 Mar 2014

Moderators

We'd like to thank these amazing companies for supporting us

Eventy
Fathom
Forge
Envoyer
Beyond Code
Skynet Technologies
Steadfast Collective
BairesDev
Remotely Works

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

Laravel.io

Forum Articles Pastebin

Socials

X Twitter GitHub

The community

Laravel Laravel Laravel News Laravel News
Laracasts Laracasts Laravel Podcast Laravel Podcast
© 2024 Laravel.io - All rights reserved.
Terms of service Privacy policy Advertise