Authentication Security Validation
Last updated 4 months ago.

Whoops. I re-read the post and my brain completely mis-interpreted what was wanted.

Can you show us the associated code? AFAIK, when you redirect it will go through the auth filter just the same. A Redirect sends a 302 (or 303) to the browser with the new URL, so it will still go through the router and filter layers as normal with the newly authed user.


This is login part:

// Login action (inside a controller method): check the credentials, then
// require an activated account before honouring the originally requested URL.
if (Auth::attempt(["username" => Input::get("username"), "password" => Input::get("password")])) {
    if (Auth::user()->activated) {
        return Redirect::intended('main');
    } else {
        // Log the user straight back out so the session never stays
        // authenticated for an account that has not been activated.
        Auth::logout();
        return Redirect::back()->with("message", "Your account is not activated!");
    }
} else {
    return Redirect::back()->with("message", "Invalid credentials. Please try again!");
}

These are my routes:

Route::when('admin/*', 'admin');

Route::group(["before" => "auth"], function(){
	Route::get("/admin/", ["uses" => "[email protected]"]);
	Route::get("/admin/overview", ["uses" => "[email protected]"]);
	Route::get("/admin/users/all", ["uses" => "[email protected]"]);
	Route::get("/admin/users/banned", ["uses" => "[email protected]"]);
	Route::get("/admin/users/{id}/edit", ["uses" => "[email protected]"]);
	Route::get("/admin/user/add", ["uses" => "[email protected]"]);
	Route::get("/admin/posts/all", ["uses" => "[email protected]"]);
	Route::get("/admin/posts/drafts", ["uses" => "[email protected]"]);
	Route::get("/admin/posts/add", ["uses" => "[email protected]"]);
	Route::get("/admin/posts/edit/{id}", ["uses" => "[email protected]"]);
});

And this is my filter:

Route::filter('admin', function()
{
    // Auth::user() is null for a guest, so test for that first: otherwise the
    // filter dies with a "method on null" error instead of redirecting whenever
    // it runs on a request that has not already passed the 'auth' filter.
    if (Auth::guest() || !Auth::user()->isAdmin()) {
        return Redirect::to("/");
    }
});

So when I log in as a normal user and then try to visit a protected route, I get redirected properly. But if I try to visit a protected route while I'm not logged in, I get redirected to the login route as I should; however, when I then log in as a normal user I can still see the protected route I intended to visit.


Nothing is immediately popping out at me as incorrect with this code. It should work just fine.

The redirector is sending a redirect with a 302 status. So it should run through a whole new request cycle.


I solved it. Instead of protecting admin routes like this:

Route::when('admin/*', 'admin');

I protected them like this:

Route::group(["before" => "auth|admin"], function(){
    // routes
});
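Added example (not code from this thread and not Laravel's own source): one way to lay out the filters for Laravel 4 so that the "auth|admin" fix above covers every admin route, including the index, and so the admin filter fails closed on a guest instead of crashing. It assumes a User model with an isAdmin() method, a login page at the path 'login', and a placeholder controller name 'AdminController' standing in for the controller names that did not survive in the thread.

```php
<?php
// Added example, not the original poster's code. Assumptions: User::isAdmin()
// exists, a 'login' path exists, and 'AdminController' is a placeholder name.

// The 'auth' filter as shipped in Laravel 4's app/filters.php: a guest is sent
// to the login page and the URL they asked for is stored in the session, which
// is what Redirect::intended() in the login action later reads back.
Route::filter('auth', function()
{
    if (Auth::guest()) return Redirect::guest('login');
});

// The 'admin' filter. Chained as "auth|admin" it only runs after 'auth' has
// passed, but it still guards against a missing user so that it redirects
// (fails closed) rather than throwing a "method on null" error if it is ever
// attached on its own, for example through Route::when().
Route::filter('admin', function()
{
    if (Auth::guest() || ! Auth::user()->isAdmin()) {
        return Redirect::to('/');
    }
});

// Every admin route goes through both filters, in that order, including the
// index route. A pattern filter such as Route::when('admin/*', 'admin') is
// matched with str_is() against Request::path(), and 'admin/*' does not match
// the path 'admin' itself, so the index would be left unguarded by the
// pattern; attaching the filters to the group closes that gap.
Route::group(['prefix' => 'admin', 'before' => 'auth|admin'], function()
{
    Route::get('/', ['uses' => 'AdminController@index']);
    Route::get('overview', ['uses' => 'AdminController@overview']);
    Route::get('users/{id}/edit', ['uses' => 'AdminController@editUser'])
        ->where('id', '[0-9]+');
});
```

The order inside the "auth|admin" string matters: 'auth' runs first, so by the time 'admin' calls Auth::user() there is always a user, and a guest who was bounced to the login page and then logs in as a non-admin is stopped by 'admin' on the redirected request rather than landing on the page they originally asked for.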

alenn-m Joined 5 Mar 2014