Whoops. I re-read the post and my brain completely misinterpreted what was wanted.
Can you show us the associated code? afaik when you redirect it will go through the auth filter just the same. A Redirect sends a 302 (or 303) to the browser with the new URL, so it will still go through the router and filter layers as normal with the newly authed user.
This is the login part:

    if(Auth::attempt(["username" => Input::get("username"), "password" => Input::get("password")])){
        if(Auth::user()->activated)
            return Redirect::intended('main');
        else{
            Auth::logout();
            return Redirect::back()->with("message", "Your account is not activated!");
        }
    }else{
        return Redirect::back()->with("message", "Invalid credentials. Please try again!");
    }

These are my routes:

    Route::when('admin/*', 'admin');
    Route::group(["before" => "auth"], function(){
        Route::get("/admin/", ["uses" => "AdminController@overview"]);
        Route::get("/admin/overview", ["uses" => "AdminController@overview"]);
        Route::get("/admin/users/all", ["uses" => "AdminController@usersAll"]);
        Route::get("/admin/users/banned", ["uses" => "AdminController@usersBanned"]);
        Route::get("/admin/users/{id}/edit", ["uses" => "AdminController@getEditUser"]);
        Route::get("/admin/user/add", ["uses" => "AdminController@getNewUser"]);
        Route::get("/admin/posts/all", ["uses" => "AdminController@getPosts"]);
        Route::get("/admin/posts/drafts", ["uses" => "AdminController@getDrafts"]);
        Route::get("/admin/posts/add", ["uses" => "AdminController@getPostNew"]);
        Route::get("/admin/posts/edit/{id}", ["uses" => "AdminController@getPostEdit"]);
    });

And this is my filter:

    Route::filter('admin', function()
    {
        if(!Auth::user()->isAdmin()){
            return Redirect::to("/");
        }
    });

So when I log in as a normal user and then try to visit a protected route, I get redirected properly. But if I try to visit protected routes while I'm not logged in, I get redirected to the login route as I should, but when I then log in as a normal user I can still see the protected route which I intended to visit.
Nothing is immediately popping out at me as incorrect with this code. It should work just fine.
The redirector is sending a redirect with a 302 status. So it should run through a whole new request cycle.
I solved it. Instead of protecting admin routes like this:

    Route::when('admin/*', 'admin');

I protected them like this:

    Route::group(["before" => "auth|admin"], function(){
        // routes
    });
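
The fix from the last post, written out as an added example (not code posted in the thread): the `admin` filter is attached to the same group as `auth`, runs after it, and also refuses to call `isAdmin()` when no user is logged in. It assumes Laravel 4 route filters, the poster's `isAdmin()` method on the user model, and a hypothetical `login` URL.

```php
<?php
// Added example, not code from the thread. Assumes Laravel 4 route filters,
// the poster's isAdmin() method on the user model, and a "login" URL
// (hypothetical; use the application's real login route).

// app/filters.php
Route::filter('admin', function()
{
    // Fail closed if this filter ever runs without "auth" in front of it:
    // Auth::user() is null for a guest, so never call isAdmin() on it.
    if (Auth::guest()) {
        return Redirect::guest('login');
    }

    // Authenticated but not an administrator: refuse the request.
    if (!Auth::user()->isAdmin()) {
        return Redirect::to('/');
    }
});

// app/routes.php
// Filters in a "before" chain run left to right, so "auth" authenticates
// first and "admin" authorizes second, on every route in the group.
Route::group(["prefix" => "admin", "before" => "auth|admin"], function()
{
    Route::get("/", ["uses" => "AdminController@overview"]);
    Route::get("overview", ["uses" => "AdminController@overview"]);
    Route::get("users/all", ["uses" => "AdminController@usersAll"]);
    Route::get("posts/all", ["uses" => "AdminController@getPosts"]);
    // ... remaining admin routes from the thread
});
```

After login, `Redirect::intended('main')` sends the browser back to the stored admin URL, where both filters run again on that new request, so a non-admin is turned away there.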