
Most effective way of protecting a view in Laravel 4.2?

Edit:

So, it seems the question was a bit confused regarding authentication and password. I'll clarify it.

In my app, any authenticated user may create a team and be its captain. But during that process they're prompted to define a team-password that must be used to EDIT the team's information, such as avatar, e-mail, members, etc.

Therefore, I need to make the edition view accessible ONLY to the captain of that team and IF he has the correct team-password. What I meant about "authenticating" is checking both if that user is the captain and if the team-password is the team's password ($team->password) in the database. This has nothing to do with Sentry-authenticated users. Sorry about that.

Hence, I need to protect that team's edition from any other user that may try to access it. Hope it's clear now.

Main Question:

I have a view that is supposed to be seen only by a specific user and only if he enters the correct password (as in a personal info edit page or something like that). Therefore, that view needs to be protected from malicious attacks even though its route is set to GET.

I've tried two ways of doing that but none worked.

  1. Set a GET route that shows an authentication page. Set a POST route with the same URL that displays the view after authenticating the user. (DID NOT WORK: couldn't figure out how to redirect users to the POST route again so they don't have to auth every time they change a piece of info.)
  2. Authenticating the user through the view. That is, using an @if clause to display the view only if this is the right user. (DID NOT WORK: the password needs to be sent through a form. It's not the user's password, so I can't access it via Auth::User() or Sentry::getUser() inside the view.)

So my question is: is there a simpler way of accomplishing that? What is the most used or best way of doing it? It's my first real app using Laravel so I'm not experienced with these things yet.

Thanks in advance!

i remember your last question but since you didn't give the update, i also couldn't post anything. Nonetheless, you are making it more complicated than it is.

Route.php

Route::get('login', 'LoginController@getLogin');
Route::post('login', 'LoginController@postLogin');
Route::group(['before' => 'authentication'], function(){
    Route::get('profile', 'ProfileController@profile');
    //All protected routes here
});

what i did here is, i create a filter authentication which will be run against all the routes inside the group.

now, let's define the filter.

Route::filter('authentication', function()
{
    if ( ! Sentry::check())
    {
        return Redirect::action('LoginController@getLogin');
    }
});

this is just a simple filter which will check if the user is logged in or not. If the user is not logged in, it will redirect the user to the login route where the form will be served.

Controller:

public function getLogin()
{
    if(Sentry::check())
    {
        return Redirect::action('ProfileController@profile');
    }

    return View::make('login');
}

public function postLogin()
{
    //put the validation rules here and validate. as far as i remember, you know how to do it.
    $validator = Validator::make(Input::only('email', 'password'), array(
        'email'    => 'required|email',
        'password' => 'required',
    ));

    if($validator->passes())
    {
        try
        {
            // Login credentials come from the submitted form, never hard-coded
            $credentials = array(
                'email'    => Input::get('email'),
                'password' => Input::get('password'),
            );

            // Authenticate the user (second argument false = no "remember me" cookie)
            $user = Sentry::authenticate($credentials, false);
            return Redirect::action('ProfileController@profile');
        }
        catch (Cartalyst\Sentry\Users\LoginRequiredException $e)
        {
            echo 'Login field is required.';
        }
        catch (Cartalyst\Sentry\Users\PasswordRequiredException $e)
        {
            echo 'Password field is required.';
        }
        catch (Cartalyst\Sentry\Users\WrongPasswordException $e)
        {
            echo 'Wrong password, try again.';
        }
        catch (Cartalyst\Sentry\Users\UserNotFoundException $e)
        {
            echo 'User was not found.';
        }
        catch (Cartalyst\Sentry\Users\UserNotActivatedException $e)
        {
            echo 'User is not activated.';
        }

        // The following is only required if the throttling is enabled
        catch (Cartalyst\Sentry\Throttling\UserSuspendedException $e)
        {
            echo 'User is suspended.';
        }
        catch (Cartalyst\Sentry\Throttling\UserBannedException $e)
        {
            echo 'User is banned.';
        }
    }

    // validation failed: send the user back to the form with the errors (password is not re-filled)
    return Redirect::back()->withErrors($validator)->withInput(Input::except('password'));
}

in the catch block, take the required action. eg if you want to redirect to the login form with the error, then add the error to the message bag (if you don't know how to, then click here for details) and redirect to the login form.

or, if it is an ajax data, you can return the errors as json and then parse them in client side while showing an error message on ajax failure.

if the user is not logged in, then accessing all those protected routes will evoke a redirect and the user will be redirected to the login form. After successful login, he will be redirected to his profile page. On the other hand, if a logged in user tries to go to the login form, then he will be redirected to the profile page because a logged in user should not see the login form.

update #1

it is easier than you think.

pseudocode.

  • 1st check if the user is logged in. if no then redirect him to login page.
  • 2nd, if he is logged in, when he goes for the url (the team's password page), check if he is a captain (database call). if no, then redirect him to some other page or show him a 403 forbidden page.
  • 3rd, if he is a captain, then show him the form. and set some session so that in subsequent calls, you can check authorization with reference to that token.
  • 4th, if authentication is correct, then take him to the editing page. else, take him to step 3, with the error message so that the person knows about making mistake in entering the password.
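The four steps above, worked through in Laravel 4.2 as an added example (this is not code from the answer or from the asker's project). It assumes a `Team` Eloquent model with a `captain_id` column and a `password` column stored with `Hash::make()`, that the route parameter `{team}` is the team id, and controller/view names of my own choosing; the session key is scoped to the team id so unlocking one team never unlocks another.

```php
<?php
// Added example: gate the team edit page behind (1) a Sentry login, (2) the captain
// check and (3) a per-team password that is verified once and remembered in the session.
// Assumed: Team model with `captain_id` and a hashed `password`; `{team}` is the team id.

// Steps 1 and 2: must be logged in, and must be this team's captain (database call).
Route::filter('team.captain', function ($route, $request) {
    if (! Sentry::check()) {
        return Redirect::action('LoginController@getLogin');
    }
    $team = Team::find($route->parameter('team'));
    if (! $team || $team->captain_id != Sentry::getUser()->id) {
        return Response::make('Forbidden', 403);
    }
});

// Steps 3 and 4: the edit page is only reachable once the team password was verified
// in this session; otherwise send the captain to the password form first.
Route::filter('team.unlocked', function ($route, $request) {
    $id = $route->parameter('team');
    if (! Session::get('team_unlocked_' . $id)) {
        return Redirect::action('TeamController@getPassword', array($id));
    }
});

Route::group(array('before' => 'team.captain'), function () {
    Route::get('team/{team}/password', 'TeamController@getPassword');
    Route::post('team/{team}/password', 'TeamController@postPassword');
    Route::get('team/{team}/edit', array('before' => 'team.unlocked', 'uses' => 'TeamController@edit'));
});

class TeamController extends BaseController {
    public function getPassword($id) {
        return View::make('team.password', array('team' => Team::findOrFail($id)));
    }

    public function postPassword($id) {
        $team = Team::findOrFail($id);
        // Verify against the stored bcrypt hash; the plaintext password is never stored or compared.
        if (! Hash::check(Input::get('password'), $team->password)) {
            return Redirect::back()->withErrors(array('password' => 'Wrong team password.'));
        }
        Session::put('team_unlocked_' . $team->id, true);   // remembered for subsequent edits
        return Redirect::action('TeamController@edit', array($team->id));
    }

    public function edit($id) {
        return View::make('team.edit', array('team' => Team::findOrFail($id)));
    }
}
```

When the captain changes the team password, call `Session::forget('team_unlocked_' . $team->id)` so the old unlock does not survive the change.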
