
Laravel 5.0 multiauth

I have an application which has two parts: a back-end and a front-end. In the back-end the admin can log in, and in the front-end the client can log in. This has now been implemented. All of the application's queries are done by the logged-in user id, in both the admin and client ends.

Now my app needs a functionality where the admin can view client data the same way the client sees their profile. There are a lot of things in the client end. I can use Auth::loginUsingId($client_id). Here the client profile is shown perfectly, but the admin login session is lost, as expected.

How can I achieve this while the admin login remains, so the admin can see the client's full data?

Let me introduce the simplest way to have login-as-client functionality. First, define the asuser and returnback routes.

Routes and actions

Route::get('/asuser/{user}', 'AdminController@asuser')
        ->where('user', '[0-9]+')
        ->name('asuser');
Route::get('/returnback', 'ClientController@returnback')
        ->name('returnback');

In admin's controller:

// requires: use App\User; use Illuminate\Http\Request; use Illuminate\Support\Facades\Auth;
public function asuser(User $client, Request $request) {
    /* insert checking if user has right either here with some field
     * like $user->is_admin or using middleware settings and Policy
     */
    // who the user is (Auth::id() returns the authenticated id; getId() does not exist on the default User model)
    $fromId = Auth::id();

    // logging in as the client
    Auth::login($client, true);

    // but keeping the admin in the session
    $request->session()->put('adm_id', $fromId);

    return redirect()->route('some-client-route')
                    ->with('status', 'You are logged in as a client');
}

And for returning back, in ClientController:

public function returnback(Request $request) {
    // the client the admin is currently acting as (useful for audit logging)
    $clientId = Auth::id();

    // getting the admin id (pull() also removes it from the session)
    $admId = $request->session()->pull('adm_id');
    $adminUser = $admId ? User::find($admId) : null;

    if (!$adminUser) {
        return redirect()->back()
                        ->with('status', 'Not allowed');
    }

    // logging out as the client and logging in as the admin
    Auth::logout();
    Auth::login($adminUser, true);

    return redirect()->route('some-admin-route')
                    ->with('status', 'Welcome back!');
}

Is it ready for production

No, it's not. That's not a great solution, it's just a glimpse of how to use it. Sessions have a lifetime, so if the admin doesn't return back within its lifetime, the session variables are lost and he becomes a client (if remember me = true, as in the code above). You can store the value not in a session but in a database column.

In addition, as t1gor mentioned, you must pay attention to the fact that you can't log the client's actions and send events while the admin is a client. That's the most serious problem of logging in as a client. Anyway, I suppose it is easier to solve that than to move all the auth logic out of the views.

Well, hope it is helpful.
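A hardened variant of the asuser/returnback pair from the answer above, added here as an example (not the answer's or Laravel's own code). It assumes an App\User model with a boolean `is_admin` column and the two routes from the answer pointing at this controller; it addresses the caveats the answer raises by refusing the switch to non-admins, skipping the "remember me" cookie for the client identity, and writing both ids to the log so actions can be traced to the real actor.

```php
<?php
// Added example, not the answer's or Laravel's own code. Assumes an App\User model
// with a boolean `is_admin` column and the asuser/returnback routes from the answer
// pointing at this controller.
namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class ImpersonationController extends Controller
{
    const SESSION_KEY = 'impersonator_id';

    // GET /asuser/{user}: become the client while remembering who the admin is.
    public function asuser(User $client, Request $request)
    {
        $admin = $request->user();
        // Only admins may impersonate, and never another admin (no privilege gain).
        if (!$admin || !$admin->is_admin || $client->is_admin) {
            abort(403);
        }
        // Audit trail: the real actor and the account they are switching into.
        Log::info('impersonation started', ['admin_id' => $admin->id, 'client_id' => $client->id]);
        // remember = false: no long-lived "remember me" cookie for the client identity,
        // so the admin is not left logged in as the client after the session expires.
        Auth::login($client, false);
        $request->session()->put(self::SESSION_KEY, $admin->id);

        return redirect()->route('some-client-route')
            ->with('status', 'You are logged in as a client');
    }

    // GET /returnback: drop the client identity and restore the admin.
    public function returnback(Request $request)
    {
        $adminId = $request->session()->pull(self::SESSION_KEY);
        $admin = $adminId ? User::find($adminId) : null;
        // Re-check the flag: the stored id is only as trustworthy as the session.
        if (!$admin || !$admin->is_admin) {
            return redirect()->back()->with('status', 'Not allowed');
        }
        Log::info('impersonation ended', ['admin_id' => $admin->id, 'client_id' => Auth::id()]);
        Auth::logout();
        Auth::login($admin, true);

        return redirect()->route('some-admin-route')->with('status', 'Welcome back!');
    }
}
```

Any logger or event listener in the client-facing code can read the session key to tell an impersonated request from a real client request, which is the gap the answer points out.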

I think a good way to manage client/user profiles is to implement a user management section in the back-end, where users and their profiles are displayed and edited.

Laravel does not provide mixed sessions. You can only be authenticated as one user at a time. If you really need this kind of functionality in Laravel 5.0, you could solve this by hackish user ping-pong (e.g. logging in temporarily as the client and switching back to admin right after).

But it seems like your problem is more Authorization-related (in contrast to Authentication). Laravel implemented an authorization layer in v5.1.11. Since v5.0 is not supported anymore, you should update regardless of this feature.

You can find more information about authorization in the official documentation: https://laravel.com/docs/5.1/authorization

I would rather suggest you separate the view logic (e.g. business logic) into some common layer rather than doing a "login-as-client" functionality. Even though it looks like a short-cut, you'll have a whole lot of things to think about.

For instance, how do you log application events now? Add a check everywhere that the session has an adm_id and log it instead of the userId? This is just one example.

What I would have done:

  1. Separate the view (e.g. user profiles, user content, etc.) from the session so that it is accessed by the ID in the URL or some other method, not by the currently logged-in user id.

  2. Implement a proper role-based ACL. There are plenty of packages already. In your example, you would have an admin role and a client role, both having the permission object view-client-profile, for instance.

In the end, this might take a lot more time for development, but would definitely save you some time debugging/troubleshooting with the angry client on the phone. Hope that helps.
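The alternative recommended in the two answers above (select the profile by the id in the URL, then authorize with the Laravel 5.1.11+ policy layer instead of switching identities), as an added example that is not part of either answer or of Laravel itself. It assumes an App\User model with a boolean `is_admin` column, a route Route::get('/profile/{user}', 'ProfileController@show'), and the AuthorizesRequests trait on the base Controller.

```php
<?php
// Added example, not from the answers or Laravel itself. Assumes Laravel 5.1.11+,
// an App\User model with a boolean `is_admin` column, and a route
// Route::get('/profile/{user}', 'ProfileController@show'), so the profile shown is
// selected by the id in the URL rather than by the logged-in user's id.
namespace App\Policies {
    use App\User;

    class UserPolicy
    {
        // Own profile, or any profile for an admin. One rule serves both roles,
        // so the admin never has to switch identities to view client data.
        public function view(User $viewer, User $profile)
        {
            return $viewer->is_admin || $viewer->id === $profile->id;
        }

        // Editing stays with the owner; admins get read-only access here.
        public function update(User $viewer, User $profile)
        {
            return $viewer->id === $profile->id;
        }
    }
}

namespace App\Http\Controllers {
    use App\User;

    // Register the policy in AuthServiceProvider:
    //   protected $policies = [User::class => \App\Policies\UserPolicy::class];
    class ProfileController extends Controller
    {
        public function show(User $user)
        {
            // Throws AuthorizationException (HTTP 403) unless UserPolicy::view allows it.
            $this->authorize('view', $user);

            // Queries use $user->id from the route, never Auth::id(), so the view is
            // the same for client and admin while Auth::user() still names the real actor.
            return view('profile.show', ['profile' => $user]);
        }
    }
}
```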

I think middleware is the best possible option to filter the content between the admin and the normal user, because the code in the middleware runs before any function call.

You only need to set the usertype in the session and filter accordingly.

Visit: https://laravel.com/docs/5.4/middleware
