
How to restrict a user to only see their own profile

I have a view (resources/view/front/auth/profile.blade.php) and my route in web.php is:

Route::get('/profile/{user}','UserController@edit')
    ->name('profile')
    ->middleware('profilecheck');

My problem is that when a user logs in and gets redirected to their own profile page (http://exmaple.com/profile/2), he/she can change the URL to http://exmaple.com/profile/3 and see other users' profiles.

I want to use a middleware to check the authenticated user's id against the URL parameter {user}. The $user->id will be passed to {user}, but I have no idea how.

Middleware UserProfile.php:

<?php

namespace App\Http\Middleware;

use App\User;
use Closure;

class UserProfile
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // $request->user()->id
        // Auth::user()->id

        return $next($request);

    }
}
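
A middleware that performs the check the question asks for, added here as an example (it is not code from the question or from any of the answers). It assumes the route stays as /profile/{user}, that the user model is App\User as in the question, and that the 'profilecheck' alias is registered in app/Http/Kernel.php.

```php
<?php

namespace App\Http\Middleware;

use App\User;
use Closure;
use Illuminate\Http\Request;

class UserProfile
{
    /**
     * Let the request through only when the {user} route parameter refers
     * to the currently authenticated user.
     *
     * Assumed registration in app/Http/Kernel.php ($routeMiddleware):
     *   'profilecheck' => \App\Http\Middleware\UserProfile::class,
     * so that ->middleware('profilecheck') on the route resolves to this class.
     */
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Anonymous visitor: send to the login page instead of a 403.
        if ($user === null) {
            return redirect()->route('login');
        }

        // {user} arrives either as the raw id from the URL ("2") or, when
        // implicit route model binding has already run, as an App\User
        // instance; normalise both to an integer id.
        $param = $request->route('user');
        $requestedId = $param instanceof User ? (int) $param->id : (int) $param;

        // Compare against the session's user, never against anything the
        // client sent: the URL is under the visitor's control, the session is not.
        if ($requestedId !== (int) $user->id) {
            abort(403, 'You may only view your own profile.');
        }

        return $next($request);
    }
}
```

Because the comparison uses the authenticated user's id from the session, changing the number in the URL yields a 403 rather than another user's profile.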

You can protect the route simply by removing the user id from the URL and getting it through the authentication session instead.

So, your route signature should go from:

Route::get('/profile/{user}', 'UserController@edit')->name('profile');

To this:

Route::get('/profile', 'UserController@edit')->name('profile');

So, in your controller, instead of getting the user id from the request:

use App\User;
use Illuminate\Http\Request;

public function edit(Request $request)
{
    // Looks up whatever id the client put in the {user} route parameter.
    $user = User::findOrFail($request->route('user'));
    // ...
}

You could get the logged-in User through the Auth facade:

use Illuminate\Support\Facades\Auth;

public function edit(Request $request)
{
    $user = Auth::user();
    // ...
}

or just the auth() helper:

public function edit(Request $request)
{
    $user = auth()->user();
    // ...
}

This way, you are masking the URL to prevent a malicious user from doing things that he/she shouldn't.

You need to do something like this.

Your route

Route::get('/profile', [
    'uses' => 'UserController@profile',
    'middleware' => 'profilecheck'
]);

Your middleware

namespace App\Http\Middleware;

use Closure;

class CheckUserMiddleware
{
    public function handle($request, Closure $next)
    {
        // Send anonymous visitors to the login page.
        if (!auth()->user()) {
            return redirect()->route('login');
        }

        return $next($request);
    }
}
// Controller
use Illuminate\Support\Facades\Auth;
use Brian2694\Toastr\Facades\Toastr; // assumes the brian2694/laravel-toastr package

public function index()
{
    // Only users whose role id is 2 may open the settings page.
    if (Auth::check() && Auth::user()->role->id == 2) {
        return view('author.setting.settings');
    } else {
        Toastr::info('you are not authorized to access', 'Info');
        return redirect()->route('login');
    }
}

// Route 
Route::group(['as' => 'user.', 'prefix' => 'user', 'namespace' => 'Author', 'middleware' => ['auth', 'user']], function () {

    Route::get('/setting', 'SettingsController@index')->name('settings.settings');

});

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
