Just for completeness, the other options not mentioned are to apply the policies to the route using the 'can' middleware (my preferred approach), or through the authorize method of a custom request class (very useful if you need to reference related models present in request input params).
I used this one before, it's very clean and useful 👍
Thank you so much for the on-spot video. I used a trait because sometimes, if I forgot to add the authorize method in any controller, it would be a security issue; by using a trait I don't need to manually apply the authorize to each function.
This should be used in conjunction with UUIDs instead of auto-incrementing integers. Especially useful if you do not want to loosely disclose a value like how many users you have in the URL; additionally, having /profile/{uuid} instead of /profile/{id} prevents easily-accessible web scraping.
Possibly, in a highly strange scenario where you cannot additionally protect the ID on the backend (as it is coming from an external system and you cannot validate whether the user is the owner), you could possibly pass the ID to the frontend through the crypt() method. That way it might be impossible to tamper with. Overall - great video.
If you have a very large table, searching by UUID becomes slow, so you'll need to create an index for that, which can take space.
Policies are a way better approach if you ask me.. if you want to pass a custom message you can use the auth Response facade using the allow() or deny() method, which takes an optional message and code parameter. With that you can pass any message or HTTP code.
If you also want admins to be able to override those permissions, you can then use a function called "before", which would become the first function for that policy.
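The policy approach the two comments above describe (the 'can' route middleware, Response::allow()/deny() with a message and code, and a before() method that lets admins through), written out as an added example rather than code from the video or the commenters. The Task and User models, the created_by_id column and the is_admin flag are assumed names; three files are shown in one block, separated by path comments.

```php
<?php
// app/Policies/TaskPolicy.php
// Added example (not from the video or the comments). Laravel auto-discovers
// App\Policies\TaskPolicy for App\Models\Task, so no manual registration is needed.

namespace App\Policies;

use App\Models\Task;
use App\Models\User;
use Illuminate\Auth\Access\Response;

class TaskPolicy
{
    // Runs before every ability on this policy. Returning true short-circuits to
    // "allowed" (the admin override); returning null falls through to the
    // ability method. Never return false here unless you mean to deny everyone.
    public function before(User $user, string $ability): ?bool
    {
        return $user->is_admin ? true : null;   // is_admin is an assumed column
    }

    public function view(User $user, Task $task): Response
    {
        return $user->id === $task->created_by_id
            ? Response::allow()
            : Response::deny('You do not own this task.', 403);
    }

    public function update(User $user, Task $task): Response
    {
        return $user->id === $task->created_by_id
            ? Response::allow()
            : Response::deny('Only the creator may edit this task.');
    }
}

// routes/web.php
// The 'can' middleware authorizes before the controller runs. The second
// argument names the route parameter, so the policy receives the bound model.

use App\Http\Controllers\TaskController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->group(function () {
    Route::get('/tasks/{task}', [TaskController::class, 'show'])
        ->middleware('can:view,task');
    Route::put('/tasks/{task}', [TaskController::class, 'update'])
        ->middleware('can:update,task');
});

// app/Http/Controllers/TaskController.php
// With the check on the route, the controller contains no ownership logic at
// all, which is what prevents the "forgot to authorize one action" mistake.

namespace App\Http\Controllers;

use App\Models\Task;
use Illuminate\Http\Request;

class TaskController extends Controller
{
    public function show(Task $task)
    {
        return view('tasks.show', compact('task'));
    }

    public function update(Request $request, Task $task)
    {
        $task->update($request->validate(['title' => ['required', 'string', 'max:255']]));

        return redirect()->route('tasks.show', $task);
    }
}
```

Response::deny() with a message and code gives the user a 403 whose message is what the policy returned; the before() hook keeps the admin override in one place instead of repeating `|| $user->is_admin` in every ability method.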
Just what I was looking for. Thank you for the great content you provide.
Great tutorial ... agree that Unauthorized is more clear for the end user
You are a life saver! Thank you so much!
Very good video. Now I understand how to use Policy, thanks 👍
Phenomenal! I use permissions and if auth user myself
How would you do this in a livewire component? For example, user could change the id by dev tools from wire:click(edit(1)) to wire:click(edit(2))
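For the Livewire question above, an added example (not code from the video or the comment) of a component that re-authorizes the id the browser sends: every argument of a public Livewire action, such as `wire:click="edit(2)"`, is client-controlled, so the ownership check has to run inside the action. It assumes a Task model with a title column, a TaskPolicy with an update() method, and the Livewire 2 namespace App\Http\Livewire; the AuthorizesRequests trait is imported explicitly so `$this->authorize()` is available regardless of the Livewire version.

```php
<?php
// app/Http/Livewire/TaskEditor.php
// Added example, not the video's or the commenter's code.

namespace App\Http\Livewire;

use App\Models\Task;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

class TaskEditor extends Component
{
    use AuthorizesRequests;

    public ?int $editingId = null;   // public properties are client-controlled too
    public string $title = '';

    // Called from the browser as wire:click="edit({{ $task->id }})". The id can
    // be edited in dev tools, so it is treated as untrusted input.
    public function edit(int $id): void
    {
        $task = Task::findOrFail($id);       // 404 if the id does not exist
        $this->authorize('update', $task);   // 403 unless TaskPolicy@update allows it

        $this->editingId = $task->id;
        $this->title = $task->title;
    }

    public function save(): void
    {
        // Re-check on every round trip: $editingId may have been changed since edit() ran.
        $task = Task::findOrFail($this->editingId);
        $this->authorize('update', $task);

        $this->validate(['title' => ['required', 'string', 'max:255']]);
        $task->update(['title' => $this->title]);
        $this->editingId = null;
    }

    public function render()
    {
        return view('livewire.task-editor', [
            'tasks' => Task::where('created_by_id', auth()->id())->get(),
        ]);
    }
}
```

The same rule applies to any public property the view binds with wire:model: authorize against the model the value refers to at the moment you act on it, not at the moment it was set.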
I want to add one more cool way that I prefer. Use authorize method in requests: return $this->user()->can('view', $this->task);
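The form-request variant from the comment above, with the extra case the earlier comment mentioned (a related model that is only referenced by an input parameter), as an added example rather than the video's or the commenters' code. It assumes Task and Project models, a TaskPolicy and a ProjectPolicy each with an update() ability, and a route declared as /tasks/{task} so the bound model is available through `$this->route('task')` (or, equivalently, `$this->task`).

```php
<?php
// app/Http/Requests/UpdateTaskRequest.php
// Added example, not code from the video. authorize() runs before rules(), and
// returning false produces a 403 without the controller method ever executing.

namespace App\Http\Requests;

use App\Models\Project;
use Illuminate\Foundation\Http\FormRequest;

class UpdateTaskRequest extends FormRequest
{
    public function authorize(): bool
    {
        $user = $this->user();
        $task = $this->route('task');   // Task bound from /tasks/{task}

        // Same check as $this->user()->can('view', $this->task) in the comment,
        // for the update ability.
        if (! $user->can('update', $task)) {
            return false;
        }

        // Related model present only as an input parameter: if the request moves
        // the task into another project, the user must also own that project.
        // Treat an unknown project_id as a denial rather than letting validation
        // leak whether the id exists.
        if ($this->filled('project_id')) {
            $project = Project::find($this->input('project_id'));

            return $project !== null && $user->can('update', $project);
        }

        return true;
    }

    public function rules(): array
    {
        return [
            'title'      => ['required', 'string', 'max:255'],
            'project_id' => ['sometimes', 'integer'],
        ];
    }
}

// app/Http/Controllers/TaskController.php (the matching action)
// Type-hinting the request is what triggers authorize(); a plain Request here
// would silently skip the check.

namespace App\Http\Controllers;

use App\Http\Requests\UpdateTaskRequest;
use App\Models\Task;

class TaskController extends Controller
{
    public function update(UpdateTaskRequest $request, Task $task)
    {
        $task->update($request->validated());

        return redirect()->route('tasks.show', $task);
    }
}
```

Keeping the ownership check for `project_id` in the request is the advantage the first comment points at: the 'can' middleware can only see route parameters, while the request class sees the whole input.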
The third method is the best in my opinion because it will also secure all other methods like delete and update as well as view
If the post has a user_id field, then I'll use something simple in the controller, like
abort_if(($post->user_id != auth()->user()->id), 403);
Hello Povilas, I had a question. How do you control the relationship tables? For example, if a user has more than one customer, how do you go about authorizing that user?
Hello, is it possible to make a video about guards? That notion is really weird and I don't really know how and when I can use it. Thanks for your time teaching us.
I don't use guards. They should be used in very rare cases; in most cases you need gates and policies.
Hi, I think with policies it's a more flexible approach, we can specify "actions" to secure, thank you very much.
Hello, nice video. Just a question (new at PHP/Laravel, PHP 8.0): Is there a reason why you're not using one line for the if statement instead of three?
@02:38 if ($task->created_by_id != auth()->id()) abort(403);
I use these if there is just one line in the if statement.
Personal preference and code styling according to PSR
@@LaravelDaily Thanks for the fast response.
Does the bootXYZ() static function work in Laravel 9? Because I don't get any reaction from my code :(
For me a mix of those versions is the best, you can just reuse the traits. But you don't really have any relations included in this one. So if a user belongs to the continent Europe, which is in the table continents, and then you have continent_items and the user should only see the items in their continents, there are limits with traits. Therefore you can't just reuse a trait.
Global scope seems interesting, but sometimes when reading code you don't know what's happening, why you get some result while the request is clear. It's like observers! The hidden actions under the hood!
I prefer using the Laravel Policy Method
I prefer Global scope.
I also use another method to protect some data (in other PHP frameworks). The $id and a kind of Crypt($id+X), for example, are in the URL. So whenever a request comes to the controller, I check this condition before.
Even if this is not the best practice, some kind of middleware is also a solution.
I think it depends on the type of system you are creating. If it's a system to be used by different public users then I will go with 404, but if it's an organizational system a security message will be better, to avoid a situation where admins have to guess why the error...
Great info! Thanks
Hi Povilas, I have one question: how can one replace the database id key with a more secure string or number in the browser URL? I have checked on the net but found no solution.
Search for UUID
Great content.
For me, I use the can method to write my own exception in the case of APIs.
I think you already covered this in your Laravel Roles And Permissions video
Well yeah, after 800+ videos I started repeating myself a bit, but trying to talk about the same topic from another angle. You would be surprised how many people hear it from this angle for the first time, and are thankful for the video.
I think you can make some courses from your already existing YouTube videos, just grouping them and ordering, and it would do well for many people. Some $5-10 course, as a 'tip' for grouping info for other people, since most of them are really lazy to search.
I'm already kinda doing it, many of my courses are just grouped and re-shot videos that were on RUclips in some form. But also, a lot of people don't watch many of my videos, there are a lot of one timers.
5:54 Definitely the not found error - because when the user gets an error message that he is not authorized, he can still deduce that the item with that id exists - he just does not have the privileges to see it and execute actions on it. I would definitely rather give him doubts about whether the id he wanted to see even exists by showing him the not found error message.
What about the id in the URL? Do we use UUID or any other option?
Yes, you may use UUID if you want to hide the real IDs.
I use gates with request.
4:31 how to let admins pass without verifying this?
I always do it by $task = auth()->user()->tasks()->findOrFail($id); but in my opinion it’s not so elegant and I can’t use route model bindings.
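An added example (not the video's or any commenter's code) tying together several threads above: the trait-based global scope that the bootXYZ() question refers to, why route model binding then works with it (the `auth()->user()->tasks()->findOrFail($id)` pattern becomes unnecessary), and why the result for someone else's row is a 404 rather than a 403, which is the outcome the "not found" comment argues for. Names are assumed: a Task model with a created_by_id column, the trait name OwnedByCurrentUser, and the scope name 'owner'. Three files are shown in one block.

```php
<?php
// app/Models/Concerns/OwnedByCurrentUser.php
// Added example. Eloquent calls a static method named boot<TraitName>() on each
// trait a model uses, so the name must match the trait exactly; a typo here
// silently registers nothing, which is the usual reason "nothing happens".

namespace App\Models\Concerns;

use Illuminate\Database\Eloquent\Builder;

trait OwnedByCurrentUser
{
    protected static function bootOwnedByCurrentUser(): void
    {
        // Applied to every query on the model: find(), findOrFail(), route model
        // binding, relationships, all(). Only withoutGlobalScope('owner') bypasses it.
        static::addGlobalScope('owner', function (Builder $query) {
            if (auth()->check()) {
                $table = $query->getModel()->getTable();
                $query->where($table . '.created_by_id', auth()->id());
            }
        });

        // Stamp the owner on insert so new rows are visible to their creator.
        static::creating(function ($model) {
            if ($model->created_by_id === null) {
                $model->created_by_id = auth()->id();
            }
        });
    }
}

// app/Models/Task.php

namespace App\Models;

use App\Models\Concerns\OwnedByCurrentUser;
use Illuminate\Database\Eloquent\Model;

class Task extends Model
{
    use OwnedByCurrentUser;

    protected $fillable = ['title', 'created_by_id'];
}

// app/Http/Controllers/TaskController.php

namespace App\Http\Controllers;

use App\Models\Task;

class TaskController extends Controller
{
    // {task} is resolved through newQuery(), which carries the global scope, so
    // a task owned by another user is simply not found: 404, with no hint that
    // the id exists. No if/abort or policy call is needed in the method body.
    public function show(Task $task)
    {
        return view('tasks.show', compact('task'));
    }

    // The same scope makes the explicit lookup equivalent to the relationship
    // version from the comment above, without losing route model binding.
    public function edit(int $id)
    {
        $task = Task::findOrFail($id);   // 404 for a foreign or missing id

        return view('tasks.edit', compact('task'));
    }
}
```

Two things to know before relying on this, both of them the "hidden actions under the hood" an earlier comment worries about: the scope filters only when a user is authenticated, so the routes still need the `auth` middleware (an unauthenticated request would otherwise see an unfiltered query), and artisan commands or queued jobs run with no user and therefore see every row. Any place that legitimately needs cross-user access should say so with `Task::withoutGlobalScope('owner')` so the exception is visible in code review.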
Mine is different, what should I type in my code because I have no idea.. this is my code

use Illuminate\Support\Facades\Auth;

public function order()
{
    $order = Order::all();
    if (Auth::id()) {
        // ....
    } else {
        // ...
    }
}

and my web.php is

Route::get('/order', [AdminController::class, 'order']);
Policies for me