samedi 28 août 2021

Laravel 5.3 web.php and api.php: what is proper usage to ensure admin-only access to designated site sections?

I am trying to clean up my Laravel 5.3 route related files (web.php, api.php) in order to ensure certain parts and functions of my site are only accessible by admin user.

I know Laravel 5.3 is a bit dated, but trying to figure out how pros would go about setting up routes to accomplish my goal. The way I have things now seems to work (key word, 'seems'), but before I upload to production side, I just want a sanity check.

Here are the types of access as well as background functionality I have:

1. Guest - unlogged in users who have access to most of the site, so urls such as mysite.test/somecontent

2. Admin - has admin role as user, and can access the admin panel via mysite.test/adminpanel. While in admin panel, has access to api endpoints, since my admin panel CRUD actions are via my API endpoints. That is endpoint urls like mysite.test/api/somecontent. Angular is used for the CRUD functionality and my main concern is to make sure there are no backdoors via the api that allows non authorized visitors to use the api endpoints to delete data, view data.

3. Logged in - these users have access to their profile, etc, so urls like mysite.test/myprofile

4. Webhooks, Queue actions - These are, for instance webhhoks from Mailchimp, Stripe, Zoom.

I read here to get familiar with routing under Laravel 5.3:

https://laravel.com/docs/5.3/routing

There I see mention of route middleware and searched on github.com for example Laravel 5.3 projects, but in looking at example web.php and api.php files I don't see the middleware functionality being implemented.

So I tried my best to set up these 2 route related files, and have some questions:

1. Is this generally the correct approach or am I setting my self up for security issues? 2. Do I truly need to specify api related routes in my web.php, or should I only be doing that in api.php?

Here is my web.php (representative lines)

Auth::routes();
/*
|--------------------------------------------------------------------------
| Application Routes
|--------------------------------------------------------------------------
|
| This route group applies the "web" middleware group to every route
| it contains. The "web" middleware group is defined in your HTTP
| kernel and includes session state, CSRF protection, and more.
|
*/

Route::group(['middleware' => 'web'], function () {
    // Auth
    Route::auth();
    Route::get('/register/verify/{token}', 'Auth\\RegisterController@verifyEmail');
    
    // Main
    Route::get('/somecontent', 'SomeController@index');
    Route::post('/somecontent/someaction/{id}', 'SomeController@someaction');

    // Redirects
    Route::get('/home', function () {
        return Redirect::to('/');
    });

    // static pages
    Route::get('somepage', function()
    {
        return View::make('static/somepage');
    });

    Route::get('/pusher', function() {
        event(new App\Events\SomeactionEvent('New Something Posted'));
        return "Event has been sent!";
    });

});

// Authenticated Users
Route::group(['middleware' => ['web', 'auth']], function () {
    // Change Password
    Route::get('/password/change', 'Auth\\PasswordController@showChangePasswordForm');
    Route::post('/password/change', 'Auth\\PasswordController@changePassword');

    // Profile
    Route::get('/myprofile', 'ProfileController@index');

    // Buy
    Route::get('/mybilling', 'BillingController@index');

});

// Admin Only
Route::group(['middleware' => ['web', 'auth', 'admin']], function () {
    // Admin Panel
    Route::get('/adminpanel', 'AdminpanelController@index');

    // API endpoints
    Route::resource('api/somecontent', 'Api\SomecontentController');
});

Route::get('/logout', 'Auth\LoginController@logout');

// webhooks stuff
Route::post(
    'stripewebhook/webhook',
    'StripeWebhookController@handleWebhook'
);

And here is typical line in the api.php:

use Illuminate\Http\Response;

    Route::group(['prefix' => 'api'], function () {
        Route::resource('somecontent', 'Api\SomecontentController');
    });

Regarding my admin panel angular-based CRUD actions, here is a typical function in the controller:

        $scope.delete = function () {
            $scope.busy = true;
            $http.delete('/api/somecontent/' + $scope.somecontent.id).then(function (response) {
                $scope.busy = false;
                $location.path('/somecontent');
            }, function (response) {
                $scope.busy = false;
                $scope.error = 'Unable to delete somecontent...';
            });
        };

And here is typical entry in the angular routes.js file:

angular.module('adminpanel')
.config(function ($routeProvider, $locationProvider) {
    $locationProvider.hashPrefix('');
    $routeProvider
        .when('/somecontent/delete/:id', {
            templateUrl: 'views/adminpanel/somecontent/delete.html',
            controller: 'SomecontentDeleteController'
        })


        // Catch all
        .otherwise({
            redirectTo: '/'
        });
});

Thanks in advance!



from Newest questions tagged laravel-5 - Stack Overflow https://ift.tt/2UTdR1x
via IFTTT

Aucun commentaire:

Enregistrer un commentaire