Laravel 5.3 web.php and api.php: what is proper usage to ensure admin-only access to designated site sections?

I am trying to clean up my Laravel 5.3 route related files (web.php, api.php) in order to ensure certain parts and functions of my site are only accessible by admin user.

I know Laravel 5.3 is a bit dated, but trying to figure out how pros would go about setting up routes to accomplish my goal. The way I have things now seems to work (key word, ‘seems’), but before I upload to production side, I just want a sanity check.

Here are the types of access as well as background functionality I have:

1. Guest – users who are not logged in but have access to most of the site, so URLs such as mysite.test/somecontent

2. Admin – has the admin role as a user, and can access the admin panel via mysite.test/adminpanel. While in the admin panel, has access to API endpoints, since my admin panel CRUD actions go through my API endpoints, that is, endpoint URLs like mysite.test/api/somecontent. Angular is used for the CRUD functionality, and my main concern is to make sure there are no backdoors via the API that allow non-authorized visitors to use the API endpoints to delete data or view data.

3. Logged in – these users have access to their profile, etc, so urls like mysite.test/myprofile

4. Webhooks, queue actions – these are, for instance, webhooks from Mailchimp, Stripe, Zoom.

I read here to get familiar with routing under Laravel 5.3:

https://laravel.com/docs/5.3/routing

There I see mention of route middleware and searched on github.com for example Laravel 5.3 projects, but in looking at example web.php and api.php files I don’t see the middleware functionality being implemented.

So I tried my best to set up these 2 route related files, and have some questions:

1. Is this generally the correct approach, or am I setting myself up for security issues?

2. Do I truly need to specify API-related routes in my web.php, or should I only be doing that in api.php?

Here is my web.php (representative lines):

Auth::routes();
/*
|--------------------------------------------------------------------------
| Application Routes
|--------------------------------------------------------------------------
|
| This route group applies the "web" middleware group to every route
| it contains. The "web" middleware group is defined in your HTTP
| kernel and includes session state, CSRF protection, and more.
|
*/

Route::group(['middleware' => 'web'], function () {
    // Auth
    Route::auth();
    Route::get('/register/verify/{token}', 'Auth\[email protected]');

    // Main
    Route::get('/somecontent', '[email protected]');
    Route::post('/somecontent/someaction/{id}', '[email protected]');

    // Redirects
    Route::get('/home', function () {
        return Redirect::to('/');
    });

    // static pages
    Route::get('somepage', function () {
        return View::make('static/somepage');
    });

    Route::get('/pusher', function () {
        event(new App\Events\SomeactionEvent('New Something Posted'));
        return "Event has been sent!";
    });
});

// Authenticated Users
Route::group(['middleware' => ['web', 'auth']], function () {
    // Change Password
    Route::get('/password/change', 'Auth\[email protected]howChangePasswordForm');
    Route::post('/password/change', 'Auth\[email protected]');

    // Profile
    Route::get('/myprofile', '[email protected]');

    // Buy
    Route::get('/mybilling', '[email protected]');
});

// Admin Only
Route::group(['middleware' => ['web', 'auth', 'admin']], function () {
    // Admin Panel
    Route::get('/adminpanel', '[email protected]');

    // API endpoints
    Route::resource('api/somecontent', 'ApiSomecontentController');
});

Route::get('/logout', '[email protected]');

// webhooks stuff
Route::post(
    'stripewebhook/webhook',
    '[email protected]'
);

And here is a typical entry in the api.php:

use Illuminate\Http\Response;

Route::group(['prefix' => 'api'], function () {
    Route::resource('somecontent', 'ApiSomecontentController');
});

Regarding my admin panel Angular-based CRUD actions, here is a typical function in the controller:

$scope.delete = function () {
    $scope.busy = true;
    $http.delete('/api/somecontent/' + $scope.somecontent.id).then(function (response) {
        $scope.busy = false;
        $location.path('/somecontent');
    }, function (response) {
        $scope.busy = false;
        $scope.error = 'Unable to delete somecontent...';
    });
};

And here is a typical entry in the Angular routes.js file:

angular.module('adminpanel')
    .config(function ($routeProvider, $locationProvider) {
        $locationProvider.hashPrefix('');
        $routeProvider
            .when('/somecontent/delete/:id', {
                templateUrl: 'views/adminpanel/somecontent/delete.html',
                controller: 'SomecontentDeleteController'
            })

            // Catch all
            .otherwise({
                redirectTo: '/'
            });
    });

Thanks in advance!
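The following is an added example, not code from the question above, showing how the admin-only gate described in the post is usually wired in Laravel 5.3: a route middleware that denies non-admins, its registration in the HTTP kernel, a single protected route group that carries the session-authenticated Angular API, and a feature test that proves a guest and a logged-in non-admin cannot reach the delete endpoint. It assumes Laravel 5.3 defaults (routes/web.php is already wrapped in the `web` group, routes/api.php is auto-prefixed with `/api` and wrapped in the session-less `api` group), a `role` column on the `users` table, a user factory, and hypothetical controller names `AdminPanelController` and `Api\SomecontentController`.

```php
<?php
// Added example, not the asker's code. Assumptions: Laravel 5.3 defaults,
// a `role` column on users, a working user factory; controller names are hypothetical.

// ---- app/Http/Middleware/Admin.php -----------------------------------------
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class Admin
{
    // Runs after the `auth` middleware, so $request->user() is populated.
    // Anyone who is not an admin is refused; the check is on the server, so the
    // Angular client can be changed freely without opening the API.
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();
        if ($user === null || $user->role !== 'admin') {
            // JSON clients (the admin panel) get a 403 body; browsers get the 403 page.
            if ($request->ajax() || $request->wantsJson()) {
                return response()->json(['error' => 'Forbidden'], 403);
            }
            abort(403);
        }
        return $next($request);
    }
}

// ---- app/Http/Kernel.php: add the alias to $routeMiddleware -----------------
//     'admin' => \App\Http\Middleware\Admin::class,

// ---- routes/web.php -------------------------------------------------------
// RouteServiceProvider already applies the `web` group (session, CSRF) to this
// file, so only `auth` and `admin` need to be named here.
Route::group(['middleware' => ['auth', 'admin']], function () {
    Route::get('/adminpanel', 'AdminPanelController@index');              // hypothetical

    // Session-cookie CRUD used by the Angular admin panel; no HTML forms needed.
    Route::resource('api/somecontent', 'Api\SomecontentController',      // hypothetical
        ['except' => ['create', 'edit']]);
});
// Do not repeat these routes in routes/api.php: that file is auto-prefixed
// with /api and has no session, so an unguarded copy there is reachable by
// anyone. Confirm the final table with `php artisan route:list`.

// ---- tests/AdminApiTest.php (Laravel 5.3 test style) ----------------------
use Illuminate\Foundation\Testing\DatabaseTransactions;

class AdminApiTest extends TestCase
{
    use DatabaseTransactions;

    // Guest: the `auth` middleware answers JSON callers with 401.
    public function testGuestCannotDeleteViaApi()
    {
        $this->json('DELETE', '/api/somecontent/1');
        $this->assertResponseStatus(401);
    }

    // Logged in but not admin: the `admin` middleware answers 403.
    public function testLoggedInNonAdminCannotDeleteViaApi()
    {
        $user = factory(App\User::class)->create(['role' => 'user']);
        $this->actingAs($user)->json('DELETE', '/api/somecontent/1');
        $this->assertResponseStatus(403);
    }
}
```

The middleware is the only place the admin decision is made, so every route inside the group inherits it, and the two tests fail loudly if someone later moves the resource to an unprotected group or file. CSRF is skipped automatically while running PHPUnit in 5.3, which is why the DELETE requests in the test reach the `auth` and `admin` checks rather than stopping at the token check.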

from Newest questions tagged laravel-5 – Stack Overflow https://ift.tt/2UTdR1x
via IFTTT
