Laravel Tutorial – ACL (User Roles) – #3 Middleware

  • 00:00:00 welcome back in the last part we set up
  • 00:00:03 our database we created two roles the
  • 00:00:06 users there and our first role
  • 00:00:08 connections or we assigned the first roles
  • 00:00:10 now it's time to do the remaining work
  • 00:00:14 to create the actual middleware which
  • 00:00:17 protects our route I start in the user
  • 00:00:20 model here where I will define two new
  • 00:00:25 methods and this is one of the rare
  • 00:00:29 times so to say where we actually
  • 00:00:32 define more than just well the
  • 00:00:35 relationships in the user model but here
  • 00:00:38 I really need these extra methods first
  • 00:00:40 method I will need is a public function
  • 00:00:43 which says or which is called has any
  • 00:00:46 role and with this method I want to have
  • 00:00:51 a way to check if a user later in the
  • 00:00:56 middleware the authenticated user has
  • 00:00:58 a certain role and I need this method
  • 00:01:01 to find out if he has this role
  • 00:01:03 and to be able to determine if the user
  • 00:01:06 should be granted access to a certain
  • 00:01:07 resource or not I will pass an argument
  • 00:01:12 called roles which will contain the
  • 00:01:16 roles I want to check for so this will
  • 00:01:19 work in a way that when we're in the
  • 00:01:21 middleware and we know that a certain
  • 00:01:23 route is only accessible by let's say
  • 00:01:25 roles admin and author I'd pass admin
  • 00:01:28 and author to this function and check
  • 00:01:31 if the user has one of the two roles and
  • 00:01:34 only if he has one of those roles he's
  • 00:01:36 allowed to access this resource in this
  • 00:01:41 function here I will first check if
  • 00:01:44 roles is an actual array because we are
  • 00:01:47 also allowed to pass a single role
  • 00:01:51 instead of an array of roles like the
  • 00:01:53 convenience here you could of course
  • 00:01:55 also pass a single role in an array but
  • 00:01:58 we are provided with convenience here
  • 00:02:00 so if we're having an array of roles then I
  • 00:02:04 want to loop through this array through
  • 00:02:08 all the roles in this array with a normal
  • 00:02:10 for each loop and I will check if
  • 00:02:14 this current user this of course refers
  • 00:02:18 to the currently logged in user or
  • 00:02:22 whatever user object is calling this has
  • 00:02:25 any role later if this user has a role
  • 00:02:29 this function doesn't exist yet I'm
  • 00:02:31 going to create it in a minute if he has
  • 00:02:34 this role the roles role if he has this
  • 00:02:39 role I will return true because then I
  • 00:02:45 want to tell well return from the
  • 00:02:48 method that the user actually has this
  • 00:02:51 role which is exactly the check I'm
  • 00:02:53 running here and if I'm checking if he
  • 00:02:56 has any of these roles I don't need to
  • 00:02:58 continue in this loop because I know
  • 00:03:00 yeah he has any of the roles he needs
  • 00:03:03 to access this resource so we may just
  • 00:03:05 finish it doesn't matter if he has all the
  • 00:03:07 roles
  • 00:03:08 this is the one part of this function
  • 00:03:11 the other is well just if we're not
  • 00:03:13 getting an array of roles but a single
  • 00:03:16 role well then of course the only thing
  • 00:03:18 we do is basically we repeat this but
  • 00:03:23 here we have roles because even though
  • 00:03:25 it's called roles it's only one role as
  • 00:03:27 we're not having an array so then we
  • 00:03:30 would also return true in all other
  • 00:03:32 cases though we would return false
  • 00:03:35 because the user does not have the role or
  • 00:03:38 any of the roles we're checking this
  • 00:03:41 leads to the second function the has
  • 00:03:44 role function which we're calling here
  • 00:03:50 and here this has role function will well
  • 00:03:56 check if the user has a specific role and I
  • 00:04:00 do this by running or checking if this
  • 00:04:04 the user roles which is the relation to
  • 00:04:07 all the roles again using parentheses to
  • 00:04:10 stay in the query builder so to say to
  • 00:04:13 say ok I'm going to add some arguments
  • 00:04:16 to this database call I'm making here
  • 00:04:18 I want and here where well the name of
  • 00:04:22 the role is role
  • 00:04:27 and then the first element now what this
  • 00:04:30 does is it accesses the roles of this
  • 00:04:34 user and then sees if in these roles the
  • 00:04:40 user has assigned to it the role I'm
  • 00:04:44 checking for appears if this is not the
  • 00:04:47 case then the user does not have this
  • 00:04:49 role so here I can return true otherwise
  • 00:04:54 we're returning false so with that we
  • 00:04:57 prepare our user model to be able to
  • 00:05:00 check if the user has a certain role and
  • 00:05:03 with this we're well prepared to write
  • 00:05:06 our actual middleware before I do this I
  • 00:05:10 want to do one other thing in my admin
  • 00:05:12 blade view here I want to populate
  • 00:05:19 this admin view page so that we can
  • 00:05:25 actually see the check marks here
  • 00:05:27 because we now got all the functionality
  • 00:05:29 we need to show the check marks to do
  • 00:05:32 this I'm going to create an input
  • 00:05:33 element here which is of type checkbox
  • 00:05:36 and if it is checked or not depends on
  • 00:05:41 well the case if this user the current
  • 00:05:44 row we're in has this role or not so
  • 00:05:48 here I'm entering the blade template
  • 00:05:50 expression and I check if the current
  • 00:05:54 user we're looping through all users
  • 00:05:56 here to output them in a table if the
  • 00:05:59 current user has a role in this case
  • 00:06:01 well it's just the user I'm doing this
  • 00:06:04 hard-coded here of course you could come
  • 00:06:06 up with a dynamic way but this is
  • 00:06:08 already split up over several videos I
  • 00:06:11 didn't want to make this too long and
  • 00:06:13 it's not a core thing to this ACL system
  • 00:06:19 I'm showing so this is how we check if
  • 00:06:22 the user has a role that's just a function
  • 00:06:24 we implemented a few minutes ago
  • 00:06:26 and if he has this role well then I'm
  • 00:06:29 going to set the checked attribute otherwise
  • 00:06:31 I'll not now I'll just copy this for
  • 00:06:37 all three roles
  • 00:06:39 here I have the author and here I have
  • 00:06:43 the admin and I also want to set a name
  • 00:06:49 attribute here this is needed later
  • 00:06:51 when we actually change the roles
  • 00:06:53 this will be called role user this input
  • 00:06:57 here this input will be called role
  • 00:07:00 author and the last input will of
  • 00:07:03 course be called role admin now these
  • 00:07:06 changes in place if I reload this page
  • 00:07:08 you can see the actual role assignments
  • 00:07:12 we have due to our seeding and this
  • 00:07:15 looks alright to me author has the
  • 00:07:17 author role admin the admin role and a
  • 00:07:19 normal user the user role so that
  • 00:07:21 works now back to the middleware
  • 00:07:23 we're going to create a new middleware
  • 00:07:26 and here again we can use artisan
  • 00:07:28 to help us set up this file by just calling
  • 00:07:31 php artisan make:middleware and then
  • 00:07:36 the name of the middleware which I will
  • 00:07:37 call check role now in my
  • 00:07:41 middleware folder under App HTTP I have
  • 00:07:46 this check role PHP file which is
  • 00:07:48 conveniently already set up in a way
  • 00:07:51 that we don't have to do that much and
  • 00:07:54 in the handle function I first want to
  • 00:07:59 check if well we actually have a user in
  • 00:08:02 our request so if this is not null so
  • 00:08:06 this means if we're trying to access
  • 00:08:11 this not logged in then we'll always be
  • 00:08:15 well sent back on all the routes where
  • 00:08:18 we are checking for roles because well
  • 00:08:20 no matter which role you theoretically
  • 00:08:22 have if you're not logged in you're
  • 00:08:25 certainly in the wrong place so then I
  • 00:08:28 will return a response and this will
  • 00:08:30 just be a text response which says
  • 00:08:33 insufficient permissions with a code
  • 00:08:40 400 401 unauthorized I have to do this
  • 00:08:45 because if I did not do this I'd try to
  • 00:08:48 access this user
  • 00:08:50 of the request in the next steps and
  • 00:08:54 this would throw an error if the user is
  • 00:08:56 not set therefore I will need to check
  • 00:08:58 before I actually do this next thing is
  • 00:09:02 I need to retrieve some actions and I
  • 00:09:06 will come back to this in a second I do
  • 00:09:09 this by accessing my request the route I'm
  • 00:09:12 currently trying to access here when the
  • 00:09:15 middleware kicks in and here the get
  • 00:09:18 action method now this is a little bit
  • 00:09:22 difficult to understand I imagine it
  • 00:09:25 will be clearer in a few seconds
  • 00:09:27 basically with get action we can access
  • 00:09:32 these key value pairs we're setting up
  • 00:09:37 in our routes array here all these are
  • 00:09:41 actions of this route and we can define
  • 00:09:44 our own route actions and we'll do so
  • 00:09:48 later so these actions we're manually
  • 00:09:52 defining them will be the actual roles
  • 00:09:55 which are allowed to access a route and
  • 00:09:57 in the check role middleware I'm basically
  • 00:10:01 retrieving these roles here by getting
  • 00:10:04 the actions however actions is well this
  • 00:10:10 array this is the action variable or
  • 00:10:16 this is what we store in this action
  • 00:10:17 variable later we'll have like roles and
  • 00:10:22 then an array which says author admin for
  • 00:10:26 example and then we want to retrieve
  • 00:10:28 this roles key in our actions to do this
  • 00:10:32 back in my check role I will add a new
  • 00:10:37 variable which basically first will
  • 00:10:40 check if actions does have this roles
  • 00:10:44 key because not all our routes need it
  • 00:10:47 we're also having routes which are not
  • 00:10:50 protected which may be accessed by
  • 00:10:52 everyone where we don't use this role
  • 00:10:54 middleware or where we set up this role
  • 00:10:56 middleware but don't define any roles
  • 00:10:58 so first we check if we actually do have
  • 00:11:02 any roles set up
  • 00:11:03 and if this if this is the case well
  • 00:11:06 then all we do is store them the roles
  • 00:11:08 we set up for this route are stored in
  • 00:11:10 this roles variable otherwise well the
  • 00:11:13 roles variable will be null
  • 00:11:16 so next step is to access the user in
  • 00:11:21 the request and that's again the
  • 00:11:22 reason why we have to check if the
  • 00:11:23 user is null before we do this here
  • 00:11:25 and use the has any role method we created
  • 00:11:31 earlier in this video to check if he has
  • 00:11:34 any of the roles we retrieved here or if
  • 00:11:42 roles is not set if roles is not set
  • 00:11:47 well then also we want to allow the user
  • 00:11:50 to proceed and we do this by calling
  • 00:11:53 return next request the statement that
  • 00:11:57 was at the end of this default handle
  • 00:11:59 method created for us by the artisan
  • 00:12:01 command this basically says everything
  • 00:12:04 is fine you may go on with the next
  • 00:12:06 middleware or whatever so we're done we're
  • 00:12:08 then checking everything's fine
  • 00:12:10 you may continue you may continue if you
  • 00:12:13 either have one of the roles or if no
  • 00:12:17 roles are set up otherwise you're
  • 00:12:21 trying to access a resource you're not
  • 00:12:23 allowed to and we will well let's just
  • 00:12:26 copy this we'll return the exact same
  • 00:12:28 response this is how you create the
  • 00:12:31 middleware now the last step in this
  • 00:12:33 video is to register this middleware and
  • 00:12:36 we do this in the kernel PHP file at the
  • 00:12:40 very bottom of this file in the route
  • 00:12:42 middleware area here at the end I will
  • 00:12:46 create a new middleware and I will just
  • 00:12:48 call it roles the name is up to you and
  • 00:12:49 this will point to app HTTP middleware
  • 00:12:55 and then check role and here it's
  • 00:12:58 important to add this class keyword or
  • 00:13:04 access this property so that we refer to
  • 00:13:07 the actual class with this the
  • 00:13:11 middleware is created it is registered
  • 00:13:13 and the next
  • 00:13:15 step in the next video will actually
  • 00:13:17 protect some routes with it and do all
  • 00:13:19 the final touches we still have to do
  • 00:13:22 see you there bye
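The pieces described in the video, written out as one added example (this is not the tutorial's own source, and it is not copied from any project). It assumes Laravel 5.x, the `roles`/`role_user` tables and the `App\Role` model from the earlier parts, the role names `user`, `author` and `admin`, and an `AdminController@index` action for the sample route; the route definition at the end is an assumption about what the next video sets up, since this part only registers the middleware.

```php
<?php
// Added example, not the tutorial's files: User model helpers, the CheckRole
// middleware, its kernel registration and one assumed protected route.
// Assumes Laravel 5.x and the roles <-> users many-to-many relation
// (role_user pivot) from the earlier parts of the series.
// Each "file:" comment marks where the code would live in a real app.

// file: app/User.php
namespace App;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // Relation set up in the previous part (assumed; App\Role is the role model).
    public function roles()
    {
        return $this->belongsToMany('App\Role');
    }

    // Does the user hold at least one of the given roles?
    // $roles is either an array of role names or a single role name.
    public function hasAnyRole($roles)
    {
        if (is_array($roles)) {
            foreach ($roles as $role) {
                if ($this->hasRole($role)) {
                    return true; // one match is enough, stop looping
                }
            }
        } elseif ($this->hasRole($roles)) {
            return true;
        }

        return false; // none of the requested roles is assigned
    }

    // Does the user hold this specific role? roles() with parentheses keeps
    // us in the query builder, so the name filter runs in the database.
    public function hasRole($role)
    {
        return $this->roles()->where('name', $role)->first() !== null;
    }
}

// file: app/Http/Middleware/CheckRole.php
namespace App\Http\Middleware;

use Closure;

class CheckRole
{
    public function handle($request, Closure $next)
    {
        // Not logged in: deny before calling $request->user()->hasAnyRole(),
        // which would throw on a null user.
        if ($request->user() === null) {
            return response('Insufficient permissions', 401);
        }

        // getAction() returns the key/value pairs from the route definition;
        // 'roles' is our own custom key and is absent on routes that set none.
        $actions = $request->route()->getAction();
        $roles = isset($actions['roles']) ? $actions['roles'] : null;

        // Let the request through if the user has one of the roles,
        // or if the route defines no roles at all.
        if ($roles === null || $request->user()->hasAnyRole($roles)) {
            return $next($request);
        }

        return response('Insufficient permissions', 401);
    }
}

// file: app/Http/Kernel.php (only the relevant property shown)
namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    protected $routeMiddleware = [
        // ... Laravel's default entries stay here ...
        'roles' => \App\Http\Middleware\CheckRole::class,
    ];
}

// file: routes/web.php (assumed usage; protecting routes is the next part)
use Illuminate\Support\Facades\Route;

Route::get('/admin', [
    'uses'       => 'AdminController@index',
    'middleware' => 'roles',
    'roles'      => ['admin', 'author'], // only these roles reach /admin
]);
```

Two things worth keeping in mind when reviewing this design. First, it fails open: a route that carries the `roles` middleware but forgets the `roles` key is reachable by every logged-in user, so route definitions deserve the same review as the middleware itself; if you would rather fail closed, treat a missing `roles` key the same as a mismatch. Second, the video returns 401 for both the anonymous and the wrong-role case; by HTTP semantics 401 means "not authenticated" and 403 means "authenticated but not permitted", and using 403 for the second case makes the denials easier to tell apart in access logs.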