Laravel-Backpack / PermissionManager

Admin interface for managing users, roles, permissions, using Backpack CRUD
http://backpackforlaravel.com

I want to protect the PermissionManager Routes to Users that only can Edit Permissions #297

Closed andresrl closed 2 years ago

andresrl commented 2 years ago

Hi, I made this in: /vendor/backpack/permissionmanager/src/routes/backpack/permissionmanager.php

Route::group([
    'namespace'  => 'Backpack\PermissionManager\app\Http\Controllers',
    'prefix'     => config('backpack.base.route_prefix', 'admin'),
    'middleware' => ['web', backpack_middleware()],
], function () {
    Route::group(['middleware' => ['can:edit permissions']], function () { // <---- I added this code
        Route::crud('permission', 'PermissionCrudController');
        Route::crud('role', 'RoleCrudController');
        Route::crud('user', 'UserCrudController');
    }); // <---- I added this code
});

It works!

But I know it is not a good idea to do it like this, touching the vendor folder.

How can I handle this situation?

Also I've tried to put that code inside the routes of Backpack (custom.php), with no results

welcome[bot] commented 2 years ago

Hello there! Thanks for opening your first issue on this repo!

Just a heads-up: Here at Backpack we use Github Issues only for tracking bugs. Talk about new features is also acceptable. This helps a lot in keeping our focus on improving Backpack. If your issue is not a bug/feature, please help us out by closing the issue yourself and posting in the appropriate medium (see below). If you're not sure where it fits, it's ok, a community member will probably reply to help you with that.

Backpack communication mediums:

Please keep in mind Backpack offers no official / paid support. Whatever help you receive here, on Gitter, Slack or Stackoverflow is thanks to our awesome awesome community members, who give up some of their time to help their peers. If you want to join our community, just start pitching in. We take pride in being a welcoming bunch.

Thank you!

-- Justin Case The Backpack Robot

AbbyJanke commented 2 years ago

If you make a file called 'permissionmanager.php' in the backpack folder it will overwrite the one contained in the vendor folder.

pxpm commented 2 years ago

As a more extensive explanation of what @AbbyJanke said: copy the file inside the vendor folder where you made the changes to the routes/backpack folder in your main application. Backpack will use the file with your changes and ignore the vendor one. That way you don't need to change vendor files.

Please note that we use GitHub only for bug reports, so this type of question is better asked on StackOverflow or in our Gitter channel.

I will let the bot close this one so you get the links for the next time 🙏

Thanks, Pedro

MikeyBeLike commented 2 years ago

This should help:

php artisan vendor:publish --provider="Backpack\PermissionManager\PermissionManagerServiceProvider" --tag="routes"

andresrl commented 2 years ago

All great, I have now a routes/backpack/permissionmanager.php file in which I could define my routes

BUT

Route::group([
    'namespace'  => 'Backpack\PermissionManager\app\Http\Controllers',
    'prefix'     => config('backpack.base.route_prefix', 'admin'),
    'middleware' => ['web', backpack_middleware()],
], function () {
    Route::group(['middleware' => ['can:edit permissions']], function () {  // <<--  Added this line
        Route::crud('permission', 'PermissionCrudController');
        Route::crud('role', 'RoleCrudController');
    });  // <<--  Added this line
    Route::group(['middleware' => ['can:edit authentication']], function () {  // <<--  Added this line
        Route::crud('user', 'UserCrudController');
    });  // <<--  Added this line
});

Those routes give me a 403 error (Action unauthorized), always, even if I have the right permission.

Please, could you check if this solution works. Otherwise, there will be one that does it.

Thanks!!

pxpm commented 2 years ago

@andresrl the can middleware uses the default Laravel authentication guard; I guess you are using backpack as the default guard in config.backpack.base.guard. You can have two scenarios here: 1) change the default guard in config.auth.defaults.guard to be backpack (make sure your roles and permissions are using the backpack guard in the database). 2) change config.backpack.base.guard to null so Backpack will also use the web guard (in this case make sure web is the guard in the database for permissions and roles).

Depending on your project needs/configuration one of those could be the best to apply if you want to use the can middleware.

It's similar to the use of the @can directive; you can read about it in the README, in section 7.
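
An added example, not part of the thread and not Backpack's own code: a plain-PHP check that models the guard mismatch pxpm describes and the two scenarios that resolve it. The function name `diagnoseGuards` and all sample values are hypothetical; in a real application the inputs would come from `config('auth.defaults.guard')`, `config('backpack.base.guard')` and the `guard_name` column of the permissions table.

```php
<?php
// Added example. It models the explanation in the thread:
//  - the `can` middleware authorizes against auth.defaults.guard
//  - Backpack authenticates on backpack.base.guard (null = use the default guard)
//  - every role/permission row is stored for one guard (guard_name)

function diagnoseGuards(string $defaultGuard, ?string $backpackGuard, array $permissionGuards): array
{
    // Guard Backpack logs users in with; null falls back to the default guard.
    $loginGuard = $backpackGuard ?? $defaultGuard;
    $problems = [];

    if ($loginGuard !== $defaultGuard) {
        $problems[] = "can: checks guard '$defaultGuard' but Backpack logs in on '$loginGuard'";
    }
    foreach ($permissionGuards as $name => $guard) {
        if ($guard !== $loginGuard) {
            $problems[] = "permission '$name' is stored for guard '$guard', expected '$loginGuard'";
        }
    }
    return $problems; // empty array means the three settings agree
}

// Constructed sample data (permission name => guard_name).
$onBackpack = ['edit permissions' => 'backpack', 'edit authentication' => 'backpack'];
$onWeb      = ['edit permissions' => 'web', 'edit authentication' => 'web'];

$cases = [
    'setup pxpm guesses (always 403)'           => ['web', 'backpack', $onBackpack],
    'scenario 1: default guard set to backpack' => ['backpack', 'backpack', $onBackpack],
    'scenario 2: backpack guard null, rows web' => ['web', null, $onWeb],
    'scenario 2 but rows left on backpack'      => ['web', null, $onBackpack],
];

foreach ($cases as $label => [$default, $backpack, $rows]) {
    $problems = diagnoseGuards($default, $backpack, $rows);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'consistent', PHP_EOL;
}
```

The last case is the one that is easy to miss: changing the config alone still leaves every check failing until the stored roles and permissions use the same guard.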