Laravel-Backpack / community-forum

A workspace to discuss improvement and feature ideas, before they're actually implemented.

unable to use Gates #690

Closed backpack-operations closed 1 year ago

backpack-operations commented 1 year ago

Hello team, I just received this on email:

"Hi, I am unable to use Gates for authorization in laravel backpack. Let me know if we can use Gates with backpack.

Thanks"

tabacitu commented 1 year ago

Hi there,

You should be able to use Gates with Backpack without an issue. Gates are pretty simple, just closures that check for permission and throw an error. So you should totally be able to use them to secure parts of your admin panel. If not, let us know the particular case where you had problems.

Heads-up though. There's also a built-in way to prevent people from doing stuff in your Backpack admin panel - access. Check out the API here. Each default operation already checks for access, so you can easily prevent users from doing stuff by something like:

public function setup() 
{
    // ..
    if ($something) { 
        CRUD::denyAccess('list'); 
    }
}

Personally I find that easier to use than Gates. Hope it helps.

Cheers!

Cresta47 commented 1 year ago

I have created a gate and just returned true, but it did not work; it's giving me a 403.

tabacitu commented 1 year ago

Hmmm @Cresta47 I don't use Gates myself, so I'm just spitballing here, but I'm not sure that's how you use Laravel Gates. I've tried the same thing in a tinker session and it's the same result:


To me, this doesn't seem like a Backpack problem, but a "how to use gates" problem. Can't advise much there, as I said, I don't use Gates.

Please note that Backpack does use its own auth guard, so you might need to pass backpack_user() (which returns the logged-in user) as a parameter to your calls, just to make sure your Gates are checking against the right user.

tabacitu commented 1 year ago

Ok so I thought this was interesting, so I investigated it a little bit further. YES, it is a matter of using the correct auth guard.

Solution 1 (punctual)

So you CAN do Gate::forUser(backpack_user())->authorize('something'); and it will work 😉

Solution 2 (general)

Alternatively... and perhaps better in 99% of all use cases, unless you have separate logins for your users and admins... you can go to your config/backpack/base.php and uncomment this last line:


    /*
    |--------------------------------------------------------------------------
    | Authentication
    |--------------------------------------------------------------------------
    */

    // Fully qualified namespace of the User model
    'user_model_fqn' => App\User::class,

    // The classes for the middleware to check if the visitor is an admin
    // Can be a single class or an array of classes
    'middleware_class' => [
        App\Http\Middleware\CheckIfAdmin::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        // \Backpack\CRUD\app\Http\Middleware\UseBackpackAuthGuardInsteadOfDefaultAuthGuard::class,
    ],

As the middleware says, that will make the admin pages use the Backpack auth guard, instead of the default guard. So your guard calls can stay simple, like Gate::authorize('something'); 😉

Does this work for you @Cresta47 ? I'm pretty sure it will, so I'm going to close it pre-emptively. But if it doesn't, let us know and we'll reopen.

Cheers!
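To show both suggestions from this thread together (the Gate evaluated against Backpack's guard with Gate::forUser(backpack_user()), and the result fed into Backpack's own access checks with CRUD::denyAccess), here is an added example. It is not code from the thread, from Backpack, or from any of the participants. The gate name manage-articles, the is_admin column, the Article model and the ArticleCrudController are all assumed names chosen for illustration.

```php
<?php
// Added example (not from the thread or from Backpack). Assumed names:
// gate 'manage-articles', an is_admin column on the users table,
// App\Models\Article and ArticleCrudController.

// --- app/Providers/AuthServiceProvider.php -------------------------------
namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // A gate is a closure that receives the *authenticated user*.
        // Which user that is depends on the guard the Gate is resolved for:
        // by default it is the app's default guard, not Backpack's.
        Gate::define('manage-articles', function ($user): bool {
            return (bool) $user->is_admin;
        });
    }
}

// --- app/Http/Controllers/Admin/ArticleCrudController.php ----------------
namespace App\Http\Controllers\Admin;

use Backpack\CRUD\app\Http\Controllers\CrudController;
use Backpack\CRUD\app\Library\CrudPanel\CrudPanelFacade as CRUD;
use Illuminate\Support\Facades\Gate;

class ArticleCrudController extends CrudController
{
    use \Backpack\CRUD\app\Http\Controllers\Operations\ListOperation;
    use \Backpack\CRUD\app\Http\Controllers\Operations\CreateOperation;
    use \Backpack\CRUD\app\Http\Controllers\Operations\UpdateOperation;
    use \Backpack\CRUD\app\Http\Controllers\Operations\DeleteOperation;

    public function setup(): void
    {
        CRUD::setModel(\App\Models\Article::class);
        CRUD::setRoute(config('backpack.base.route_prefix') . '/article');
        CRUD::setEntityNameStrings('article', 'articles');

        // Solution 1 from the thread: evaluate the gate against the user
        // returned by Backpack's guard. A bare Gate::allows('manage-articles')
        // would be resolved for the default guard, which in an admin-only
        // session has no user, so the gate denies and you get a 403 even
        // though the closure "returns true" for a real user.
        $admin = backpack_user();

        if ($admin === null || ! Gate::forUser($admin)->allows('manage-articles')) {
            // Feed the gate decision into Backpack's own access layer so every
            // write operation (buttons, routes, form submits) honours it.
            CRUD::denyAccess(['create', 'update', 'delete']);
        }

        // If you instead enable Solution 2 (uncomment
        // UseBackpackAuthGuardInsteadOfDefaultAuthGuard in config/backpack/base.php),
        // the forUser() call becomes unnecessary and Gate::allows('manage-articles')
        // gives the same result, because the admin routes then run under the
        // Backpack guard. Keeping forUser() is harmless either way.
    }
}
```

Two practical notes. First, a gate that returns true for "any user" still yields 403 when no user is resolved for the guard in use, which is exactly the symptom reported above; checking backpack_user() for null before calling the gate makes that failure explicit instead of silent. Second, denying access in setup() protects every operation on that CRUD, whereas calling Gate::authorize() inside a single custom method only protects that method, so prefer the access API when the goal is to lock down an entire panel.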