dwijitsolutions / laraadmin

LaraAdmin is an open source Laravel Admin Panel / CMS which can be used as Admin Backend, Data Management Tool or CRM boilerplate for Laravel with features like Advanced CRUD Generation, Module Manager, Backups and many more.
http://laraadmin.com
MIT License
1.56k stars 534 forks

Module Field is Unique can't create form for other Roles #206

Open elektragroup opened 7 years ago

elektragroup commented 7 years ago

Hi Laraadmin Team,

Module Field is Unique: can't insert or update data for other Roles (except SUPER_ADMIN). I gave full permission to the new role but can't insert.

error! This value exists in database

elektragroup commented 7 years ago

Hi Team. Please look into this.

mattrabe commented 7 years ago

Someone really needs to fix this... I found the culprit....

A 403 is being thrown at /vendor/dwij/laraadmin/src/routes.php:11 which is causing this. Here is that line:

    'middleware' => ['web', 'auth', 'permission:ADMIN_PANEL', 'role:SUPER_ADMIN']

The culprit is the 'role:SUPER_ADMIN' part - which means that anything in this route group will be blocked if the current auth user does not have the SUPER_ADMIN role. I, like you, was trying to save a record while logged in as a non-SUPER_ADMIN role user (but one with very high permissions).

I was able to get around this problem by removing that portion:

    'middleware' => ['web', 'auth', 'permission:ADMIN_PANEL']

It seems a potential security concern, but then again we are still blocking by permission:ADMIN_PANEL, so as long as the security on that rule is tight I don't foresee a security hole.

Unfortunately, adding this to my own routes file at /app/Http/routes.php was ineffective, so the only place I know to make this change is in the vendor file, which sucks...

mattrabe commented 7 years ago

You could use my fork+branch for the time being to get this into your codebase. I have forked the 1.0.40 release and added this change: https://github.com/mattrabe/laraadmin/tree/1-0-40

    "require": {
        "dwij/laraadmin": "dev-1-0-40"
    },
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/mattrabe/laraadmin"
        }
    ]

ansonhwa92 commented 6 years ago

For the laraadmin error (This value exists in database.): if you find that the value is not in the database, and only the first account, the one with permission:ADMIN_PANEL or role:SUPER_ADMIN, manages to insert records, then what is actually happening is that a 403 Forbidden is thrown.

How to fix it?

1. Just add the following lines to /vendor/dwij/laraadmin/src/routes.php.

    Route::group([
        'namespace'  => 'Dwij\Laraadmin\Controllers',
        'as' => "",
        // Only 'web' and 'auth' apply here: no permission:ADMIN_PANEL or role:SUPER_ADMIN check
        'middleware' => ['web', 'auth']
    ], function () {

        /* ================== Modules ================== */
        Route::post(config('laraadmin.adminRoute') . '/check_unique_val/{field_id}', 'FieldController@check_unique_val');

    });

2. Modify your .gitignore to enable tracking in git for selected files in the vendor folder. In my case, I have added these lines to track the changes.

    # Re-include each directory level, ignore its contents, then re-include the patched files
    !vendor/
    /vendor/*
    !/vendor/dwij/
    /vendor/dwij/*
    !/vendor/dwij/laraadmin/
    /vendor/dwij/laraadmin/*
    !/vendor/dwij/laraadmin/src
    /vendor/dwij/laraadmin/src/*
    !/vendor/dwij/laraadmin/src/LAFormMaker.php
    !/vendor/dwij/laraadmin/src/routes.php
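
The middleware stacks discussed in this thread, compared side by side in an added example (not part of any comment above and not LaraAdmin or Laravel code): a simplified plain-PHP model of which users pass each stack on each route. The sample users and `other_group_route` are constructed, each middleware is reduced to a yes/no check, and the last variant is not proposed in the thread.

```php
<?php
// Added illustration (PHP 7.4+). Middleware names come from the thread;
// the users and "other_group_route" are constructed placeholders.

// Each middleware reduced to a yes/no check on a user record.
$checks = [
    'web'                    => fn(array $u) => true,
    'auth'                   => fn(array $u) => $u['logged_in'],
    'permission:ADMIN_PANEL' => fn(array $u) => in_array('ADMIN_PANEL', $u['permissions'], true),
    'role:SUPER_ADMIN'       => fn(array $u) => in_array('SUPER_ADMIN', $u['roles'], true),
];

// Constructed sample users.
$users = [
    'super_admin' => ['logged_in' => true,  'roles' => ['SUPER_ADMIN'], 'permissions' => ['ADMIN_PANEL']],
    'manager'     => ['logged_in' => true,  'roles' => ['MANAGER'],     'permissions' => ['ADMIN_PANEL']],
    'customer'    => ['logged_in' => true,  'roles' => ['CUSTOMER'],    'permissions' => []],
    'guest'       => ['logged_in' => false, 'roles' => [],              'permissions' => []],
];

$full     = ['web', 'auth', 'permission:ADMIN_PANEL', 'role:SUPER_ADMIN'];
$noRole   = ['web', 'auth', 'permission:ADMIN_PANEL'];
$authOnly = ['web', 'auth'];

// Route => middleware stack under each configuration.
$variants = [
    'original group'                   => ['check_unique_val' => $full,     'other_group_route' => $full],
    'role removed from whole group'    => ['check_unique_val' => $noRole,   'other_group_route' => $noRole],
    'extra route with web+auth only'   => ['check_unique_val' => $authOnly, 'other_group_route' => $full],
    'extra route, permission kept (*)' => ['check_unique_val' => $noRole,   'other_group_route' => $full],
]; // (*) not proposed in the thread; added here for comparison

// A request passes only if every middleware in the stack accepts the user.
function passes(array $stack, array $user, array $checks): bool {
    foreach ($stack as $name) {
        if (!$checks[$name]($user)) {
            return false;
        }
    }
    return true;
}

foreach ($variants as $label => $routes) {
    echo $label, PHP_EOL;
    foreach ($routes as $route => $stack) {
        $ok = array_keys(array_filter($users, fn(array $u) => passes($stack, $u, $checks)));
        printf("  %-18s %s%s", $route, implode(', ', $ok) ?: '(nobody)', PHP_EOL);
    }
}
```

In this model, removing the role from the group admits every ADMIN_PANEL holder to every route in the group, while the separate web+auth route admits any logged-in user, including one without ADMIN_PANEL, to `check_unique_val` only.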

Muhammadinaam commented 3 years ago

Hi, this is a nice package but I think that the developers have stopped working on it. Maybe you can try this package: https://github.com/Muhammadinaam/speed-admin. It supports Laravel 8+.