Closed beshoo closed 1 year ago
It's a little confusing. You can customize the policy as you see fit.
The authorization is managed by Nova - Authorization.
The nova-permissions package does not handle this behavior. viewAnyUser does not allow updating or viewing a user.
If you disable viewAnyUser for a user, he cannot open "http://127.0.0.1:8000/dashboard/resources/users", but if you turn it on, the user can see "http://127.0.0.1:8000/dashboard/resources/users".
The problem is that if a user opens his profile in EDIT mode ("http://127.0.0.1:8000/dashboard/resources/users/2/edit") and edits the URL with another user's ID, e.g. "http://127.0.0.1:8000/dashboard/resources/users/1/edit", then he can see and update that user's information.
If we deny the viewAnyUser permission in the policy, the user cannot see the User resource at all at 'http://127.0.0.1:8000/dashboard/resources/users'; I get a 403 error.
But the staff role has permission to view/edit users?
I believe the problem is that you don't understand the policy concept.
You need something like:
<?php

namespace App\Policies;

use Illuminate\Database\Eloquent\Model;
use Sereny\NovaPermissions\Policies\BasePolicy;

class UserPolicy extends BasePolicy
{
    // Staff may only update their own record; every other role falls back
    // to the permission check performed by the package's BasePolicy.
    public function update(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $model->id === $user->id
            : parent::update($user, $model);
    }

    // Same rule for viewing a single user's detail page.
    public function view(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $model->id === $user->id
            : parent::view($user, $model);
    }
}
The problem is that if a user opens his profile in EDIT mode ("http://127.0.0.1:8000/dashboard/resources/users/2/edit") and edits the URL with another user's ID, e.g. "http://127.0.0.1:8000/dashboard/resources/users/1/edit"
This is happening because the Staff role has permission to edit a user.
You need to remove the update permission from the Staff role.
But how may staff edit their own data, like their password?
Using the code below will work fine.
You need to study more about Laravel policies.
<?php

namespace App\Policies;

use Illuminate\Database\Eloquent\Model;
use Sereny\NovaPermissions\Policies\BasePolicy;

class UserPolicy extends BasePolicy
{
    // Staff may only update their own record; every other role falls back
    // to the permission check performed by the package's BasePolicy.
    public function update(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $model->id === $user->id
            : parent::update($user, $model);
    }

    // Same rule for viewing a single user's detail page.
    public function view(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $model->id === $user->id
            : parent::view($user, $model);
    }
}
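A regression test for the policy above, added here as an example and not taken from the thread or from the nova-permissions package: it reproduces the URL-tampering report (staff user opening another user's id) and asserts that the edit page, the update endpoint and the detail page are refused while the user's own record stays editable. Assumptions: Laravel Nova 4 mounted at /dashboard as in the URLs in this thread, spatie/laravel-permission (which nova-permissions builds on), the UserPolicy above registered for App\Models\User, a User factory, and the viewAnyUser permission name used in the thread.

```php
<?php
// Added example, not from the thread or the package. Assumes Nova 4 at /dashboard,
// spatie/laravel-permission, the UserPolicy above registered for User, and a
// User factory. "viewAnyUser" is the permission name used in the thread.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Gate;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Tests\TestCase;

class StaffCannotEditOtherUsersTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();
        // Let the test users into Nova; the resource policy is what is under test here.
        Gate::define('viewNova', fn ($user) => true);
    }

    public function test_staff_is_limited_to_own_record(): void
    {
        // Constructed fixtures: a staff role that may list users, plus two users.
        $staffRole = Role::create(['name' => 'staff']);
        $staffRole->givePermissionTo(Permission::create(['name' => 'viewAnyUser']));

        $other = User::factory()->create();                       // someone else's record
        $staff = User::factory()->create()->assignRole('staff');  // the logged-in staff user

        $this->actingAs($staff);

        // Own record: UserPolicy::update returns true via $model->id === $user->id.
        $this->get("/dashboard/resources/users/{$staff->id}/edit")->assertOk();

        // Another user's id in the URL (the report above): the edit page and the
        // update endpoint behind it must both be refused by UserPolicy::update.
        $this->get("/dashboard/resources/users/{$other->id}/edit")->assertForbidden();
        $this->put("/nova-api/users/{$other->id}", ['name' => 'tampered'])->assertForbidden();

        // Another user's detail page is refused by UserPolicy::view.
        $this->get("/dashboard/resources/users/{$other->id}")->assertForbidden();
    }
}
```

Run it with `php artisan test --filter StaffCannotEditOtherUsersTest`; if the policy is later relaxed (for example the staff branch is removed), the 403 assertions fail and flag the regression.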
Well, I am using the policy provided with the documentation; I thought it had to work out of the box!
Thank you for your response, I will test it out and let you know.
@leandrogehlen, thank you so much for the information – it works just fine!
For anyone else who is experiencing this issue, I highly recommend using nova-permissions as a tool for securing your users in Nova. Just make sure to set up the policy correctly.
Hi Dev,
I would like to describe a problem related to user access control. We have two user roles: admin and staff. Admin can see all users, while staff can only see their own record using the following code:
But we need to give the "staff" user viewAnyUser in order to see the User resource, and limit that to his user_id.
The problem is that if a staff user opens their profile and edits the URL with another user's ID, they can see and update that user's information. If we deny the viewAnyUser permission, the staff user cannot see the User resource at all.
How can we secure the panel?