serenysoft / nova-permissions

Laravel Nova 4 Roles & Permissions

[SOLVED] viewAnyUser / updateUser Problem #27

Closed beshoo closed 1 year ago

beshoo commented 1 year ago

Hi Dev,

I would like to describe a problem related to user access control. We have two user roles: admin and staff. Admin can see all users, while staff can only see their own record using the following code:

```php
use Laravel\Nova\Http\Requests\NovaRequest;

// In app/Nova/User.php. Note: this only narrows the index listing; the detail
// and edit routes are authorized by the User policy, not by this query.
public static function indexQuery(NovaRequest $request, $query): \Illuminate\Database\Eloquent\Builder
{
    $user = $request->user();
    if ($user) {
        if ($user->isSuperAdmin()) {
            // User is a super-admin, return the full query
            return $query;
        } else {
            // User is not a super-admin, return only their own record
            return $query->where('id', $user->id);
        }
    } else {
        // No authenticated user (Nova's auth middleware normally prevents this)
        return $query;
    }
}
```

But we need to give the "staff" user viewAnyUser in order to see the User resource, and limit that to his user_id.

The problem is that if a staff user opens their profile and edits the URL with another user's ID, they can see and update that user's information. If we deny the viewAnyUser permission, the staff user cannot see the User resource at all.

How can we secure the panel?

leandrogehlen commented 1 year ago

It's a little confusing. You can customize the policy as you see fit.

The authorization is managed by Nova (see Nova's Authorization docs). The nova-permissions package does not handle this behavior.

viewAnyUser does not allow update or view user.

beshoo commented 1 year ago

If you disable viewAnyUser for a user, he cannot open "http://127.0.0.1:8000/dashboard/resources/users", but if you turn it on, the user can see "http://127.0.0.1:8000/dashboard/resources/users".

The problem is that if a user opens his profile in EDIT mode, "http://127.0.0.1:8000/dashboard/resources/users/2/edit", and edits the URL with another user's ID, e.g. "http://127.0.0.1:8000/dashboard/resources/users/1/edit",

then he can see and update that user's information.

If we deny the viewAnyUser permission in the policy, the user cannot see the User resource at all: 'http://127.0.0.1:8000/dashboard/resources/users' gives me a 403 error.

leandrogehlen commented 1 year ago

But the staff role has permission to view/edit users? I believe the problem is that you don't understand the policy concept.

You need something like:

```php
<?php

namespace App\Policies;

use Illuminate\Database\Eloquent\Model;
use Sereny\NovaPermissions\Policies\BasePolicy; // the package's base policy (namespace assumed; check your installed package)

class UserPolicy extends BasePolicy
{
    // Staff may only update their own record; every other role falls back to the package's permission check
    public function update(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $model->id === $user->id
            : parent::update($user, $model);
    }

    // Same rule for viewing a single record
    public function view(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $model->id === $user->id
            : parent::view($user, $model);
    }

    // viewAny, delete and the other abilities still follow the role's permissions via BasePolicy
}
```

leandrogehlen commented 1 year ago

> The problem is that if a user opens his profile in EDIT mode, "http://127.0.0.1:8000/dashboard/resources/users/2/edit", and edits the URL with another user's ID, e.g. "http://127.0.0.1:8000/dashboard/resources/users/1/edit"

This is happening because the Staff role has permission to edit a user. You need to remove the update permission from the Staff role.

beshoo commented 1 year ago

But how may staff edit their own data, like their password?

leandrogehlen commented 1 year ago

Using the code below will work fine.

You need to study more about Laravel policies.
```php
<?php

namespace App\Policies;

use Illuminate\Database\Eloquent\Model;
use Sereny\NovaPermissions\Policies\BasePolicy; // the package's base policy (namespace assumed; check your installed package)

class UserPolicy extends BasePolicy
{
    // Staff may only update their own record; every other role falls back to the package's permission check
    public function update(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $model->id === $user->id
            : parent::update($user, $model);
    }

    // Same rule for viewing a single record
    public function view(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $model->id === $user->id
            : parent::view($user, $model);
    }
}
```

beshoo commented 1 year ago

Well, I am using the policy provided with the documentation; I thought it would work out of the box!

Thank you for your response, I will test it out and let you know.

beshoo commented 1 year ago

@leandrogehlen, thank you so much for the information – it works just fine!

For anyone else who is experiencing this issue, I highly recommend using nova-permissions as a tool for securing your users in Nova. Just make sure to set up the policy correctly.
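The fix agreed on in this thread, written out as a complete policy together with a feature test that reproduces the tampered-URL case. This is an added example, not code from the nova-permissions package or from either participant. It assumes roles and permissions are Spatie laravel-permission models (hasRole(), assignRole(), givePermissionTo(), findOrCreate()), that the package's BasePolicy is Sereny\NovaPermissions\Policies\BasePolicy, that a User factory exists, that Nova's panel gate is opened in tests via Nova::auth(), and that Nova 4 serves the edit form's fields from /nova-api/{resource}/{id}/update-fields. Adjust these names to your installation.

```php
<?php
// Added example (not the package's or the thread's own code). See the assumptions above.

// ---- app/Policies/UserPolicy.php ----
namespace App\Policies;

use Illuminate\Database\Eloquent\Model;
use Sereny\NovaPermissions\Policies\BasePolicy; // assumed package namespace

class UserPolicy extends BasePolicy
{
    // viewAny is deliberately NOT overridden: staff keep the viewAnyUser permission so
    // /dashboard/resources/users loads at all; User::indexQuery() narrows the listing.
    // What protects a hand-edited /users/{id}/edit URL is the per-record check below.

    public function view(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $this->isSelf($user, $model)
            : parent::view($user, $model);
    }

    public function update(Model $user, $model)
    {
        return $user->hasRole('staff')
            ? $this->isSelf($user, $model)
            : parent::update($user, $model);
    }

    // Staff may edit themselves but never delete a user, not even their own account.
    public function delete(Model $user, $model)
    {
        return $user->hasRole('staff') ? false : parent::delete($user, $model);
    }

    public function forceDelete(Model $user, $model)
    {
        return $user->hasRole('staff') ? false : parent::forceDelete($user, $model);
    }

    private function isSelf(Model $user, $model): bool
    {
        // Compare primary keys, not object identity: Nova resolves a fresh instance per request.
        return (int) $model->getKey() === (int) $user->getKey();
    }
}

// ---- tests/Feature/UserPolicyTest.php ----
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Nova\Nova;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Tests\TestCase;

class UserPolicyTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();
        // Open the panel gate for every test user; the record-level policy is what is under test.
        Nova::auth(fn () => true);
    }

    private function staffWithViewAny(): User
    {
        // Constructed fixture: a "staff" role holding only the viewAnyUser permission.
        Permission::findOrCreate('viewAnyUser');
        Role::findOrCreate('staff')->givePermissionTo('viewAnyUser');
        $staff = User::factory()->create();
        $staff->assignRole('staff');
        return $staff;
    }

    public function test_staff_is_scoped_to_own_record(): void
    {
        $staff = $this->staffWithViewAny();
        $other = User::factory()->create();

        $this->assertTrue($staff->can('viewAny', User::class));
        $this->assertTrue($staff->can('view', $staff));
        $this->assertTrue($staff->can('update', $staff));
        $this->assertFalse($staff->can('view', $other));
        $this->assertFalse($staff->can('update', $other));
        $this->assertFalse($staff->can('delete', $staff));
    }

    public function test_tampered_edit_url_is_rejected_by_nova(): void
    {
        $staff = $this->staffWithViewAny();
        $other = User::factory()->create();

        // The edit page pulls its form from this endpoint; a foreign id must yield 403, own id 200.
        $this->actingAs($staff)
            ->getJson('/nova-api/users/' . $other->getKey() . '/update-fields')
            ->assertForbidden();
        $this->actingAs($staff)
            ->getJson('/nova-api/users/' . $staff->getKey() . '/update-fields')
            ->assertOk();
    }
}
```

Run with `php artisan test --filter UserPolicyTest`. The second test is the one that fails on the thread's original setup (staff role holding a blanket updateUser permission), because Nova authorizes the update-fields and update requests through the policy's update() for the specific record, not through indexQuery().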