
I'm wondering if Laravel has some kind of functionality where I can hide or disable parts of my webpage if the user doesn't have any kind of permission. For example:
I have a navigation button named "Feedback"

<a class="btn btn-secondary" href="/feedback">Feedback</a>

Now we have two user types, admin and manager: the admin can see or click the button, but the manager can't. I also thought of just using if/else, but I'm wondering if there are ways to do this efficiently.

2 Answers


  1. Sure, you can use the @can directive.

    @can('see', App\Models\Feedback::class)
        <a class="btn btn-secondary" href="/feedback">Feedback</a>
    @endcan
    

    Then you would ideally have a policy for the Feedback model:

    FeedbackPolicy.php

    // Policy method that the @can('see', ...) directive above calls.
    // Assumes the User model exposes a `type` attribute compared against a UserType enum.
    public function see(Authenticatable $user): bool
    {
        return $user->type === UserType::ADMIN;
    }
    
  2. I don’t have enough reputation to comment on Luca’s solution suggestions so that’s why I’m writing another as his suggestion is not secure.

    Policies

    In Laravel you have policies. Policies are a class that allows you to define logic that is used to determine if a user is allowed to do something, such as view a post. The documentation has some really clear examples of how to write policies to handle this logic: Writing Policies

    Laravel conveniently also includes some ways of using this logic when designing a page. What it does is allow you to choose what is displayed on the page depending on the policies you’ve created.

    You can do this by placing some parts of the view inside a pair that look like this @can and @endcan, these are called Blade Directives. Here’s some documentation on the Blade Directives that are available for authentication logic: Blade Components Policies

    Why we need to do more

    Creating a policy and hiding something in a view doesn’t actually do anything for your security.

    It improves UX as you don’t want to show items that aren’t applicable to the current user, but that’s all it does.

    If you used this to not render some confidential data by only hiding it in the View it’s problematic because with Livewire you’ve already sent this data to the user. They can find it within 30 seconds by opening up the Chrome Dev Tools tab and just view the network tab which would reveal this data.

    In your example if a user just typed in website.com/feedback they’d still be able to get to the page and see it.

    If we’re using Livewire to perform any logic in the component itself and not the view, we need to write something in there.

    We can do that by using the authorize function that comes with the component class. This is because when you create a component it extends the base Livewire component class, which enables you to do things like $this->dispatch.

    This is an example from the Livewire documentation of authorising that a user has the rights to perform an action.

    public function delete($id)
    {
        $post = Post::find($id);

        // Throws an AuthorizationException (403) unless the PostPolicy allows it
        $this->authorize('delete', $post);

        $post->delete();
    }
    

    I would recommend reading through this part of the Livewire documentation as getting this wrong could be costly for you and any of your users.
    Security | Livewire

    Now, the original question raised was a menu item that was using the Anchor HTML Tag.

    If you also want to prevent the user from visiting the page then the easiest way to do this is define a middleware for the route you want to protect:

    Route::put('/post/{post}', function (Post $post) {
        // The current user may update the post...
    })->middleware('can:update,post');
    

    The example above is not using anything not included in the framework by default other than the Post model. You can find that exact example in the documentation that goes more in depth: Authorization via Middleware

    If you combine hiding the menu item and registering a Middleware on the route that is enough for this specific scenario, but digest the Security documentation for Livewire & Laravel if you intend to implement more logic based on authentication and permissions.

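The two answers each show one layer (the `@can` directive and policy in the first, the route middleware and Livewire `authorize` call in the second). Below is an added example, not code from either answer or from Laravel/Livewire themselves, that wires all three layers to one policy ability so they cannot drift apart. It concatenates several files, marked by comments, and assumes a `User` model with a `role` string column, a `Feedback` model with a factory-backed table, and Livewire installed; the class and route names are illustrative.

```php
<?php
// --- app/Policies/FeedbackPolicy.php ---
namespace App\Policies;

use App\Models\User;

class FeedbackPolicy
{
    // One ability name ('view') shared by the Blade directive, the route
    // middleware and the Livewire component, so there is a single decision point.
    public function view(User $user): bool
    {
        return $user->role === 'admin';   // assumption: a `role` column on users
    }
}

// --- app/Providers/AppServiceProvider.php, inside boot() ---
// Laravel auto-discovers App\Policies\FeedbackPolicy for App\Models\Feedback;
// the explicit mapping is shown so the link between model and policy is visible.
use App\Models\Feedback;
use App\Policies\FeedbackPolicy;
use Illuminate\Support\Facades\Gate;

Gate::policy(Feedback::class, FeedbackPolicy::class);

// --- routes/web.php ---
// Server-side enforcement: a manager who types /feedback directly receives 403,
// whether or not the menu item was rendered for them.
use Illuminate\Support\Facades\Route;

Route::get('/feedback', App\Livewire\FeedbackPage::class)
    ->middleware(['auth', 'can:view,' . Feedback::class])
    ->name('feedback');

// --- resources/views/layouts/app.blade.php (Blade markup, shown as a comment) ---
// @can('view', App\Models\Feedback::class)
//     <a class="btn btn-secondary" href="{{ route('feedback') }}">Feedback</a>
// @endcan

// --- app/Livewire/FeedbackPage.php ---
namespace App\Livewire;

use App\Models\Feedback;
use Livewire\Component;

class FeedbackPage extends Component
{
    // Livewire actions arrive through Livewire's own endpoint, not through the
    // GET route above, so the component re-checks the same ability before acting.
    public function delete(int $id): void
    {
        $feedback = Feedback::findOrFail($id);
        $this->authorize('view', $feedback);   // AuthorizationException (403) if denied
        $feedback->delete();
    }

    public function render()
    {
        return view('livewire.feedback-page', ['items' => Feedback::all()]);
    }
}

// --- tests/Feature/FeedbackAccessTest.php ---
// Proves the route layer holds even when the link is never rendered.
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class FeedbackAccessTest extends TestCase
{
    use RefreshDatabase;

    public function test_manager_is_forbidden_from_feedback_page(): void
    {
        $manager = User::factory()->create(['role' => 'manager']);
        $this->actingAs($manager)->get('/feedback')->assertForbidden();
    }

    public function test_admin_can_open_feedback_page(): void
    {
        $admin = User::factory()->create(['role' => 'admin']);
        $this->actingAs($admin)->get('/feedback')->assertOk();
    }
}
```

Run the feature test with `php artisan test --filter FeedbackAccessTest`. The useful property is that changing the rule in `FeedbackPolicy::view` changes the menu, the route and the component at once; the test on the route is what catches a regression where someone later removes the middleware but leaves the `@can` in place, which would look fine in the browser while being open to anyone who knows the URL.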