I wondering if Laravel has some kind of functionality where i can hide or disable parts of my webpage if the user doesn’t have any kind permission. For example:
I have a navigation button named "Feedback"
<a class="btn btn-secondary" href="/feedback">Feedback</a>
now we have a user admin and manager, admin can see or click the button but not the manager. I also thought of just using if else but just wondering if there are ways to do this efficiently.
2
Answers
Sure, you can use the @can directive.
Then you would ideally have a policy for the Feedback model:
FeedbackPolicy.php
I don’t have enough reputation to comment on Luca’s solution suggestions so that’s why I’m writing another as his suggestion is not secure.
Policies
In Laravel you have policies. Policies are a class that allows you to define logic that is used to determine if a user is allowed to do something, such as view a post. The documentation has some really clear examples of how to write policies to handle this logic: Writing Policies
Laravel conveniently also includes some ways of using this logic when designing a page. What it does is allow you to choose what is displayed on the page depending on the policies you’ve created.
You can do this by placing some parts of the view inside a pair that look like this @can and @endcan, these are called Blade Directives. Here’s some documentation on the Blade Directives that are available for authentication logic: Blade Components Policies
Why we need to do more
Creating a policy and hiding something in a view doesn’t actually do anything for your security.
It improves UX as you don’t want to show items that aren’t applicable to the current user, but that’s all it does.
If you used this to not render some confidential data by only hiding it in the View it’s problematic because with Livewire you’ve already sent this data to the user. They can find it within 30 seconds by opening up the Chrome Dev Tools tab and just view the network tab which would reveal this data.
In your example if a user just typed in website.com/feedback they’d still be able to get to the page and see it.
If we’re using Livewire to perform any logic in the component it’s self and not the view we need to write something in there.
We can do that by using the authorize function that comes with the component class. This is because when you create a component it extends the base livewire component class that which enables you to do things like $this->dispatch.
This is an example from the Livewire documentation of authorising that a user has the rights to perform an action.
I would recommend reading through this part of the Livewire documentation as getting this wrong could be costly for you and any of your users.
Security | Livewire
Now, the original question raised was a menu item that was using the Anchor HTML Tag.
If you also want to prevent the user from visiting the page then the easiest way to do this is define a middleware for the route you want to protect:
The example above is not using anything not included in the framework by default other than the Post model. You can find that exact example in the documentation that goes more in depth: Authorization via Middleware
If you combine hiding the menu item and registering a Middleware on the route that is enough for this specific scenario, but digest the Security documentation for Livewire & Laravel if you intend to implement more logic based on authentication and permissions.