Just for completeness, the other options not mentioned are to apply the policies to the route using the 'can' middleware (my preferred approach), or through the authorize method of a custom request class (very useful if you need to reference related models present in request input params).
@arashpirhadi1326
2 years ago
I used this one before, it's very clean and useful 👍
@piotrnatkaniec961
2 years ago
This should be used in conjunction with UUIDs instead of auto-incrementing integers. Especially useful if you do not want to loosely disclose a value like how many users you have in the URL; additionally, having /profile/{uuid} instead of /profile/{id} prevents easily accessible web scraping. Possibly, in a highly strange scenario where you cannot additionally protect the ID on the backend (as it is coming from an external system and you cannot validate whether the user is the owner), you could pass the ID to the frontend through the crypt() method. That way it might be impossible to tamper with. Overall - great video.
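As an added illustration of the UUID suggestion above (example code written for this page, not code from the video or its author): a migration, a model using Laravel's HasUuids trait, and a controller that still runs the policy check, because a hard-to-guess key hides the sequence but is not authorization. Laravel 9.31 or newer, the tasks table, the created_by_id column and a TaskPolicy with a view ability are all assumptions; the three sections are separate files.

```php
<?php
// ---- database/migrations/2023_01_01_000000_create_tasks_table.php (constructed) ----
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

return new class extends Migration
{
    public function up(): void
    {
        Schema::create('tasks', function (Blueprint $table) {
            // CHAR(36) primary key. The primary key is itself the index the
            // {task} lookup uses, so no extra index is needed for that query.
            $table->uuid('id')->primary();
            $table->foreignId('created_by_id')->constrained('users');
            $table->string('title');
            $table->timestamps();
        });
    }

    public function down(): void
    {
        Schema::dropIfExists('tasks');
    }
};

// ---- app/Models/Task.php ----
namespace App\Models;

use Illuminate\Database\Eloquent\Concerns\HasUuids;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Str;

class Task extends Model
{
    // HasUuids: string, non-incrementing key filled in on create, and route
    // model binding returns 404 for a value that is not a well-formed UUID.
    use HasUuids;

    protected $fillable = ['title'];

    // HasUuids defaults to ordered (time-sortable) UUIDs, which are friendlier
    // to the index but still reveal creation order. Random v4 hides that too.
    public function newUniqueId(): string
    {
        return (string) Str::uuid();
    }
}

// ---- app/Http/Controllers/TaskController.php ----
namespace App\Http\Controllers;

use App\Models\Task;

class TaskController extends Controller
{
    // GET /tasks/{task}. The UUID only stops guessing; it does not prove
    // ownership, so the policy check stays exactly as with integer ids.
    public function show(Task $task)
    {
        $this->authorize('view', $task);   // TaskPolicy::view (assumed) decides

        return view('tasks.show', compact('task'));
    }
}
```

A UUID in the URL reduces enumeration and stops the "how many users do you have" leak, but any user who obtains a link (shared, logged, cached) still reaches the record, which is why the authorize() call is kept.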
@wildfireDZ
2 years ago
If you have a very large table, searching by UUID becomes slow. So you'll need to create an index for that, which can take space.
@orpheusohms
2 years ago
Policies are a way better approach if you ask me. If you want to pass a custom message you can use the auth Response facade using the allow() or deny() method, which takes an optional message and code parameter. With that you can pass any message or HTTP code. If you also want admins to be able to override those permissions, you can then use a function called "before", which would become the first function of that policy.
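The policy shape described in the comment above, written out as an added example for this page (not the video's code): a before() hook that lets admins through, deny() with a custom message and status code, and a not-found denial for the case where you would rather not confirm the record exists. Laravel 9 or newer, an is_admin column on users, and a Task model with created_by_id are assumptions.

```php
<?php
// ---- app/Policies/TaskPolicy.php (auto-discovered for App\Models\Task) ----
namespace App\Policies;

use App\Models\Task;
use App\Models\User;
use Illuminate\Auth\Access\Response;

class TaskPolicy
{
    // Runs before every ability on this policy. true = allow without calling
    // the ability method, null = fall through to it. Returning false here
    // would deny everything for non-admins, so return null, not false.
    public function before(User $user, string $ability): ?bool
    {
        return $user->is_admin ? true : null;   // is_admin column is an assumption
    }

    public function view(User $user, Task $task): Response
    {
        // Non-owners get a 404, so the response does not confirm the id exists.
        return $user->id === $task->created_by_id
            ? Response::allow()
            : Response::denyAsNotFound();
    }

    public function update(User $user, Task $task): Response
    {
        // Custom message and status. The message is shown to the caller, so it
        // should not carry internal detail.
        return $user->id === $task->created_by_id
            ? Response::allow()
            : Response::deny('You can only edit your own tasks.', 403);
    }

    public function delete(User $user, Task $task): Response
    {
        return $this->update($user, $task);
    }
}

// ---- app/Http/Controllers/TaskController.php ----
namespace App\Http\Controllers;

use App\Models\Task;
use Illuminate\Support\Facades\Gate;

class TaskController extends Controller
{
    public function edit(Task $task)
    {
        // Throws AuthorizationException on deny; nothing below runs for a non-owner.
        $this->authorize('update', $task);

        return view('tasks.edit', compact('task'));
    }

    public function show(Task $task)
    {
        // Gate::inspect() returns the Response instead of throwing, for code
        // that wants to branch on it or read the message.
        $response = Gate::inspect('view', $task);

        if ($response->denied()) {
            abort($response->status() ?? 403, $response->message() ?? '');
        }

        return view('tasks.show', compact('task'));
    }
}
```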
@phil86_
2 years ago
Great tutorial ... agree that Unauthorized is more clear for the end user
@kotakomputer4045
10 months ago
Very good video. Now I understand how to use Policy, thanks 👍
@sanjeewa247
2 years ago
Just what I was looking for. Thank you for the great content you provide.
@HadayatNiazi-xp1fz
A year ago
Thank you so much for the on-point video. I used the trait because sometimes, if I forgot to add the authorize method in a controller, it would be a security issue; by using the trait I don't need to manually apply authorize to each function.
@acemadebeats
A year ago
You are a life saver! Thank you so much!
@smith4591
2 years ago
If post has user_id field, then I'll use something simple in the controller. like abort_if(($post->user_id != auth()->user()->id), 403);
@FririkurEllefsen
10 months ago
Phenomenal! I use permissions and if auth user myself
@jacquesmatike9289
2 years ago
Global scope seems interesting, but sometimes when reading code, you don't know what's happening, why you get some result while the request is clear. It's like observers! The hidden actions under the hood!
@OfficialEgyWeb
2 years ago
The third method is the best in my opinion because it will also secure all other methods like delete and update as well as view
@MrAvatarvb
2 years ago
Hi, I think policies are the more flexible approach; we can specify the "actions" to secure. Thank you very much.
@emmanuelsiziba5142
2 years ago
I think it depends on the type of system you are creating. If it's a system to be used by different public users then I will go with 404, but if it's an organizational system a security message will be better, to avoid a situation where admins have to guess why the error...
@noplay6360
2 years ago
For me a mix of those versions is the best; you can just reuse the traits. But you don't really have any relations included in this one. So if a user belongs to the continent Europe, which is in the table continents, and then you have continent_items and the user should only see the items in their continent, there are limits with traits. Therefore you can't just reuse a trait.
@falcon4ik007
2 years ago
I want to add one more cool way that I prefer. Use authorize method in requests: return $this->user()->can('view', $this->task);
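The two options raised in the first comment of this thread and in the one just above, route-level 'can' middleware and a form request's authorize() method, as an added example written for this page (not the video's code). The form request is the place where a related model arriving in the input can be checked as well as the bound one. TaskPolicy and ProjectPolicy with an 'update' ability, a Project model and a project_id input are assumptions; the three sections are separate files.

```php
<?php
// ---- routes/web.php ----
use App\Http\Controllers\TaskController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->group(function () {
    // 'can:update,task' resolves the {task} binding and calls
    // TaskPolicy::update($user, $task) before the controller method runs.
    Route::get('/tasks/{task}/edit', [TaskController::class, 'edit'])
        ->middleware('can:update,task')
        ->name('tasks.edit');

    // Guarded by the form request below instead, because the check must
    // also look at a related model that comes from the request body.
    Route::put('/tasks/{task}', [TaskController::class, 'update'])
        ->name('tasks.update');
});

// ---- app/Http/Requests/UpdateTaskRequest.php ----
namespace App\Http\Requests;

use App\Models\Project;
use Illuminate\Foundation\Http\FormRequest;

class UpdateTaskRequest extends FormRequest
{
    // Runs before rules() are validated; returning false produces a 403.
    public function authorize(): bool
    {
        $user = $this->user();
        $task = $this->route('task');   // the bound Task model from the URL

        // project_id is attacker-controlled input: a user may own the task but
        // try to move it into a project that belongs to someone else, so the
        // target project is authorized too, not only the task.
        $project = Project::find($this->input('project_id'));

        return $user->can('update', $task)
            && $project !== null
            && $user->can('update', $project);
    }

    public function rules(): array
    {
        return [
            'title'      => ['required', 'string', 'max:255'],
            'project_id' => ['required', 'integer', 'exists:projects,id'],
        ];
    }
}

// ---- app/Http/Controllers/TaskController.php (update action) ----
namespace App\Http\Controllers;

use App\Http\Requests\UpdateTaskRequest;
use App\Models\Task;

class TaskController extends Controller
{
    public function update(UpdateTaskRequest $request, Task $task)
    {
        // Reaching this line means both policy checks in authorize() passed.
        $task->update($request->validated());

        return redirect()->route('tasks.edit', $task);
    }
}
```

Because authorize() runs before validation, a missing or non-numeric project_id ends in a 403 rather than a validation error; if that matters for the UX, validate first in the controller and authorize afterwards instead.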
@Arthur-bq5uk
2 years ago
How would you do this in a Livewire component? For example, a user could change the ID with dev tools from wire:click="edit(1)" to wire:click="edit(2)".
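One way to handle the Livewire case asked about above, as an added example written for this page (not the video's or Livewire's own code): the action argument from wire:click is treated as untrusted input and authorized inside the action, the same way a controller would. Livewire v2, a Task model with created_by_id and title, and a TaskPolicy with an 'update' ability are assumptions.

```php
<?php
// ---- app/Http/Livewire/TaskList.php ----
namespace App\Http\Livewire;

use App\Models\Task;
use Illuminate\Support\Facades\Gate;
use Livewire\Component;

class TaskList extends Component
{
    public ?int $editingId = null;
    public string $title = '';

    // The argument of wire:click="edit(1)" is sent by the browser and can be
    // changed to any value in dev tools. Load the row and authorize it here;
    // what the Blade template rendered is irrelevant to the server-side check.
    public function edit(int $id): void
    {
        $task = Task::findOrFail($id);
        Gate::authorize('update', $task);   // AuthorizationException -> 403 for non-owners

        $this->editingId = $task->id;
        $this->title = $task->title;
    }

    // Same rule on save: $editingId is public component state that round-trips
    // through the client, so it is re-checked before anything is written.
    public function save(): void
    {
        $task = Task::findOrFail($this->editingId);
        Gate::authorize('update', $task);

        $this->validate(['title' => ['required', 'string', 'max:255']]);
        $task->update(['title' => $this->title]);

        $this->editingId = null;
        $this->title = '';
    }

    public function render()
    {
        // Listing only the current user's tasks narrows what is displayed;
        // the Gate::authorize calls above are what actually stop a tampered id.
        return view('livewire.task-list', [
            'tasks' => Task::where('created_by_id', auth()->id())->latest()->get(),
        ]);
    }
}
```

Gate::authorize() is used rather than a trait method so the example does not depend on which traits the Livewire base Component mixes in; both end in the same AuthorizationException.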
@jacquesmatike9289
2 years ago
Hello, is it possible to make a video about guards? That notion is really weird and I don't really know how and when I can use it. Thanks for your time teaching us.
@LaravelDaily
2 years ago
I don't use guards. They should be used in very rare cases; in most cases you need gates and policies.
2 years ago
hello Povilas, I had a question. How do you control the relationship tables? For example, if a user has more than one customer, how do you go about authorizing that user?
@Flankymanga
2 years ago
5:54 Definitely not found error - because when user gets error message that he is not authorized, he can still deduce that item with that id exists - he just does not have a privileges to see it and execute actions on it. I would definitely rather give him doubts if the id he wanted to see even exists by showing him the not found error message.
@nadjinmalade8738
2 years ago
I prefer Global scope. I also use other methods to protect some data (in other PHP frameworks). The $id and a kind of Crypt($id+X), for example, are in the URL. So whenever a request comes to the controller, I check this condition before. Even if this is not the best practice, some kind of middleware is also a solution.
@GokuSan389
2 years ago
Hello, nice video. Just a question (new at PHP/Laravel, PHP 8.0): is there a reason why you're not using one line for the if statement instead of three? @02:38 if ($task->created_by_id != auth()->id()) abort(403); I use these if there is just one line in the if statement.
@LaravelDaily
2 years ago
Personal preference and code styling according to PSR
@GokuSan389
2 years ago
@LaravelDaily Thanks for the fast response.
@emekatimothyiloba699
2 years ago
I prefer using the Laravel Policy Method
@richardalain2988
2 years ago
Great info! Thanks
@elhousseyn_arab
2 years ago
For me, I use the can method to write my own exception in the case of APIs.
@hassanfazeel2354
2 years ago
I use gates with request.
@NotBeHaris
2 years ago
Great content.
@alexaverkiyev9099
2 years ago
I think you already covered this in your Laravel Roles And Permissions video
@LaravelDaily
2 years ago
Well yeah, after 800+ videos I started repeating myself a bit, but I'm trying to talk about the same topic from another angle. You would be surprised how many people hear it from this angle for the first time, and are thankful for the video.
@alexaverkiyev9099
2 years ago
I think you can make some courses from your already existing youtube videos, just grouping them and ordering and it would do well for many people. Some $5-10 course, as a 'tip' for grouping info for other people, since most of them are really lazy to search.
@LaravelDaily
2 years ago
I'm already kinda doing it, many of my courses are just grouped and re-shot videos that were on KZitem in some form. But also, a lot of people don't watch many of my videos, there are a lot of one timers.
@ДанилКравцив
2 years ago
Does the bootXYZ() static function work in Laravel 9? Because I don't get any reaction from my code :(
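The global-scope trait that several comments in this thread refer to (the "third method", the one that hides the filter "under the hood", and the bootXYZ() question just above), written out as an added example for this page rather than the video's code. Eloquent's Model::bootTraits() calls a static boot{TraitName}() for every trait the model uses, in Laravel 9 as in earlier versions; the name has to match the trait name exactly, and a mismatch is not an error, the method is just never called. A Task model with a created_by_id column is an assumption; the two sections are separate files.

```php
<?php
// ---- app/Models/Concerns/OwnedByCurrentUser.php ----
namespace App\Models\Concerns;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

trait OwnedByCurrentUser
{
    // Must be named boot + the trait's short name (OwnedByCurrentUser).
    public static function bootOwnedByCurrentUser(): void
    {
        static::addGlobalScope('owner', function (Builder $builder) {
            // Artisan commands, queue jobs and tests have no authenticated
            // user. Fail closed: returning no rows beats returning everyone's.
            if (! auth()->check()) {
                $builder->whereRaw('1 = 0');
                return;
            }

            // Qualified column name so the scope survives joins.
            $builder->where(
                $builder->getModel()->qualifyColumn('created_by_id'),
                auth()->id()
            );
        });

        // Stamp the owner on create so a client cannot mass-assign someone
        // else's id through the request body.
        static::creating(function (Model $model) {
            $model->created_by_id = auth()->id();
        });
    }
}

// ---- app/Models/Task.php ----
namespace App\Models;

use App\Models\Concerns\OwnedByCurrentUser;
use Illuminate\Database\Eloquent\Model;

class Task extends Model
{
    use OwnedByCurrentUser;

    protected $fillable = ['title'];
}

// Effect: Task::findOrFail($id) and route model binding return 404 for another
// user's id, and Task::query()->update() / ->delete() stay confined to the
// current user's rows. Code that legitimately needs everything (admin screens,
// console jobs) has to opt out explicitly:
//
//   Task::withoutGlobalScope('owner')->get();
```

The explicit opt-out is the price of the "hidden" behaviour the thread complains about: grep for withoutGlobalScope('owner') and you have the full list of places where the ownership filter is bypassed.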
@webtutorialIndia
2 years ago
Hi Povilas, I have one question: how can one replace the database ID key with a more secure string or number in the browser URL? I have checked on the net but found no solution.
@LaravelDaily
2 years ago
Search for uuid
@ZhanOmar
2 years ago
I always do it by $task = auth()->user()->tasks()->findOrFail($id); but in my opinion it’s not so elegant and I can’t use route model bindings.
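Authorization through a relationship rather than a user_id column, as asked about earlier in the thread (a user with several customers; items visible only within the user's continent) and as an alternative to the findOrFail-through-the-relationship pattern in the comment just above. This is an added example written for this page, not the video's code. Customer and ContinentItem models, a customer_user pivot behind User::customers(), and continent_id columns on users and continent_items are assumptions; the three sections are separate files.

```php
<?php
// ---- app/Policies/CustomerPolicy.php ----
namespace App\Policies;

use App\Models\Customer;
use App\Models\User;

class CustomerPolicy
{
    // Membership lives in the pivot table, not in a column on customers,
    // so the policy asks the relationship instead of comparing a user_id.
    // whereKey() qualifies the key with the table name, so it is safe
    // across the pivot join.
    public function view(User $user, Customer $customer): bool
    {
        return $user->customers()->whereKey($customer->getKey())->exists();
    }

    public function update(User $user, Customer $customer): bool
    {
        return $this->view($user, $customer);
    }
}

// ---- app/Policies/ContinentItemPolicy.php ----
namespace App\Policies;

use App\Models\ContinentItem;
use App\Models\User;

class ContinentItemPolicy
{
    // Both sides carry a continent_id, so the check is a comparison through
    // the parent. The null guard stops "no continent" matching "no continent".
    public function view(User $user, ContinentItem $item): bool
    {
        return $user->continent_id !== null
            && $user->continent_id === $item->continent_id;
    }
}

// ---- app/Http/Controllers/CustomerController.php ----
namespace App\Http\Controllers;

use App\Models\Customer;
use Illuminate\Http\Request;

class CustomerController extends Controller
{
    // Lists: build the query through the relationship so other users' rows
    // never leave the database in the first place.
    public function index(Request $request)
    {
        $customers = $request->user()->customers()->latest()->paginate();

        return view('customers.index', compact('customers'));
    }

    // Single record: route model binding (GET /customers/{customer}) can stay,
    // with the policy doing the relationship check. The explicit
    // $request->user()->customers()->findOrFail($id) form gives a 404 instead
    // of a 403, which is the trade-off to decide on, not a correctness difference.
    public function show(Customer $customer)
    {
        $this->authorize('view', $customer);

        return view('customers.show', compact('customer'));
    }
}
```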
@vidhyaprakash85
2 years ago
4:31 How to let admins pass without verifying this?
@NotBeHaris
2 years ago
What about the ID in the URL? Do we use UUID or any other option?
@LaravelDaily
2 years ago
Yes, you may use UUID if you want to hide the real IDs.
@nikkolumahang
2 years ago
Policies for me
@belidaiker.1368
A year ago
Mine is different; what should I type in my code? Because I have no idea. This is my code: public function order() { $order = Order::all(); if (Auth::id()) { ... } else { ... } } and my web.php is Route::get('/order', [AdminController::class, 'order']);
Comments: 56