I am updating a Laravel 5.2 project to restrict access based on an array of allowed user ids that I am extracting from an SSO token. The setup of my application is that there is a custom middleware class created to handle SSO stuff. I want users whose ids are in the restricted array to not be able to access certain pages. It works half-way: users whose ids are considered restricted can allow access an array of pages. However, those pages use API calls, and while the users can access those pages, when they view them the pages are broken because the API calls are being restricted.
Here's the relevent piece of code in my middleware:
//Check to see if user is limited access user
$user_id = $request->server('ssotokenid');
if(in_array($user_id, $this->restrictedUsers))
{
//If restricted user, ensure that requested page is within allowable access array
$uri = $request->path();
//If allowed page
if(in_array($uri, $this->allowedPagesArray))
return $next($request);
else
return redirect('/restricted-landing-page');
}
//Continue on to oher stuff here...this works fine
Here is an example of a page in my routes.php; note that I am using the controller method instead of get:
Route::controller('/subdashboard/subpage', 'Dashboard\PageController');
Here is an example of some methods within this controller:
class PageController extends DataController
{
protected $dashboard = 'my-dashboard';
protected $page = 'my-page';
private $table = 'my-db-table';
/**
* Render page
*
* @param \Illuminate\Http\Request $request
*
* @return \Illuminate\View\View
*/
public function getIndex()
{
return view("$this->dashboard/$this->page", [
'appUrl' => $this->rootPath,
]);
}
/**
* An example method and first API call that runs when the page loads
* @param none
* @return array
*/
public function getData()
{
$data= $this->db->table($this->table)
->lists('myfield');
return response()->json($data);
}
My view file for the page pulls in a js file. The first thing that loads is an API call to the getData method in the controller. Example:
function init()
{
//This should call the getData method in the above controller
//This fails here
$.getJSON(apiURL + '/data/')
.done( function(returnData) {
//do stuff with json response
})
}
The above API call fails, because the HTTP request is resolving to the allowedpage/data URL. The user is able to go to allowedpage, but anything after that fails because instead of fetching data from allowedpage/data, the request is redirected to 'restricted-landing-page'.
I have tried to use strpos to determine if URL contains allowedpage, but that is not working.
//If allowed page
if(in_array($uri, $this->allowedPagesArray))
return $next($request);
else
{
foreach($this->allowedPagesArrayas $page)
{
if(strpos($page, $uri) !== false)
return $next($request);
}
return redirect('/restricted-landing-page');
}
Does anyone have any ideas on how to resolve this?
via Chebli Mohamed
Aucun commentaire:
Enregistrer un commentaire