viewAnyUser / updateUser Problem #5687

beshoo · 2023-07-05T14:02:06Z

beshoo
Jul 5, 2023

Laravel Version: 10.14.1
Nova Version: 4.26.3
PHP Version: 8.1
Database Driver & Version: MariaDB
Operating System and Version: Windows 10
Browser type and version: Firefox 115

Description:

Hi Dev,

I would like to describe a problem related to user access control authorization.
We have two user roles: admin and staff.

Admin can see all users, while staff can only see their own record in the 'http://127.0.0.1:8000/dashboard/resources/users' using the following code:

public static function indexQuery(NovaRequest $request, $query): \Illuminate\Database\Eloquent\Builder
 {
     $user = $request->user();
     if ($user) {
         if ($user->isSuperAdmin()) {
             // User is a super-admin, return the full query
             return $query;
         } else {
             // User is not a super-admin, return only their own record

             return $query->where('id', $user->id);
         }
     } else {
         return $query;
     }
 }

But we need to give the user "staff" : viewAnyUser in order to see the User resource 'http://127.0.0.1:8000/dashboard/resources/users' limit to his user_id!

The problem is that if a staff user opens his profile EDIT Mode "http://127.0.0.1:8000/dashboard/resources/users/2/edit" and edits the URL with another user's ID e.g "http://127.0.0.1:8000/dashboard/resources/users/1/edit",
Then he can see and update that user's information.

If we deny the viewAnyUser permission from the policy, the staff user cannot see the User resource at all 'http://127.0.0.1:8000/dashboard/resources/users' I got a 403 error.

How can we secure the panel?

Answered by beshoo

Jul 6, 2023

class UserPolicy extends BasePolicy {

    public function update(Model $user, $model)
    {
         return $user->hasRole('staff') 
              ? $model->id === $user->id
              : parent::update($user, $model);
    }
    
    public function view(Model $user, $model)
    {
         return $user->hasRole('staff') 
              ? $model->id === $user->id
              : parent::view($user, $model);
    }
}

View full answer

beshoo · 2023-07-06T04:17:50Z

beshoo
Jul 6, 2023
Author

class UserPolicy extends BasePolicy {

    public function update(Model $user, $model)
    {
         return $user->hasRole('staff') 
              ? $model->id === $user->id
              : parent::update($user, $model);
    }
    
    public function view(Model $user, $model)
    {
         return $user->hasRole('staff') 
              ? $model->id === $user->id
              : parent::view($user, $model);
    }
}

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

viewAnyUser / updateUser Problem #5687

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

viewAnyUser / updateUser Problem #5687

Uh oh!

beshoo Jul 5, 2023

Description:

Replies: 1 comment

Uh oh!

beshoo Jul 6, 2023 Author

beshoo
Jul 5, 2023

beshoo
Jul 6, 2023
Author