I've installed Laravel Nova and have it working 100%, however I can login in to production without having to authenticate?
if I go to mydomain.com/admin/login (I have 'path' => '/admin/login'; set in my config/nova.php) it takes me straight to the dashboard and I see 'Nova User' in the top right hand corner, it doesn't ask me for the username and password. However, if I go to mydomain/admin/login/login I'm asked for U and P, I login with my user credentiails, it takes me to the dashboard and shows my name in the top right hand corner correctly.
How do I prevent the non-authenticated access? This is what I have in the gate() method of my NovaServiceProvider (this is just a test email, I have my real email address in the live code): -
Gate::define('viewNova', function ($user) {
return in_array($user->email, [
'myemail#domain.com'
]);
});
I have updated the gate, cleared the cache and config.
Related
I am trying to test my Vue.js app authentication.
Assume, a user log in and to go to his profile the link would look like this.
https://website.com/profile/1
He can get to his page but what if he is a hacker and if he tried to type
https://website.com/profile/2
which will go to the profile of another person.
How can I redirect this hacker to the login page if he tried to go to a URL that does not belong to his profile?
Right now, I can stop him from viewing another people profile but still, he is still in the profile link even if he typed
https://website.com/profile/2
What I am trying to accomplish is that if users type a link that does not belong to his or her but which is valuable to other people it will redirect to the login page.
I am not storing User Data on the client side.
Firstly, you have to assume that the user is able to manipulate the webpage in any way and access all data stored on the client side. So you should not be storing sensitive data on the client that you do not want the user to access. (You may not be doing this, but I thought I should point it out.)
I assume you have a Profile component. You can use Vue Router navigation guards to authorize the transition and abort or redirect it if it is disallowed.
If the user is logged in then you are probably storing information about the logged in user on the client. You can use this to check if the profile page being visited belongs to the logged in user.
In your Profile component:
beforeRouteEnter(to, from, next) {
if (!loggedInUser) {
// User not logged in
next('/')
} else if (loggedInUser.id !== to.params.userId) {
// User is accessing profile page of another user, redirect
// to their profile page instead
next({ params: { userId: loggedInUser.id } })
} else {
next()
}
}
This is just an example of what you can do, I can't give a specific answer without knowing exactly how your app works.
I like to build a to do list for multi company on one server. I build a to do list, but now I like to "scale" to app to different "sub servers"
I like to explain it by this example
Start: example.com - There is a login button. When you enter your account you are redirect to a subdomain
company1.example.com Here is the to do list for company 1. This company uses his own database for example mongodb://localhost:27017/compagny1
When I direct go to company1.example.com without a login I will be redirected to example.com
I this possible or is there a other way to set user and database for meteor. I don't like to have multi servers for example: localhost:3001 localhost:3002 etc
Thank you for giving me a direction for this question
I would do something similar:
add user field to store company name.
(eg. user.company = company1)
use iron router and put a onBeforeAction to the page that user is redirected after login
onBeforeAction: function (pause) {
if (Meteor.user()) { // only if user is logged in
var comp = Meteor.user().company
if(comp == 'company1'){
this.render('company1'); // will render example.com/company1 if setup
}
// pause this rendering of the rest of the before hooks and the action function
pause();
}
},
Update: i do not think many databases would be great. I better recomend making separate collections for each companys todos and subscribe them individually.
I am in the middle of making an app using a PHP web service to log users in/authenticate their credentials.
I am using localStorage (part of phonegaps local storage API) to ensure the user doesnt have to keep logging in when they open the app. This is done by storing the username and password on local storage and checking it when the app opens. If they feel the need to log out I have a simple logout button binded to a tap event which clears their local storage.
$( '#logout' ).live( 'tap',function(event){
window.localStorage.clear();
$.mobile.changePage("#loginPage", {transition: "none"});
});
BUT... when logged out, they are still able to click the back button on the phone and get into the secure area, which doesnt make sense because the "welcome, (username)" part is all messed up etc...
Im wondering if there is a way to ensure that what ever page they open does some sort of check to make sure theyre logged in??
Bind into the pagebeforeshow event of the pages to check if the user is logged on - check if credentials are present in local storage.
If user is not logged on you can either call preventDefault to stop the pageChange or better redirect the user to a loggedOffPage by modifying the toPage passed into the handler.
Refer the Page change events section on JQM Events page.
I'm having a very weird issue with user logins.
I'm building a site where all the content/menus are only available after you login.
I made a 'login' through the Modules and assign it the "userlogin" position.
Now when I go to the home page or any page, the login box comes up, but there's also a second login form. It seems to be coming from com_user.
This com_user login form doesn't work. I can't login using any credentials. If it was working I can simply remove my login module.
Is there a way I can either:
get com_user to work with normal user logins
or
disable this and so I can only see the Module login.
I can hide it from CSS, but I want to know where it's coming from.
Check the menu link which you have created should be public.
If these are not public then whenever user clicks it, he/she will be asked for login. Thats why the second login option is coming up.
Any one know how to go back to the "last page" after a user is presented the login screen and chooses to create a new account?
Basically the sequence is this:
User tries to get to protected content
Redirected to login page
If he logs in he is redirected to original page
If he chooses "create new account" and fills it out, he is redirected to the home page
How do we get him automatically redirected to the original page (not a static page).
There are several ways to go about this. The most straight-forward is to have a login link somewhere in the navigation that appends the destination to the url. The code for this is something like:
<?php
if (user_is_anonymous()) {
$link = l(t('Login'), 'user/login', array('query' => drupal_get_destination()));
}
?>
You can also set a custom access denied page at admin/settings/error-reporting that could either go to a callback that outputs the above code, or to a simple php node that outputs that code.
Additionally, the user login block provided with Drupal core uses the same method to redirect a successful login back to the originating page.
Edit: Note that the above methods will rarely work for registration, because there are more steps involved there. Specifically, when a user needs to verify an email address, passing the originating destination along via the email would involve modifying the core user registration process.
It will potentially still work on a site configured to not verify email addresses. The idea then would be to provide 2 links: 1 for login and the other for registration, both passing along destination information.
LoginToboggan may also be worth pursuing, although it doesn't yet offer the exact registration feature you're looking for.
straight php would be to include a header of this form:
<?php header("Location: " . $_SERVER['HTTP_REFERER']); ?>
for more information refer to the php manual
EDIT:
you can also include a hidden field in your form and set it to
$url = $_SERVER['PHP_SELF']; // or HTTP_REFERER depending on the setup
include the header code snipped to your registration form.