Sunday 25 November 2018

How to authenticate a certain role to a specific data record in Laravel 5?

I have an HR system which contains records of staff at different levels: 'pegawai', 'APR', 'KTA', 'PTK', in departments.

I have created a few roles with different permission levels. Permission is based on the staff levels and departments.

  1. superadmin - can access all records
  2. admin department - can access records in its department
  3. general admin - can access records for 'pegawai', 'APR', 'KTA' only, in all departments
  4. admin KTAK - can access records for 'PTK' only.

I have created the permission access using this controller function:

    public function index()
    {
        if (Auth::user()->hasPermissionTo('View Pegawai')) {
            if (Auth::user()->hasPermissionTo('View APR')) {
                if (Auth::user()->hasPermissionTo('View KTA')) {
                    if (Auth::user()->hasPermissionTo('View PTK')) {
                        if (Auth::user()->hasPermissionTo('All Sections')) {
                            // superadmin access
                            $itemregistrations = DB::table('itemregistrations')
                                ->join('sections', 'itemregistrations.sectionid', '=', 'sections.sectionid')
                                ->join('categories', 'itemregistrations.categoryid', '=', 'categories.categoryid')
                                ->join('operasi', 'itemregistrations.operasiid', '=', 'operasi.operasiid')
                                ->select('itemregistrations.ItemRegistrationID', 'itemregistrations.name', 'itemregistrations.Nobadan', 'sections.sectionname', 'categories.categoryname', 'operasi.operasiname')
                                ->get();

                            return view('profil.index', compact('itemregistrations'));
                        } elseif (Auth::user()->hasPermissionTo('By Section')) {
                            // admin department access
                            $section = Auth::user()->section;

                            $itemregistrations = DB::table('itemregistrations')
                                ->join('sections', 'itemregistrations.sectionid', '=', 'sections.sectionid')
                                ->join('categories', 'itemregistrations.categoryid', '=', 'categories.categoryid')
                                ->join('operasi', 'itemregistrations.operasiid', '=', 'operasi.operasiid')
                                ->select('itemregistrations.*', 'sections.sectionname', 'categories.categoryname', 'operasi.operasiname')
                                ->where('itemregistrations.sectionid', '=', $section)
                                ->get();
                            // dd($itemregistrations);

                            return view('profil.index', compact('itemregistrations'));
                        }
                    }

                    // general admin access
                    if (!Auth::user()->hasPermissionTo('View PTK')) {
                        $ids = [1, 2, 3];

                        $itemregistrations = DB::table('itemregistrations')
                            ->join('sections', 'itemregistrations.sectionid', '=', 'sections.sectionid')
                            ->join('categories', 'itemregistrations.categoryid', '=', 'categories.categoryid')
                            ->join('operasi', 'itemregistrations.operasiid', '=', 'operasi.operasiid')
                            ->select('itemregistrations.*', 'sections.sectionname', 'categories.categoryname', 'operasi.operasiname')
                            ->whereIn('itemregistrations.categoryid', $ids)
                            ->get();
                        // dd($itemregistrations);

                        return view('profil.index', compact('itemregistrations'));
                    }
                }
            }
        } elseif (!Auth::user()->hasPermissionTo('View Pegawai')) {
            // admin KTAK access
            if (Auth::user()->hasPermissionTo('View PTK')) {
                $ids = [4];

                $itemregistrations = DB::table('itemregistrations')
                    ->join('sections', 'itemregistrations.sectionid', '=', 'sections.sectionid')
                    ->join('categories', 'itemregistrations.categoryid', '=', 'categories.categoryid')
                    ->join('operasi', 'itemregistrations.operasiid', '=', 'operasi.operasiid')
                    ->select('itemregistrations.*', 'sections.sectionname', 'categories.categoryname', 'operasi.operasiname')
                    ->whereIn('itemregistrations.categoryid', $ids)
                    ->get();

                return view('profil.index', compact('itemregistrations'));
            }
        }
    }

The controller returns the http://127.0.0.1:8000/profil page. On this page, the list is displayed according to the controller function above. On the page, the user can click on a name to display the details of that staff member.

This is the route for the page:

    Route::group(['middleware' => ['web', 'auth']], function () {
        // main profile
        Route::resource('profil', 'Modul\ProfilController');

        // view staff details
        Route::get('/view_profil/{id}', 'Modul\ProfilController@show')->name('viewProfil');
    });

My problem is with the second route, // view staff details: Route::get('/view_profil/{id}', 'Modul\ProfilController@show')->name('viewProfil');

The data is displayed with this URL, for example:

http://127.0.0.1:8000/view_profil/3

However, when I change the ID number at the end ('3') to

http://127.0.0.1:8000/view_profil/7

The page will display the details of the staff member with ID 7. Supposedly, with the admin department role, he/she should not be able to view that staff data because he/she is from a different department.

What can I use to secure the data according to the role? I have used

    @if(Auth::check())
        {{-- display data here.... --}}
    @endif
    @if(Auth::guest())
        <a href="/login" class="btn btn-info">You have no access.</a>
    @endif

But it doesn't work. The data can still be displayed without authenticating the role.



via Chebli Mohamed
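The server-side check the question is asking for, as an added example that is not part of the original post. The Blade `@if(Auth::check())` only tests whether someone is logged in; it says nothing about which rows that user may see, so the decision has to be made in the controller before the record is rendered. The example below applies one filter to both the list and the detail query, so a record that does not appear in the list cannot be reached by editing the id in the URL. It assumes the tables and columns shown in the question (`itemregistrations.sectionid`, `itemregistrations.categoryid`, `itemregistrations.ItemRegistrationID`), the `Auth::user()->section` attribute, the permission names from the question, `hasPermissionTo()` from spatie/laravel-permission, category ids 1 to 4 for pegawai, APR, KTA and PTK as in the question's `$ids` arrays, and a `profil.show` view; all of these are assumptions taken from the post, not verified against the project.

```php
<?php
// Added example, not code from the original post. Assumes the tables, column
// names, User->section attribute and permission names shown in the question,
// spatie/laravel-permission for hasPermissionTo(), category ids 1..4 for
// pegawai/APR/KTA/PTK (from the question's $ids arrays) and a 'profil.show' view.

namespace App\Http\Controllers\Modul;

use App\Http\Controllers\Controller;
use Illuminate\Database\Query\Builder;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;

class ProfilController extends Controller
{
    // Assumed mapping: which 'View ...' permission unlocks which categoryid.
    private const CATEGORY_PERMISSIONS = [
        'View Pegawai' => 1,
        'View APR'     => 2,
        'View KTA'     => 3,
        'View PTK'     => 4,
    ];

    // The joined query both the list page and the detail page start from.
    private function baseQuery(): Builder
    {
        return DB::table('itemregistrations')
            ->join('sections', 'itemregistrations.sectionid', '=', 'sections.sectionid')
            ->join('categories', 'itemregistrations.categoryid', '=', 'categories.categoryid')
            ->join('operasi', 'itemregistrations.operasiid', '=', 'operasi.operasiid')
            ->select('itemregistrations.*', 'sections.sectionname',
                     'categories.categoryname', 'operasi.operasiname');
    }

    // Narrow a query to the rows $user is allowed to see. The same filter is
    // used for index() and show(), so the detail page can never return a row
    // that the list would have hidden.
    private function visibleTo(Builder $query, $user): Builder
    {
        // Department restriction: 'All Sections' lifts it, 'By Section' pins
        // the user to their own department. Anyone else is all-department
        // (general admin and admin KTAK in the question).
        if (! $user->hasPermissionTo('All Sections')
            && $user->hasPermissionTo('By Section')) {
            $query->where('itemregistrations.sectionid', '=', $user->section);
        }

        // Staff-level restriction: collect the categories the user may view.
        $allowed = [];
        foreach (self::CATEGORY_PERMISSIONS as $permission => $categoryId) {
            if ($user->hasPermissionTo($permission)) {
                $allowed[] = $categoryId;
            }
        }

        // whereIn with an empty array compiles to "0 = 1", so a user with no
        // 'View ...' permission at all gets no rows instead of every row.
        return $query->whereIn('itemregistrations.categoryid', $allowed);
    }

    public function index()
    {
        $itemregistrations = $this->visibleTo($this->baseQuery(), Auth::user())->get();

        return view('profil.index', compact('itemregistrations'));
    }

    // Handles both GET /profil/{id} (from the resource route) and
    // GET /view_profil/{id}. The record is looked up through the same filter,
    // so the check happens server-side before anything is rendered.
    public function show($id)
    {
        $itemregistration = $this->visibleTo($this->baseQuery(), Auth::user())
            ->where('itemregistrations.ItemRegistrationID', '=', $id)
            ->first();

        // A record outside the user's scope looks the same as a missing one:
        // 404 for both, so the response does not reveal which ids exist.
        abort_if($itemregistration === null, 404);

        return view('profil.show', compact('itemregistration'));
    }
}
```

With this in place, http://127.0.0.1:8000/view_profil/7 returns 404 for an admin department user whose `section` differs from record 7's `sectionid`, while index() produces the same four result sets as the nested ifs in the question (superadmin: everything; admin department: own section; general admin: categories 1, 2, 3; admin KTAK: category 4). If the records are later moved to an Eloquent model, the same rule can live in a Laravel Policy and be invoked with `$this->authorize('view', $record)` in show(); what matters is that the check runs in the controller or policy on every request, not in the template.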
