Linking Spatie Permissions to Backpack UI show/hide - laravel-backpack

New to Laravel and Backpack here, but trying to integrate the PermissionManager with Backpack. I've got it all installed and showing the Users/Permissions/Roles in the UI, however I was unable to figure out how to show/hide buttons and functionality in the Backpack UI based on those permissions. I'm hoping someone can comment on the solution I came up with or if there is something else that should be used.
Note, this is really about showing and hiding UI elements, not the actual policies (which I am handling separately using the "can" functions in my controllers, routes, etc.)
My solution:
In my EntityCrudController, I use a trait I made called CrudPermissionsLink, then in setup() I call the function I made:
public function setup()
{
CRUD::setModel(\App\Models\ProgramUnit::class);
CRUD::setRoute(config('backpack.base.route_prefix') . '/programunit');
CRUD::setEntityNameStrings('programunit', 'program_units');
$this->linkPermissions();
}
Then in my trait, I have it simply defined based on a naming convention, splitting on dashes.
<?php
namespace App\Http\Traits;
use Illuminate\Support\Facades\Auth;
/**
* Properties and methods used by the CrudPermissionsLink trait.
*/
trait CrudPermissionsLink
{
/**
* Remove access to all known operations by default, reset them based on permissions defined in the format
* entity_name-operation
*
*/
public function linkPermissions()
{
$ui_ops = ['list','create','delete','update'];
$user = Auth::user();
$this->crud->denyAccess($ui_ops);
foreach($ui_ops as $op){
$perm_name = "{$this->crud->entity_name}-{$op}";
if($user->can($perm_name)){
$this->crud->allowAccess($op);
}
}
}
}


What you have will work. That said, I recently created a similar solution for my apps. For my solution, I used an abstract Crud controller as below and all my specific crud controllers extend this class:
<?php
namespace App\Http\Controllers;
use Illuminate\Support\Facades\Gate;
use Illuminate\Database\Eloquent\Model;
use Backpack\CRUD\app\Http\Controllers\Operations\ListOperation;
use Backpack\CRUD\app\Http\Controllers\Operations\CreateOperation;
use Backpack\CRUD\app\Http\Controllers\Operations\UpdateOperation;
use Backpack\CRUD\app\Http\Controllers\Operations\DeleteOperation;
use Backpack\CRUD\app\Http\Controllers\CrudController as BaseCrudController;
abstract class CrudController extends BaseCrudController
{
use ListOperation, DeleteOperation;
use CreateOperation { store as traitStore; }
use UpdateOperation { update as traitUpdate; }
/**
* All possible CRUD "actions"
*/
public const CRUD_ACTION_CREATE = 'create';
public const CRUD_ACTION_LIST = 'list'; // synonymous with "read"
public const CRUD_ACTION_UPDATE = 'update';
public const CRUD_ACTION_DELETE = 'delete';
public const CRUD_ACTION_REORDER = 'reorder';
public const CRUD_ACTION_REVISIONS = 'revisions';
/**
* #var array An array of all possible CRUD "actions"
*/
public const ACTIONS = [
self::CRUD_ACTION_CREATE,
self::CRUD_ACTION_LIST,
self::CRUD_ACTION_UPDATE,
self::CRUD_ACTION_DELETE,
self::CRUD_ACTION_REORDER,
self::CRUD_ACTION_REVISIONS,
];
/**
* #var array An array of all CRUD "actions" that are not allowed for this resource
* Add any of the CRUD_ACTION_X constants to this array to prevent users accessing
* those actions for the given resource
*/
public $_prohibitedActions = [
self::CRUD_ACTION_REORDER, // not currently using this feature
self::CRUD_ACTION_REVISIONS, // not currently using this feature
];
/**
* Protect the operations of the crud controller from access by users without the proper
* permissions
*
* To give a user access to the operations of a CRUD page give that user the permissions below
* (where X is the name of the table the CRUD page works with)
*
* `X.read` permission: users can view the CRUD page and its records
* `X.create` permission: users can create records on the CRUD page
* `X.update` permission: users can update records on the CRUD page
* `X.delete` permission: users can delete records on the CRUD page
* `X.reorder` permission: users can reorder records on the CRUD page
* `X.revisions` permission: users can manage record revisions on the CRUD page
*
* #return void
*/
public function setupAccess(): void
{
// get the name of the table the crud operates on
$table = null;
if (isset($this->crud->model) && $this->crud->model instanceof Model) {
/** #var Model $this->crud->Model; */
$table = $this->crud->model->getTable();
}
// for each action, check if the user has permissions
// to perform that action and enforce the result
foreach (self::ACTIONS as $action) {
$requiredPermission = "$table.$action";
// If our model has no $table property set deny all access to this CRUD
if ($table && !$this->isProhibitedAction($action) && Gate::check($requiredPermission)) {
$this->crud->allowAccess($action);
continue;
}
$this->crud->denyAccess($action);
}
}
/**
* Check if the given action is allowed for this resource
* #param string $action One of the CRUD_ACTION_X constants
* #return bool
*/
public function isProhibitedAction($action): bool
{
return in_array($action, $this->_prohibitedActions, true);
}
/**
* Setup the CRUD page
* #throws \Exception
*/
public function setup(): void
{
$this->setupAccess();
}
}

Related

Laravel Backpack - Impersonate Operation

Im trying to create an impersonate operation within my user controller, I have been following this guide..
impersonate for backpack
The setupImpersonateDefaults function gets called ok but i get a 404 error, after some testing i figured out the setupImpersonateRoutes is not getting triggered
Any ideas on why?
<?php
namespace App\Http\Controllers\Admin\Operations;
use Backpack\CRUD\app\Library\CrudPanel\CrudPanelFacade as CRUD;
use Illuminate\Support\Facades\Route;
use Session;
use Alert;
trait ImpersonateOperation
{
/**
* Define which routes are needed for this operation.
*
* #param string $segment Name of the current entity (singular). Used as first URL segment.
* #param string $routeName Prefix of the route name.
* #param string $controller Name of the current CrudController.
*/
protected function setupImpersonateRoutes($segment, $routeName, $controller)
{
Route::get($segment.'/{id}/impersonate', [
'as' => $routeName.'.impersonate',
'uses' => $controller.'#impersonate',
'operation' => 'impersonate',
]);
}
/**
* Add the default settings, buttons, etc that this operation needs.
*/
protected function setupImpersonateDefaults()
{
CRUD::allowAccess('impersonate');
CRUD::operation('impersonate', function () {
CRUD::loadDefaultOperationSettingsFromConfig();
});
CRUD::operation('list', function () {
// CRUD::addButton('top', 'impersonate', 'view', 'crud::buttons.impersonate');
CRUD::addButton('line', 'impersonate', 'view', 'crud::buttons.impersonate');
});
}
/**
* Show the view for performing the operation.
*
* #return Response
*/
public function impersonate()
{
CRUD::hasAccessOrFail('impersonate');
// prepare the fields you need to show
$this->data['crud'] = $this->crud;
$this->data['title'] = CRUD::getTitle() ?? 'Impersonate '.$this->crud->entity_name;
$entry = $this->crud->getCurrentEntry();
backpack_user()->setImpersonating($entry->id);
Alert::success('Impersonating '.$entry->name.' (id '.$entry->id.').')->flash();
// load the view
return redirect('dashboard');
// load the view
//return view('crud::operations.impersonate', $this->data);
}
}
Have tried following the guides and the routes are not getting added.

for anyone else looking at this, you need to call the route from the \routes\backpack\custom.php file, if its not called from this file it wont trigger the setupXXXRoute function

One of the official Backpack team members has created an add-on for impersonating users. You can use his add-on or get inspiration from it:
https://github.com/maurohmartinez/impersonate-users-backpack-laravel

Is it possible to disable lazy loading for ODM Doctrine?

We are developing API with Silex and Doctrine (ODM) and we have object Story, which have property images.
class Story extends AbstractDocument
{
/** #MongoDB\Id */
protected $id;
/**
* #MongoDB\ReferenceMany(
* targetDocument="MyNamespace\Documents\Image",
* storeAs="DBRef"
* )
*/
protected $images = [];
// Other properties and methods
}
We have get method in repository (in AbstractRepository, from which extends all other repositories).
public function get(string $documentId) : array
{
$document = $this->createQueryBuilder()
->field('id')->equals($documentId)
->hydrate(false)
->getQuery()
->toArray();
}
This method returns embedded and referenced objects, but for referenceMany returns only ids without data.
Is it possible to deny lazy loading to get all documents ?
One possible solution, which we found - rewrite method toArray.

As soon as you use ->hydrate(false) you are instructing ODM to get out of your way and return you raw data from MongoDB. You are seeing the referenceMany as an array of ids because that is the raw representation, no lazy loading is involved.
The cleanest way to solve your issue would be implementing StoryRepository which would fire an additional query to get referenced images:
public function get(string $documentId) : array
{
$document = $this->createQueryBuilder()
->field('id')->equals($documentId)
->hydrate(false)
->getQuery()
->toArray();
$document['images'] = /* ... */;
return $document;
}

TYPO3: get all FE users

I am trying to create a user management module. I would like to get all FE users.
This is my Controller:
/**
* #var \TYPO3\CMS\Extbase\Domain\Repository\FrontendUserRepository
* #inject
*/
protected $feUserRepository;
then I use:
$users = $this->feUserRepository->findAll();
$this->view->assign('users', $users);
but all I get is an empty object.
EDIT:
for some reason
$this->feUserRepository->findByUId(1);
does work but findAll() not...

This is because extbase will silently disable the respectStoragePage setting on the querySettings for a findByUid($uid) call.
So, you have two options:
Provide the correct storage pid in the TypoScript configuration of your plugin (plugin.tx_myextension.persistence.storagePid). This way, you will find every frontenduser that is stored on the given page.
You could implement your own FrontendUserRepository that extends the repository from extbase but disables the respectStoragePage for all calls (this way you'll get every frontendUser regardless of the page the record is stored on). Here is how you do it:
use TYPO3\CMS\Extbase\Domain\Repository\FrontendUserRepository as ExtbaseFrontendUserRepository;
class FrontendUserRepository extends ExtbaseFrontendUserRepository
{
/**
* Disable respecting of a storage pid within queries globally.
*/
public function initializeObject()
{
$defaultQuerySettings = $this->objectManager->get(\TYPO3\CMS\Extbase\Persistence\Generic\Typo3QuerySettings:class);
$defaultQuerySettings->setRespectStoragePage(false);
$this->setDefaultQuerySettings($defaultQuerySettings);
}
}
In your Controller you then inject your FrontendUserRepository. Then you should do the same for the FrontendUser Model and tell extbase afterwards that you are using the fe_users table for your Model:
config.tx_extbase {
persistence {
classes {
Vendor\MyExtension\Domain\Model\FrontendUser {
mapping {
tableName = fe_users
}
}
}
}
}

API Platform custom operation with custom parameter

I just started using the dunglas api platform. Im using v2.0.0-rc1 and i added an custom operation to enabled/disable an user.
This is my custom action for the user
<?php
namespace Zoef\UserBundle\Action;
use Zoef\UserBundle\Entity\User;
use Doctrine\Common\Persistence\ManagerRegistry;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
use Symfony\Component\Routing\Annotation\Route;
class UserAction
{
/**
* #Route(
* name="enabled_user",
* path="/users/{id}/enabled",
* defaults={"_api_resource_class"=User::class, "_api_item_operation_name"="enabled"}
* )
* #Method("PUT")
*/
public function __invoke(User $user)
{
if($user->isEnabled()) {
$user->setEnabled(false);
} else {
$user->setEnabled(true);
}
return $user;
}
}
When i go to my docs the custom operation is added and functional but to use this action i need to send 4 parameters: email, fullname, username, enabled. but i only want to send the enabled parameter and the id of the user is given in the route but i cant find in the doc how to change the parameters.
Can someone help me with this?

I was trying to make the same enable/disabled and I did it this way:
I created a custom controller in AppBundle\Controller\AddressController
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
class AddressController extends Controller
{
public function enableAction($data)
{
$data->setActive(true);
$em = $this->getDoctrine()->getManager();
$em->persist($data);
$em->flush();
return $data;
}
}
In my routing.yml I have:
address_enable:
path: '/addresses/{id}/enable'
methods: ['PUT']
defaults:
_controller: 'AppBundle:Address:enable'
_api_resource_class: 'AppBundle\Entity\Address'
_api_item_operation_name: 'enable'
In my entity, I have:
* #ApiResource(
* itemOperations={
* "enable"={"route_name"="address_enable"},
* }
* )
And after that I just send it as URL/addresses/123/enable no need to send more parameters, just the id.

How to handle entity update (PUT request) in REST API using FOSRestBundle

I am prototyping a REST API in Symfony2 with FOSRestBundle using JMSSerializerBundle for entity serialization. With GET request I can use the ParamConverter functionality of SensioFrameworkExtraBundle to get an instance of an entity based on the id request parameter and when creating a new entity with POST request I can use the FOSRestBundle body converter to create a new instance of the entity based on the request data. But when I want to update an existing entity, using the FOSRestBundle converter gives an entity without id (even when the id is sent with the request data) so if I persist it, it will create a new entity. And using SensioFrameworkExtraBundle converter gives me the original entity without the new data so I would have to manually get the data from the request and call all the setter methods to update the entity data.
So my question is, what is the preferred way to handle this situation? Feels like there should be some way to handle this using the (de)serialization of the request data. Am I missing something related to the ParamConverter or JMS serializer that would handle this situation? I do realize that there are many ways to do this kind of things and none of them are right for every use case, just looking for something that fits this kind of rapid prototyping you can do by using the ParamConverter and minimal code required to be written in the controllers/services.
Here is an example of a controller with the GET and POST actions as described above:
namespace My\ExampleBundle\Controller;
use My\ExampleBundle\Entity\Entity;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Validator\ConstraintViolationListInterface;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
use FOS\RestBundle\Controller\Annotations as Rest;
use FOS\RestBundle\View\View;
class EntityController extends Controller
{
/**
* #Route("/{id}", requirements={"id" = "\d+"})
* #ParamConverter("entity", class="MyExampleBundle:Entity")
* #Method("GET")
* #Rest\View()
*/
public function getAction(Entity $entity)
{
return $entity;
}
/**
* #Route("/")
* #ParamConverter("entity", converter="fos_rest.request_body")
* #Method("POST")
* #Rest\View(statusCode=201)
*/
public function createAction(Entity $entity, ConstraintViolationListInterface $validationErrors)
{
// Handle validation errors
if (count($validationErrors) > 0) {
return View::create(
['errors' => $validationErrors],
Response::HTTP_BAD_REQUEST
);
}
return $this->get('my.entity.repository')->save($entity);
}
}
And in config.yml I have the following configuration for FOSRestBundle:
fos_rest:
param_fetcher_listener: true
body_converter:
enabled: true
validate: true
body_listener:
decoders:
json: fos_rest.decoder.jsontoform
format_listener:
rules:
- { path: ^/api/, priorities: ['json'], prefer_extension: false }
- { path: ^/, priorities: ['html'], prefer_extension: false }
view:
view_response_listener: force

If you are using PUT, according to REST, you should use a route for the update with the id of the entity in question in the route itself like /entity/{entity}. FOSRestBundle does it that way too.
In your case this should be something like:
/**
* #Route("/{entityId}", requirements={"entityId" = "\d+"})
* #ParamConverter("entity", converter="fos_rest.request_body")
* #Method("PUT")
* #Rest\View(statusCode=201)
*/
public function putAction($entityId, Entity $entity, ConstraintViolationListInterface $validationErrors)
EDIT: It would actually be even better to have two entities injected. One being the current database state and one being the sent data from the client. You can achieve this with two ParamConverter-annotations:
/**
* #Route("/{id}", requirements={"id" = "\d+"})
* #ParamConverter("entity")
* #ParamConverter("entityNew", converter="fos_rest.request_body")
* #Method("PUT")
* #Rest\View(statusCode=201)
*/
public function putAction(Entity $entity, Entity $entityNew, ConstraintViolationListInterface $validationErrors)
This will load the current db state into $entity and the uploaded data into $entityNew. Now you can merge the data as you see fit.
If it's fine for you to just overwrite the data without merging/checking, then use the first option. But keep in mind that this would allow creating a new entity if the client sends a not yet used id if you do not prevent that.

Seems one way would be to use Symfony Form component (with SimpleThingsFormSerializerBundle) as described in http://williamdurand.fr/2012/08/02/rest-apis-with-symfony2-the-right-way/#post-it
Quote from SimpleThingsFormSerializerBundle README:
Additionally all the current serializer components share a common flaw: They cannot deserialize (update) into existing object graphs. Updating object graphs is a problem the Form component already solves (perfectly!).

I also had a problem with the processing of PUT requests using JMS serializer. First of all I would like to automate the processing of queries using the serializer. The put request may not contain the complete data. Part of the data must be map on entity. You can use my simple solution:
/**
* #Route(path="/edit",name="your_route_name", methods={"PUT"})
*
* This parameter is using for creating a current fields of request
* #RequestParam(
* name="id",
* requirements="\d+",
* nullable=false,
* allowBlank=true,
* strict=true,
* )
* #RequestParam(
* name="some_field",
* requirements="\d{13}",
* nullable=true,
* allowBlank=true,
* strict=true,
* )
* #RequestParam(
* name="some_another_field",
* requirements="\d{13}",
* nullable=true,
* allowBlank=true,
* strict=true,
* )
* #param Request $request
* #param ParamFetcher $paramFetcher
* #return Response
*/
public function editAction(Request $request, ParamFetcher $paramFetcher)
{
//validate parameters
$paramFetcher->all();
/** #var EntityManager $em */
$em = $this->getDoctrine()->getManager();
$yourEntity = $em->getRepository('YourBundle:SomeEntity')->find($paramFetcher->get('id'));
//get request params (param fetcher has all params, but we need only params from request)
$data = $request->request->all();
$this->mapDataOnEntity($data, $yourEntity, ['some_serialized_group','another_group']);
$em->flush();
return new JsonResponse();
}
Method mapDataOnEntity you can locate in some trait or in you intermediate controller class. Here is his implementation of this method:
/**
* #param array $data
* #param object $targetEntity
* #param array $serializationGroups
*/
public function mapDataOnEntity($data, $targetEntity, $serializationGroups = [])
{
/** #var object $source */
$sourceEntity = $this->get('jms_serializer')
->deserialize(
json_encode($data),
get_class($targetEntity),
'json',
DeserializationContext::create()->setGroups($serializationGroups)
);
$this->fillProperties($data, $targetEntity, $sourceEntity);
}
/**
* #param array $params
* #param object $targetEntity
* #param object $sourceEntity
*/
protected function fillProperties($params, $targetEntity, $sourceEntity)
{
$propertyAccessor = new PropertyAccessor();
/** #var PropertyMetadata[] $propertyMetadata */
$propertyMetadata = $this->get('jms_serializer.metadata_factory')
->getMetadataForClass(get_class($sourceEntity))
->propertyMetadata;
foreach ($propertyMetadata as $realPropertyName => $data) {
$serializedPropertyName = $data->serializedName ?: $this->fromCamelCase($realPropertyName);
if (array_key_exists($serializedPropertyName, $params)) {
$newValue = $propertyAccessor->getValue($sourceEntity, $realPropertyName);
$propertyAccessor->setValue($targetEntity, $realPropertyName, $newValue);
}
}
}
/**
* #param string $input
* #return string
*/
protected function fromCamelCase($input)
{
preg_match_all('!([A-Z][A-Z0-9]*(?=$|[A-Z][a-z0-9])|[A-Za-z][a-z0-9]+)!', $input, $matches);
$ret = $matches[0];
foreach ($ret as &$match) {
$match = $match == strtoupper($match) ? strtolower($match) : lcfirst($match);
}
return implode('_', $ret);
}

The best way is using JMSSerializerBundle
The problem is JMSSerializer initializes with the default ObjectConstructor for deserialization (setting the fields that are not in the request as null, and making that merge method will also persist null properties to database). So you need to switch this one with the DoctrineObjectConstructor.
services:
jms_serializer.object_constructor:
alias: jms_serializer.doctrine_object_constructor
public: false
Then just deserialize and persist the entity, and it will be filled with the missing fields. When you save to database only the attributes that have changed will be updated on the database:
$foo = $this->get('jms_serializer')->deserialize(
$request->getContent(),
'AppBundle\Entity\Foo',
'json');
$em = $this->getDoctrine()->getManager();
$em->persist($foo);
$em->flush();
Credits to: Symfony2 Doctrine2 De-Serialize and Merge Entity issue

I'm having the same issue as you described, I just do the entity merging manually:
public function patchMembersAction($memberId, Member $memberPatch)
{
return $this->members->updateMember($memberId, $memberPatch);
}
This calls method that does the validation, and then manually calls all the required setter methods. Anyway, I'm wondering about writing my own param converter for such cases.

Another resource which helped me a lot is http://welcometothebundle.com/symfony2-rest-api-the-best-2013-way/. A step by step tutorial which filled in the blanks I had after the resource in the previous comment. Good luck!