I am trying to support the use of EITHER GET or POST methods in my REST controller in laravel.
So, I would like to redirect ANY get requests sent to our REST controller to the POST method in the SAME controller instead.
I have tried many things, and now have returned back to basics as follows:
routes.php
Route::resource('user', 'userController');
userController.php
class userController extends \BaseController {
public function index() {
return Redirect::action('userController#store');
}
public function store() {
echo 'yeeha!';
}
}
Performing a POST on the page works and outputs:
yeeha!
Performing a GET on the page produces:
Could not get any response
This seems to be like an error connecting to https://www.test.com/user. The response status was 0.
Check out the W3C XMLHttpRequest Level 2 spec for more details about when this happens.
I have tried many different redirects and none are successful.
The correct way is to do it is to use the routes file and just define it;
Routes.php
Route::get('/user', array ('as' => 'user.index', 'uses' => userController#store))
Route::post('/user', array ('as' => 'user.create', 'uses' => userController#store))
Controller
class userController extends \BaseController {
public function store() {
echo 'yeeha!';
}
}
Related
I am trying to redirect request if authorization is failed for it. I have following code:
class ValidateRequest extends Request{
public function authorize(){
// some logic here...
return false;
}
public function rules(){ /* ... */}
public function failedAuthorization() {
return redirect('safepage');
}
}
By default I am redirected to the 403 error page, but I would like to specify some specific route. I noticed that method failedAuthorization() is run, but redirect() method does not work...
Previously this code worked well with Laravel 5.1 but I used forbiddenResponse() method to redirect wrong request. How can I fix it with new LTS version?
Looks like it is impossible to redirect() directly from the custom ValidateRequest class. The only solution that I found is create custom exception and than handle it in the Handler class. So, now it works with following code:
Update: The method redirectTo() was updated to make solution work on Laravel 6.x and higher
app/Requests/ValidateRequest.php
class ValidateRequest extends Request{
public function authorize(){
// some logic here...
return false;
}
public function rules(){
return [];
}
public function failedAuthorization() {
$exception = new NotAuthorizedException('This action is unauthorized.', 403);
throw $exception->redirectTo("safepage");
}
}
app/Exceptions/NotAuthorizedException.php
<?php
namespace App\Exceptions;
use Exception;
class NotAuthorizedException extends Exception
{
protected $route;
public function redirectTo($route) {
$this->route = $route;
abort(Redirect::to($route));
}
public function route() {
return $this->route;
}
}
and app/Exceptions/Handler.php
...
public function render($request, Exception $exception){
...
if($exception instanceof NotAuthorizedException){
return redirect($exception->route());
}
...
}
So, it works, but much more slower than I expected... Simple measuring shows that handling and redirecting take 2.1 s, but with Laravel 5.1 the same action (and the same code) takes only 0.3 s
Adding NotAuthorizedException::class to the $dontReport property does not help at all...
Update
It runs much more faster with php 7.2, it takes 0.7 s
If you are revisiting this thread because in 2021 you are looking to redirect after failed authorization here's what you can do:
You cannot redirect from the failedAuthorization() method because it is expected to throw an exception (check the method in the base FormRequest class that you extend), the side effect of changing the return type is the $request hitting the controller instead of being handled on FormRequest authorization level.
You do not need to create a custom exception class, neither meddle with the Laravel core files like editing the render() of app/Exceptions/Handler.php, which will pick up the exception you threw and by default render the bland 403 page.
All you need to do is throw new HttpResponseException()
In the Laravel reference API we can see its job is to "Create a new HTTP response exception instance." and that is exactly what we want, right?
So we need to pass this Exception a $response. We can pass a redirect or JSON response!
Redirecting:
protected function failedAuthorization()
{
throw new HttpResponseException(response()->redirectToRoute('postOverview')
->with(['error' => 'This action is not authorized!']));
}
So we are creating a new instance of the HttpResponseException and we use the response() helper, which has this super helpful redirectToRoute('routeName') method, which we can further chain with the well known with() method and pass an error message to display on the front-end.
JSON:
Inspired by this topic
throw new HttpResponseException(response()->json(['error' => 'Unauthorized action!'], 403));
Thats'it.
You don't have to make ANY checks for validation or authorization in your controller, everything is done in the background before it hits the controller. You can test this by putting a dd('reached controller'); at the top of your controller method and it shouln't get trigered.
This way you keep your controller thin and separate concerns :)
Sidenote:
forbiddenResponse() has been replaced after lara 5.4 with failedAuthorization()
You can do through a middleware/policy i think. I don't know if you can do it from the validation.
You can override the function from FormRequest like this below:
/**
* Handle a failed authorization attempt.
*
* #return void
*
* #throws \Illuminate\Auth\Access\AuthorizationException
*/
protected function failedAuthorization()
{
throw new AuthorizationException('This action is unauthorized.');
}
And redirect where you want.
I have a complex set of rules that I build dynamically but ideally I need one set of rules to be validated before I move on to the next, i.e.
I have a json object {data: {}}, which I want to check exists before I move on to validate fields nested in data, which have other nested fields etc etc.
I thought about having one FormRequest class, say ApiRequest, which could validate data, then another, say UploadRequest, which adds further rules on the basis that the data has already been validated.
I can do this, and it works, by injecting ApiRequest inside the constructor of UploadRequest, which allows the full set of rules to be validated in ApiRequest, before moving on to the next set:
/**
* UploadRequest constructor.
* #param ApiRequest $apiRequest
*/
public function __construct(ApiRequest $apiRequest) {
// If we got here, ApiRequest passed validation, woo!
}
Does this seem like an anti pattern or the 'wrong' way to handle this?
I was trying to think of a request being made up of mini requests i.e. an upload request via the api is really an api request, followed by an upload request etc. But I'm not sure if I'm just trying to justify this to myself.
Any help would be greatly appreciated.
Thanks!
You can have one ApiRequest class that validates all mandatory parameters for all endpoints.
class ApiRequests extends FormRequest
{
public function rules()
{
return [
'data' => 'required',
'data.field_1' => 'required|string',
'data.field_2' => 'required|string'
];
}
}
And let's say your API has an endpoint that edits user's profile. And the request made to that endpoint must include first_name and last_name. So a new class that extends ApiRequest can be made:
class EditUserRequest extends ClientRequest
{
public function rules()
{
return array_merge(parent::rules(), [
'params.first_name' => 'required',
'params.last_name' => 'required',
]);
}
}
That will merge all rules from ApiRequest with those required for EditUserRequest.
And then in your controller (eg. UsersController):
public function update(EditUserRequest $request) {
.... your code goes here...
}
The controller redirect() method in Lithium does an actual HTTP redirect. But is there a method to simply forward a request to another controller/action without an HTTP redirect?
For example, say I want to add an authentication layer and rather than redirecting the user to a "/auth/login" page, the login layout and template get rendered rather than the content for the page they requested. Then, when they submit the form and they authenticate, they're already on the page they requested. Zend framework has something similar with a _forward() method.
Thanks!
There's no method, mostly because you can do it in about two lines of code:
<?php
namespace my_app\controllers;
use lithium\core\Libraries;
class PostsController extends \lithium\action\Controller {
public function index() {
$forward = Libraries::instance("controllers", "Auth", [
'request' => $this->request
]);
return $forward($this->request, ['action' => 'login']);
}
}
?>
I'm working on an ACL which is called in Module.php and attached to the bootstrap.
Obviously the ACL restricts access to certain areas of the site, which brings the need for redirects. However, when trying to use the controller plugin for redirects it doesn't work as the plugin appears to require a controller.
What's the best way to redirect outside from outside of a controller? The vanilla header() function is not suitable as I need to use defined routes.
Any help would be great!
Cheers-
In general, you want to short-circuit the dispatch process by returning a response. During route or dispatch you can return a response to stop the usual code flow stop and directly finish the result. In case of an ACL check it is very likely you want to return that response early and redirect to the user's login page.
You either construct the response in the controller or you check the plugin's return value and redirect when it's a response. Notice the second method is like how the PRG plugin works.
An example of the first method:
use Zend\Mvc\Controller\AbstractActionController;
class MyController extends AbstractActionController
{
public function fooAction()
{
if (!$this->aclAllowsAccess()) {
// Use redirect plugin to redirect
return $this->redirect('user/login');
}
// normal code flow
}
}
An example like the PRG plugin works:
use Zend\Mvc\Controller\AbstractActionController;
use Zend\Http\Response;
class MyController extends AbstractActionController
{
public function fooAction()
{
$result = $this->aclCheck();
if ($result instanceof Response) {
// Use return value to short-circuit
return $result
}
// normal code flow
}
}
The plugin could then look like this (in the second case):
use Zend\Mvc\Controller\Plugin\AbstractPlugin;
class AclCheck extends AbstractPlugin
{
public function __invoke()
{
// Check the ACL
if (false === $result) {
$controller = $this->getController();
$redirector = $controller->getPluginManager()->get('Redirect');
$response = $redirector->toRoute('user/login');
return $response;
}
}
}
In your question you say:
[...] it doesn't work as the plugin appears to require a controller.
This can be a problem inside the controller plugin when you want to do $this->getController() in the plugin. You either must extend Zend\Mvc\Controller\Plugin\AbstractPlugin or implement Zend\Mvc\Controller\Plugin\PluginInterface to make sure your ACL plugin is injected with the controller.
If you do not want this, there is an alternative you directly return a response you create yourself. It is a bit less flexible and you create a response object while there is already a response object (causing possible conflicts with both responses), but the plugin code would change like this:
use Zend\Mvc\Controller\Plugin\AbstractPlugin;
use Zend\Http\PhpEnvironment\Response;
class AclCheck extends AbstractPlugin
{
public function __invoke()
{
// Check the ACL
if (false === $result) {
$response = new Response;
$response->setStatusCode(302);
$response->getHeaders()
->addHeaderLine('Location', '/user/login');
return $response;
}
}
}
I want to test that my /login page is working well and rejecting invalid credentials i.e. not redirecting to the user's dashboard and showing an aller message identified here with the .alert HTML class. So I've created a test like this:
class AuthControllerTest extends Zend_Test_PHPUnit_ControllerTestCase {
...
public function testUserFailingLogin() {
$this->request->setPost(array(
'email' => 'wrong#email.com',
'password' => 'wrongpassword',
));
$this->request->setMethod('POST');
$this->dispatch('/login');
$this->assertQuery('.alert');
}
}
My problem is that the assertQuery() method is running against the render of login.phtml view file and is not including my Zend_Layout set up (that's where the .alert's are shown) and thereof, the assertQuery() assertion fails always.
Is there any way to get assert*Query*() assertions evaluating the full response ("layout" + "view"), instead of just the "view" part?
You(I) should use the undocumented outputBody() method.