Filament, 2mo ago
H4L1M

Redirect to Profile On UsersRessource

I'm trying to redirect the user to his own profile if he's trying to view or edit his own record on UsersRessource. I'm hiding his record with ModifyQueryUsing on $table on UsersRessource, but a user can just edit the URL to access his resources (not talking about authorisation). I want to redirect to the Profile page if the user tries to view or edit his own User model. Any help?
3 Replies
H4L1M (OP), 2mo ago
On second thought, I think if someone is trying to be a hacker, he's not willing to go to his Profile... I'll stick to 403. But it would be nice to know how to do it.
skyrowl, 2mo ago
If you're using Filament panels you can set up a policy for your users. It will be something like:
<?php

namespace App\Policies;

use App\Models\User;

class UserPolicy
{
    // Can the user access the list at all?
    public function viewAny(User $user): bool
    {
        return true;                   // if the user can access the list
        // return false;               // if he can't
        // return $user->isAdmin();    // or your own logic
    }

    // Can the user open one specific record?
    public function view(User $user, User $record): bool
    {
        return $user->is($record);     // only his own record
        // return false;               // if he can't access other records
        // return $user->isAdmin();    // or your own logic
    }
}
This is pretty much the same for the other gates like edit, delete, ... and it will be applied automatically if you're using panels, as said above. If you don't use panels you can still set up policies, but you'd have to check yourself whether they can do whatever they want to do. To check, just do something like auth()->user()->can('viewAny', User::class) or auth()->user()->can('view', $record).
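As an added example that is not code from the thread, here is a complete UserPolicy covering the gates skyrowl mentions (viewAny, view, plus create, update and delete). The rules it encodes are an assumption for illustration: listing needs a permission, the actor's own record is denied on the resource (so a page-level redirect can send it to the profile page instead), records with a protected role are denied, and everything else falls through to a named permission. It assumes hasRole() and the named permissions (view_user, update_user, ...) come from a roles package such as spatie/laravel-permission, which hooks into Laravel's gate so that $user->can('update_user') resolves.

```php
<?php

namespace App\Policies;

use App\Models\User;

// Added example, not the thread's own code. Assumes spatie/laravel-permission
// (hasRole(), and permissions such as 'update_user' resolvable through can()).
class UserPolicy
{
    // Roles whose records nobody may touch through the admin resource (assumption).
    private const PROTECTED_ROLES = ['super_admin'];

    public function viewAny(User $user): bool
    {
        return $user->can('view_any_user');
    }

    public function view(User $user, User $record): bool
    {
        return $this->canTouch($user, $record, 'view_user');
    }

    public function create(User $user): bool
    {
        return $user->can('create_user');
    }

    public function update(User $user, User $record): bool
    {
        return $this->canTouch($user, $record, 'update_user');
    }

    public function delete(User $user, User $record): bool
    {
        // Deleting yourself is never allowed from the resource; the profile page owns that flow.
        return $this->canTouch($user, $record, 'delete_user');
    }

    // Shared rule for record-level gates. Ordering matters: the hard denials
    // (own record, protected role) come first, so a generous permission can
    // never override them.
    private function canTouch(User $user, User $record, string $permission): bool
    {
        if ($user->is($record)) {
            return false;
        }

        if ($record->hasRole(self::PROTECTED_ROLES)) {
            return false;
        }

        return $user->can($permission);
    }
}
```

Laravel discovers App\Policies\UserPolicy for App\Models\User automatically (or register it in AuthServiceProvider). Inside a Filament panel the resource calls these gates for you; outside a panel nothing does, so a controller or route has to call auth()->user()->can('view', $record) (or $this->authorize('view', $record)) itself.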
H4L1M (OP), 2mo ago
I solved it by overriding the authorizeAccess method on the EditUser class to check if the user is trying to edit his own record before actually testing the authorization part, then redirecting to the EditProfilePage class (from the Joaopaulolndev\FilamentEditProfile plugin):
use Illuminate\Support\Facades\Auth;
use Joaopaulolndev\FilamentEditProfile\Pages\EditProfilePage; // page class shipped by the plugin

// In App\Filament\Resources\UserResource\Pages\EditUser
protected function authorizeAccess(): void
{
    // Self-edit is redirected to the profile page before the policy is consulted
    if (Auth::id() == $this->getRecord()->id) {
        redirect()->intended(EditProfilePage::getUrl());

        return;
    }

    // Everyone else is subject to the resource's policy (UserPolicy::update)
    abort_unless(static::getResource()::canEdit($this->getRecord()), 403);
}
The other part is handled in UserPolicy.php as @skyrowl referred to:
// In App\Policies\UserPolicy (hasRole() is assumed to come from a roles package such as spatie/laravel-permission)
public function update(User $currentUser, User $targetUser): bool
{
    // Super admins can't be edited here and a user can't edit himself (that goes through the profile page);
    // everyone else needs the update_user permission
    return ($targetUser->hasRole('super_admin') || $currentUser->is($targetUser))
        ? false
        : $currentUser->can('update_user');
}
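As an added example (not the thread's own code), the same redirect-before-authorize pattern applied to both the edit and the view page of the resource, since the question was about viewing or editing one's own record. It assumes a UserResource whose policy denies view/update on the actor's own record, and the EditProfilePage class from the joaopaulolndev/filament-edit-profile plugin. It uses Livewire's $this->redirect() component method instead of the global redirect()->intended() helper the post used; both are supported in Filament pages. In a real app the two classes live in separate files.

```php
<?php

namespace App\Filament\Resources\UserResource\Pages;

use App\Filament\Resources\UserResource;
use Filament\Resources\Pages\EditRecord;
use Filament\Resources\Pages\ViewRecord;
use Illuminate\Support\Facades\Auth;
use Joaopaulolndev\FilamentEditProfile\Pages\EditProfilePage;

// Added example, not the thread's own code. Assumes UserResource's policy already
// denies view/update on the actor's own record (so the policy alone would 403).

class EditUser extends EditRecord
{
    protected static string $resource = UserResource::class;

    protected function authorizeAccess(): void
    {
        // Self-edit is redirected *before* the policy runs: otherwise the policy's
        // denial on the actor's own record would turn the request into a 403.
        if (Auth::user()->is($this->getRecord())) {
            $this->redirect(EditProfilePage::getUrl());

            return;
        }

        // Everyone else goes through UserResource::canEdit(), i.e. UserPolicy::update().
        // Filtering the row out of the table query hides it; this is what denies access.
        abort_unless(static::getResource()::canEdit($this->getRecord()), 403);
    }
}

class ViewUser extends ViewRecord
{
    protected static string $resource = UserResource::class;

    protected function authorizeAccess(): void
    {
        // Same ordering on the view page, so a hand-typed /users/{own-id} URL
        // lands on the profile page instead of a 403.
        if (Auth::user()->is($this->getRecord())) {
            $this->redirect(EditProfilePage::getUrl());

            return;
        }

        abort_unless(static::getResource()::canView($this->getRecord()), 403);
    }
}
```

The table's modifyQueryUsing(fn (Builder $query) => $query->whereKeyNot(Auth::id())) only removes the row from the list; the two overrides above and the policy behind canEdit()/canView() are what actually decide who may open the record.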