Question:
How to show encrypted user id in URL in Laravel?

Problem:

I created a URL to edit the logged-in user's data. Here is my route:

Route::get('/admin/create/user', [UserController::class, 'createUser'])->name('create.user');

Route::post('/admin/store/user', [UserController::class, 'storeUser'])->name('store.user');

Route::get('/admin/edit/user/{user_id}', [UserController::class, 'editUser'])->name('edit.user');


When a user clicks the edit button, they get this URL.

http://127.0.0.1:8000/admin/edit/user/160

If that user puts 162, they can see another user's data!


How can I encrypt the user id, so that no one can see other user's data?

Here is my Controller's code:

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Mail\UserActivatedEmail;
use App\Mail\UserBlockedEmail;
use Illuminate\Http\Request;
use App\Models\Role;
use App\Models\User;
use App\Models\Division;
use App\Models\District;
use App\Models\BloodGroup;
use App\Models\SscBoard;
use App\Models\Occupation;
use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;
use Intervention\Image\Facades\Image;
use Xenon\LaravelBDSms\Facades\SMS;
use Xenon\LaravelBDSms\Provider\AjuraTech;
use Xenon\LaravelBDSms\Sender;

class UserController extends Controller
{
    public function storeUser(Request $request) {
        $request->validate([
            'role_id' => 'required',
            'name' => 'required',
            // All rules for one field belong in one array. Written as separate
            // top-level entries (as originally posted) only 'required' applied to email.
            'email' => ['required', 'string', 'email', 'max:255', 'unique:users'],
        ]);

        $data = [
            'role_id' => $request->role_id,
            'name' => $request->name,
            'email' => $request->email,
            'phone' => $request->phone,
            'gender' => $request->gender,
            'occupation' => $request->occupation,
            'blood_group_id' => $request->blood_group_id,
            'ssc_year' => $request->ssc_year,
            'ssc_board_id' => $request->ssc_board_id,
            'ssc_role' => $request->ssc_role,
            'ssc_registration_no' => $request->ssc_registration_no,
            'present_division_id' => $request->present_division_id,
            'present_district_id' => $request->present_district_id,
            'present_address' => $request->present_address,
            'permanent_division_id' => $request->permanent_division_id,
            'permanent_district_id' => $request->permanent_district_id,
            'permanent_address' => $request->permanent_address,
            'description' => $request->description,
            'facebok' => $request->facebok,
            'password' => Hash::make($request->password),
            'created_at' => Carbon::now(),
        ];

        // The profile photo is optional; only store a path when one was uploaded.
        $image = $request->file('profile_photo');
        if ($image) {
            $name_gen = uniqid() . '.' . $image->getClientOriginalExtension();
            Image::make($image)->save('backend/images/users/' . $name_gen);
            $data['profile_photo'] = 'backend/images/users/' . $name_gen;
        }

        User::insert($data);

        $notification = [
            'message' => 'User Created Successfully',
            'alert-type' => 'success'
        ];

        return redirect()->route('all.users')->with($notification);
    }

    public function editUser($user_id) {
        $roles = Role::all();
        $alldivisions = Division::get();
        $alldistricts = District::get();
        $allpdivisions = Division::get();
        $allpdistricts = District::get();
        $bgroups = BloodGroup::get();
        $sscboards = SscBoard::get();
        $ocupations = Occupation::get();
        // $user_id is whatever the client typed into the URL, and nothing checks
        // that it belongs to the logged-in user: this is the problem described above.
        $editUser = User::findOrFail($user_id);

        return view('admin.users.edit', compact('roles', 'editUser', 'ocupations', 'alldivisions', 'alldistricts', 'allpdivisions', 'allpdistricts', 'bgroups', 'sscboards'));
    }

    public function updateUser(Request $request) {
        // The id comes from a form field here, so the client can choose it just as
        // freely as in the URL.
        $user = User::findOrFail($request->id);

        // Ability 'save' as in the posted code; the UserPolicy it relies on is not shown.
        $this->authorize('save', $user);

        $user->role_id = $request->role_id;
        $user->name = $request->name;
        $user->email = $request->email;
        $user->phone = $request->phone;
        $user->gender = $request->gender;
        $user->occupation = $request->occupation;
        $user->blood_group_id = $request->blood_group_id;
        $user->ssc_year = $request->ssc_year;
        $user->ssc_board_id = $request->ssc_board_id;
        $user->ssc_role = $request->ssc_role;
        $user->ssc_registration_no = $request->ssc_registration_no;
        $user->present_division_id = $request->present_division_id;
        $user->present_district_id = $request->present_district_id;
        $user->present_address = $request->present_address;
        $user->permanent_division_id = $request->permanent_division_id;
        $user->permanent_district_id = $request->permanent_district_id;
        $user->permanent_address = $request->permanent_address;
        $user->description = $request->description;
        $user->facebok = $request->facebok;

        $image = $request->file('profile_photo');
        if ($image) {
            $name_gen = uniqid() . '.' . $image->getClientOriginalExtension();
            Image::make($image)->save('backend/images/users/' . $name_gen);
            // Remove the old photo using the path stored in the database, not the
            // 'oldimage' form field: unlink() on a client-supplied path lets the client
            // delete any file the web server user can write to.
            if ($user->profile_photo && file_exists($user->profile_photo)) {
                unlink($user->profile_photo);
            }
            $user->profile_photo = 'backend/images/users/' . $name_gen;
        }

        // save() was commented out in the posted code, so nothing was persisted.
        $user->save();

        $notification = [
            'message' => 'User Updated Successfully',
            'alert-type' => 'success'
        ];

        return redirect()->back()->with($notification);
    }
}



Solution 1:

You don't need to pass the user ID in the URL. Just do it like this:


public function editUser() {
    $roles = Role::all();
    $alldivisions = Division::get();
    $alldistricts = District::get();
    $allpdivisions = Division::get();
    $allpdistricts = District::get();
    $bgroups = BloodGroup::get();
    $sscboards = SscBoard::get();
    $ocupations = Occupation::get();
    // The target is always the authenticated user, so there is no id to tamper with.
    $editUser = User::findOrFail(auth()->id());

    return view('admin.users.edit', compact('roles', 'editUser', 'ocupations', 'alldivisions', 'alldistricts', 'allpdivisions', 'allpdistricts', 'bgroups', 'sscboards'));
}


and for the route:

http://127.0.0.1:8000/admin/edit/user


And if you want to edit other users by yourself or with any other account, you should manage the routes and access levels in your project by using middleware or some packages like Spatie.


Answered by: AMIN


Solution 2:

Instead of encryption, you should restrict the data's accessibility, meaning you only have to allow User A to access his/her data. If the user tries to access someone else's data, you should restrict the access.


Create a middleware to cross-check the current user

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;

class CurrentUserOnly
{
    public function handle(Request $request, Closure $next): Response
    {
        // Auth::id() is the authenticated user's key (null for a guest); the posted
        // code called a getId() method that Authenticatable does not define.
        $currentUserId = Auth::id();
        // {user_id} is a route parameter, so read it from the route, not the query
        // string. Route parameters arrive as strings, so cast before a strict compare.
        $requestedUserId = (int) $request->route('user_id');

        // Check the requested id is identical to the current user's id
        if ($currentUserId === null || (int) $currentUserId !== $requestedUserId) {
            // Access denied, handle error
            abort(403, 'Access denied');
        }

        return $next($request);
    }
}



Add the middleware to the route

Route::get('/admin/edit/user/{user_id}', [UserController::class, 'editUser'])
    ->middleware(CurrentUserOnly::class)
    ->name('edit.user');



Answered by: BadPiggie
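A policy-based version of what Solutions 1 and 2 describe (a self-service edit route with no id in the URL, plus an id-bearing route that only the owner or an admin may use), as an added example that is not code from the question or from either answer. The same check also closes the POST side, where the question's updateUser() takes the target id from a hidden form field and no URL encryption would help. It assumes Laravel 9 or 10 (whose base Controller includes the AuthorizesRequests trait; on Laravel 11 add `use AuthorizesRequests;` to the controller), policy auto-discovery (App\Models\User maps to App\Policies\UserPolicy, so no manual registration is needed), the User and Role models and the users.role_id column from the question, and that the admin role is the roles row whose `name` column is 'admin' (an assumption; adapt to your roles table). The route names edit.self, edit.user and update.user are chosen here; three files are shown in one listing, and the view data other than the user is left out.

```php
<?php
// ---- app/Policies/UserPolicy.php ----
// Added example, not the question's or answers' code.
namespace App\Policies;

use App\Models\Role;
use App\Models\User;

class UserPolicy
{
    // May $actor edit $target? Everyone may edit themselves; admins may edit anyone.
    public function update(User $actor, User $target): bool
    {
        return $actor->is($target) || $this->isAdmin($actor);
    }

    private function isAdmin(User $user): bool
    {
        // Assumption: users.role_id references roles.id and roles has a `name` column.
        return Role::whereKey($user->role_id)->where('name', 'admin')->exists();
    }
}

// ---- routes/web.php ----
use App\Http\Controllers\Admin\UserController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->group(function () {
    // Solution 1's idea: no id in the URL, the target is always the logged-in user.
    Route::get('/admin/edit/user', [UserController::class, 'editSelf'])->name('edit.self');

    // {user} is resolved by route model binding: an unknown id is a 404 before the
    // controller runs, and the controller receives a User, never a raw id.
    Route::get('/admin/edit/user/{user}', [UserController::class, 'editUser'])->name('edit.user');
    Route::put('/admin/update/user/{user}', [UserController::class, 'updateUser'])->name('update.user');
});

// ---- app/Http/Controllers/Admin/UserController.php (relevant methods only) ----
namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class UserController extends Controller
{
    public function editSelf(Request $request)
    {
        return $this->editUser($request->user());
    }

    public function editUser(User $user)
    {
        // Throws AuthorizationException (rendered as HTTP 403) unless
        // UserPolicy::update($actor, $user) returns true.
        $this->authorize('update', $user);

        return view('admin.users.edit', ['editUser' => $user]);
    }

    public function updateUser(Request $request, User $user)
    {
        // The target comes from the URL binding, never from a hidden `id` form
        // field, and is authorized before anything is read from the request body.
        $this->authorize('update', $user);

        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255', Rule::unique('users')->ignore($user->id)],
        ]);

        // role_id is deliberately not accepted here: letting a user who edits their
        // own record choose role_id would be a privilege escalation. Accept it only
        // on an admin-only path guarded by its own policy ability.
        $user->name  = $data['name'];
        $user->email = $data['email'];
        $user->save();

        return redirect()->route('edit.user', $user)->with('message', 'User Updated Successfully');
    }
}
```

Because the decision lives in one policy method, the admin-only case, the self-service case and the update path cannot drift apart: a user whose id is 160 requesting /admin/edit/user/162 gets a 403 from authorize(), and the same 403 is returned if they submit the update form with a tampered target.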


Solution 3:

While I suggest reading into authorization and Laravel Gates/Policies, for a simple and quick solution you can use the abort function. This function will throw an exception that will stop the request from proceeding further.

public function updateUser(Request $request) {
    abort_if(auth()->id() != $request->route('user_id'), 401);

    ...
}


Answered by: kris gjika
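A feature test that turns the check Solutions 2 and 3 describe into something the test suite enforces, as an added example rather than code from the question or any answer. It assumes Laravel's default PHPUnit setup with RefreshDatabase and a User factory whose defaults satisfy the users table, the route name edit.user with its {user_id} parameter from the question, that the route sits behind the `auth` middleware with a `login` route to redirect guests to, that a denied cross-user request is answered with 403 (as Solution 2's middleware does; Solution 3's abort_if uses 401, so adjust the assertion if you used that), and a POST route named update.user whose handler reads `id` from the form body like the question's updateUser() (that route name is an assumption).

```php
<?php
// tests/Feature/UserEditAuthorizationTest.php
// Added example; not part of the question or any answer.
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class UserEditAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_user_can_open_own_edit_page(): void
    {
        $me = User::factory()->create();

        $this->actingAs($me)
            ->get(route('edit.user', ['user_id' => $me->id]))
            ->assertOk();
    }

    public function test_user_cannot_open_another_users_edit_page(): void
    {
        $me    = User::factory()->create();
        $other = User::factory()->create();

        // Exactly the request from the question: change 160 to 162 in the URL.
        $this->actingAs($me)
            ->get(route('edit.user', ['user_id' => $other->id]))
            ->assertForbidden();
    }

    public function test_guest_is_redirected_to_login(): void
    {
        $someone = User::factory()->create();

        // Assumes the route is behind the `auth` middleware and a `login` route exists.
        $this->get(route('edit.user', ['user_id' => $someone->id]))
            ->assertRedirect(route('login'));
    }

    public function test_update_with_someone_elses_id_in_the_body_is_refused(): void
    {
        $me    = User::factory()->create();
        $other = User::factory()->create(['name' => 'Original Name']);

        // Assumes a POST route named update.user whose handler reads `id` from the
        // form body, as the question's updateUser() does. Encrypting the id in the
        // edit URL would do nothing about this request.
        $this->actingAs($me)
            ->post(route('update.user'), ['id' => $other->id, 'name' => 'Hijacked'])
            ->assertForbidden();

        $this->assertSame('Original Name', $other->fresh()->name);
    }
}
```

Run it with `php artisan test --filter UserEditAuthorizationTest`. The last test is the one to keep even if you only protect the edit page: it fails against the question's controller as posted, because nothing there ties the `id` form field to the logged-in user.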

Credit: Stack Overflow

