
I am creating a Laravel project for the users. Laravel has its own laravel/ui package, but I am creating its admin panel too, and I am a bit confused about what I should do for admins. Also, I am confused about the security for the admin panel. So there are 2 solutions in my mind:

  1. Add a new column in the user's table named status, and if its value is admin, he can access the admin panel; otherwise, redirect to the homepage.
  2. Create a separate admins table and improve laravel/ui auth. For that, I found documentation here.

What should I do? I have even added a table prefix for tables in `.env` & `config/database.php`. I am afraid that the hackers/users should not access the admin panel. And also, tell me if the table prefix is good for security, or should I remove the table prefix?

Karl Hill
  • You should use the same table with a `status` column. If you validate all requests, it is not easy to hack. Anyway, you store the hash value of passwords. – Maksat Jul 06 '21 at 04:55
  • Use the same table but add an enum column `role`, where the enum contains `user` and `admin`; then based on that you can create a middleware check – Kamlesh Paul Jul 06 '21 at 05:16
  • Okay, thanks for the answers. Please check the updated question, I have added the last line about `table prefix` – Zain Shabir Jul 06 '21 at 05:18
  • I think this is more a question of semantics. Do you consider an admin to be different from a user or do you consider an admin to be a special kind of user? – apokryfos Jul 06 '21 at 05:40
  • @apokryfos A special kind of user, I mean he has access to the admin panel to `create read update & delete the data`. But I am confused about the security and hackers, that's why I need a strong system, so no user/hackers can access the admin panel except admins – Zain Shabir Jul 06 '21 at 05:45
  • I don't see how there's a difference between a new table and an additional "flag" in the existing table with respect to security. [Authorisation](https://laravel.com/docs/8.x/authorization) allows you to set actions that only your admin can perform and add guards to those actions. The laravel permission package suggested in an answer is also a good alternative. – apokryfos Jul 06 '21 at 05:51
  • Yeah, I was just confused about the security, that's why I put the question here, so that you people can suggest me. Surely I am gonna use that `spatie laravel-permission package`. – Zain Shabir Jul 06 '21 at 06:01

1 Answer

You need the permission-roles system.

https://spatie.be/docs/laravel-permission/v4/introduction

This is a good decision for you. With well-configured routes, no one will have access to the admin panel without access to the database.

For example, only the admin has access to the panel page:

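```php
// `role` is the spatie/laravel-permission middleware alias; register it as the linked docs describe.
Route::name('adminspace.')->middleware(['role:admin'])->group(function () {
    // Only users that hold the `admin` role reach this route.
    Route::view('/panel', 'pages.panel');
});
```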
  • You mean I just have to add one column `role` or `status` in the users table, and check in the admin pages that if the role value is `admin` then open the page, otherwise redirect to the homepage? – Zain Shabir Jul 06 '21 at 05:12
  • No, you need to read the docs in the link above. Or you can find the tutorial on YouTube by looking for "Spatie Laravel-permission tutorial" – georgejornd Jul 06 '21 at 05:20
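
The same-table approach raised in the comments (a `role` column on `users` plus a middleware check) could look like the sketch below. It is an added example, not code from the thread or from any package it mentions; the class name `EnsureUserHasRole`, the alias `column.role` and the `admin` route prefix are hypothetical, and it assumes a string or enum `role` column and laravel/ui's `login` route.

```php
<?php
// app/Http/Middleware/EnsureUserHasRole.php (hypothetical class for this example)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserHasRole
{
    /**
     * Let the request through only when the logged-in user's `role`
     * column is one of the roles named on the route, e.g. `column.role:admin`.
     */
    public function handle(Request $request, Closure $next, string ...$roles)
    {
        $user = $request->user();

        // Guest: send to the login page and remember the intended URL.
        if ($user === null) {
            return redirect()->guest(route('login'));
        }

        // Logged in without the role: refuse on the server with 403.
        // Strict comparison, so a null or unexpected value never matches.
        if (! in_array($user->role, $roles, true)) {
            abort(403);
        }

        return $next($request);
    }
}

// Register the alias in app/Http/Kernel.php (Laravel 8 layout):
//   protected $routeMiddleware = [
//       'column.role' => \App\Http\Middleware\EnsureUserHasRole::class,
//   ];
//
// Protect every admin route in routes/web.php with it:
//   Route::prefix('admin')->middleware(['auth', 'column.role:admin'])->group(function () {
//       Route::view('/panel', 'pages.panel');
//   });
//
// Keep `role` out of the User model's $fillable so that a registration or
// profile form cannot set it through mass assignment.
```

Because the check runs in middleware on the route group, it applies to every request for an admin URL, not only to pages that hide the admin links.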