Prevent access using spatie permissions

[snapey]

I offer a solution for protecting the logs using Spatie's Laravel Permissions package;

Create a permission

For instance 'view-logs'. User will need this permission, or a role that provides this permission to access the logs.

Learn how to set up permissions

Create a middleware

app\Http\MiddlewareViewLogs.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ViewLogs
{
    public function handle(Request $request, Closure $next)
    {
        if (Auth::check() && Auth::user()->hasPermissionTo('view-logs')) {
            return $next($request);
        }

        abort(401, 'Unauthorised');
    }
}

Create a name for this middleware

In app\Http\Kernel.php

Add the following to $routeMiddleware array

        'view-logs' => \App\Http\Middleware\ViewLogs::class,

Add middleware to the the log viewer config

    /*
    |--------------------------------------------------------------------------
    | Log Viewer route middleware.
    |--------------------------------------------------------------------------
    | The middleware should enable session and cookies support in order for the Log Viewer to work.
    | The 'web' middleware will be applied automatically if empty.
    |
    */

    'middleware' => ['web', 'view-logs'],

[arukompas]

Great post @snapey ! 👏 Added some links to the Spatie's package for easier navigation 😄

[ghoshriju33]

I absolutely love the package middlewares provided by spatie/laravel-permission

If you have the package middlewares setup already, then you can easily use them in the log viewer route middleware.

Here is permalink to the doc:

https://spatie.be/docs/laravel-permission/v5/basic-usage/middleware#content-package-middleware

So using something like ['permission:publish articles|edit articles'] does the job very conveniently 😀

[bestiony]

easy and simple . thanks
is there a trick to limit access to certain files only
I did sth like this but it's not working properly

<?php

namespace App\Http\Middleware;

use App\Traits\HttpResponses;
use Closure;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;

class LogFileViewMiddleware
{
    use HttpResponses;
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        $requestedLogFile = $request->query('file');
        $file_name = data_get(explode('-', $requestedLogFile), 1);
        $user = Auth::user();
        if (
            $file_name
            && $file_name != "api_user.log"
            && !$user->is_admin()
        ) {
            throw new AuthorizationException('You are not authorized to view this file');
        }
        return $next($request);
       
    }
}

`

[somarkn99]

@bestiony how to send token with blade file?

[somarkn99]

how to set the token in the blade file?
I try it with local storage but always I see 401

<script>
    window.LogViewer = @json($logViewerScriptVariables);

    // Add additional headers for LogViewer requests like so:
    var token = localStorage.getItem('Authorization');
    window.LogViewer.headers['Authorization'] ='Bearer ' + token;

</script>

[somarkn99]

@snapey can you help please?

[arukompas]

Is the token available in localStorage?

Use console.log to make sure it's available before it's added to Log Viewer's auth headers.

[somarkn99]

@arukompas Yes it is, I printed it with the console.log and I can see the value

check this please for more details:
https://stackoverflow.com/questions/78021498/authorizing-access-to-log-viewer-with-token

[arukompas]

@somarkn99 are you using Apache web server by any chance?

If so, check this:
https://stackoverflow.com/questions/26475885/authorization-header-missing-in-php-post-request/26791450#26791450

[mhgolij]

Hi, Just add this to middleware in config file:

    'middleware' => [
        'web',
        'can:view-logs', //this middleware provided by spatie
        \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
    ],

[nerisonpitogo]

Great thanks.

[fahmiegerton]

I did everything in here, but in production, it always redirects to homepage, but in localhost, it works. Logs are empty. Maybe there's a special settings on production? Thanks

[arukompas]

Hey @fahmiegerton , when using custom authentication rules (not the viewLogViewer gate or LogViewer::auth($callback) callback), you should either disable the production authentication requirement in the Log Viewer config:

-    'require_auth_in_production' => true,
+    'require_auth_in_production' => false,

or remove the use of the Log Viewer's authorization middleware (also in the Log Viewer config):

    'middleware' => [
        'web',
-       \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
    ],

    //
    
    'api_middleware' => [
        \Opcodes\LogViewer\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
-       \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
    ],

[ApXaHgheJI]

@snapey
Maybe something like that even can be more easy - in case when you use Teams ( because for each team then you need to assign permission or role )
if (Auth::check() && Auth::user()->hasAnyRole('Super User')) { return $next($request); }