I am currently working on roles, and so far everything has been working well, until I noticed something in one of the modules. The problem is the following: I have two user roles. The admin can consult all the users of all the referrals, while the referred user can only see their own users, and that works well. The problem is the URL.
http://statisticrol.test/panel/selector?_token=wlk3QhMgeki2d96OlzYRZQ42L7VCOY2kMdAS5OQ8&tipo=3
If I decide to change the number 3 to 5, I would be seeing the users of another referral. Perhaps this has happened to many; it is obviously a privacy and security problem for what I intend. Is there perhaps some way to hide or encrypt a GET route? Or what should I do in these cases?
This is my view
@extends('layouts.layout')
@section('content')
<section class="content">
<!-- <div class="col-md-10 col-md-offset-1"> -->
<table style="width:98%; margin-left:auto; margin-right:auto" border="1">
<tr><td>
@if(Session::has('success'))
<div class="alert alert-info">
{{Session::get('success')}}
</div>
@endif
<div class="panel panel-default">
<div class="panel-body">
<h3>Usuarios votantes</h3><br>
<table style="width:100%;" border="0" >
<tr><td style="width:50%;" border="0">
<form action="{{route('usuario.fecha')}}" method="get" >
<table style="width:100%;" border="0">
<tr><td style="width:100%;" border="0">
<label for="from">Desde</label>
<input type="text" id="from" name="from" placeholder="Año-Mes-Dia">
<label for="to" >Hasta</label>
<input type="text" id="to" name="to" placeholder="Año-Mes-Dia">
<button type="submit" class="btn btn-primary">enviar</button>
</td></tr>
</table>
</form></td>
<td style="width:25%;" border="0">
<form action="{{route('usuario.selector')}}" method="get" style="width:50%;" border="1" >
<table style="width:100%;" border="0">
<tr><td style="width:100%;" border="0">
{{-- csrf_field() removed: on a GET form the _token ends up in the URL, as in the address above --}}
<select name="tipo" id="tipo" class=" form-control" value="{{ old('tipo') }}" required style="width:150px">
@foreach($usuariosOpciones as $user_id => $usuario_ad)
<option value="{{ $user_id }}">{{ $usuario_ad }}</option>
@endforeach
</select>
</td>
<td style="width:50%;" border="1">
<button type="submit" class="btn btn-primary">enviar</button>
</td></tr>
</table>
</form></td>
<td style="width:25%;">
<form action="{{route('usuario.cedula')}}" method="get">
<table style="width:100%;" border="0">
<tr><td style="width:50%;" border="0">
{{-- csrf_field() removed for the same reason: GET forms do not need a CSRF token --}}
<input type="number" name="cc" id="cc" min="1111111" max="9999999999" class="form-control input-sm" value="{{ old('cedula') }}" placeholder="cedula" style="width:100%;"></td>
<td style="width:50%;" border="1"><button type="submit" class="btn btn-primary">enviar</button>
</td></tr>
</table>
</form>
</td></tr>
</table>
<br>
<div class="table-container">
<table id="mytable" class="table table-striped table-bordered">
<thead>
<tr>
<th>Usuario_ad</th>
<th>Nombre</th>
<th>Apellido</th>
<th>Cedula</th>
<th>Telefonos</th>
<th>Direccion</th>
<th>barrio</th>
<th>Lugar_v</th>
<th>Mesa_v</th>
<th>Email</th>
<th>Ciudad</th>
<th>Editar</th>
<th>Eliminar</th>
</tr>
</thead>
<tbody>
@if($usuarios->count())
@foreach($usuarios as $usuario)
<tr>
<td>{{$usuario->usuario_ad}}</td>
<td>{{$usuario->nombre}}</td>
<td>{{$usuario->apellido}}</td>
<td>{{$usuario->cedula}}</td>
<td>{{$usuario->telefonos}}</td>
<td>{{$usuario->direccion}}</td>
<td>{{$usuario->barrio}}</td>
<td>{{$usuario->lugar_votacion}}</td>
<td>{{$usuario->mesa_votacion}}</td>
<td>{{$usuario->email}}</td>
<td>{{$usuario->ciudad}}</td>
<td><a class="btn btn-primary btn-xs" href="{{action('UsuarioController@edit', $usuario->id)}}" ><span class="glyphicon glyphicon-pencil"></span></a></td>
<td>
<form action="{{action('UsuarioController@destroy', $usuario->id)}}" method="post">
{{csrf_field()}}
<input name="_method" type="hidden" value="DELETE">
<button class="btn btn-danger btn-xs" type="submit"><span class="glyphicon glyphicon-trash"></span></button>
</form>
</td>
</tr>
@endforeach
@else
<tr>
<td colspan="13">No hay registro !!</td>
</tr>
@endif
</tbody>
</table>
</td></tr>
</table>
<!-- </div> -->
</div>
{{ $usuarios->links() }}
</div>
</div>
</section>
@endsection
@section('scripts')
<script src="https://code.jquery.com/ui/1.12.1/jquery-ui.js"></script>
<script>
$( function() {
  // Date format shared by both pickers and by getDate(); it was undefined in the original.
  var dateFormat = "yy-mm-dd",
    from = $( "#from" )
      .datepicker({
        dateFormat: dateFormat,
        defaultDate: "+1w",
        changeMonth: true,
        numberOfMonths: 1
      })
      .on( "change", function() {
        // The "to" picker may not be earlier than the chosen "from" date.
        to.datepicker( "option", "minDate", getDate( this ) );
      }),
    to = $( "#to" )
      .datepicker({
        dateFormat: dateFormat,
        defaultDate: "+1w",
        changeMonth: true,
        numberOfMonths: 1
      })
      .on( "change", function() {
        // The "from" picker may not be later than the chosen "to" date.
        from.datepicker( "option", "maxDate", getDate( this ) );
      });

  // Parse the picker's text value into a Date, or null when it is not a valid date.
  function getDate( element ) {
    var date;
    try {
      date = $.datepicker.parseDate( dateFormat, element.value );
    } catch( error ) {
      date = null;
    }
    return date;
  }
} );
</script>
@endsection
The section in question is the one that has the usuario.selector route, and this is my method.
// Requires at the top of the controller: use App\User; use Illuminate\Http\Request;
/**
 * Display a listing of the resource, scoped by the role of the authenticated user.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return \Illuminate\Http\Response
 */
public function index(Request $request)
{
    $registrado = \Auth::user()->tipos_usuarios_id;
    $filtro = \Auth::user()->name;
    if ($registrado == 1) {
        $request->user()->authorizeRoles(['admin']);
        // Model class is App\User ("user::" relied on case-insensitive class names).
        $user = User::orderBy('id', 'DESC')->paginate(10);
        $conteo = User::count();
        return view('usuario.ecuenta')->with(["user" => $user, "conteo" => $conteo]);
    }
    if ($registrado == 2) {
        $request->user()->authorizeRoles(['referido']);
        $user = User::where("name", $filtro)->paginate(1);
        $conteo = User::where("name", $filtro)->count();
        return view('usuario.ecuenta')->with(["user" => $user, "conteo" => $conteo]);
    }
    // Any other role value used to fall through and return nothing; deny explicitly instead.
    abort(403);
}
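An added example, not the asker's code: the `tipo` parameter of the `usuario.selector` route is an object reference the client controls, so hiding or encrypting the URL does not fix the problem; the server has to decide, per request, whether the authenticated user is allowed to see that referral. The controller below does that. It assumes a hypothetical `referido_id` column on `User` (which referral user registered each voter record), a `selector` action on `UsuarioController`, and the role ids from the post (`tipos_usuarios_id` 1 = admin, 2 = referido).

```php
<?php
// Added example, not the asker's code. Hypothetical: the `referido_id` column,
// the `selector` action name. Role ids 1 = admin, 2 = referido follow the post.

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;

class UsuarioController extends Controller
{
    /**
     * Referral ids the authenticated user may consult. Computed on the server
     * from the session user, so nothing in the query string can widen it.
     */
    private function referidosPermitidos($actual)
    {
        if ($actual->tipos_usuarios_id == 1) {
            // Admin: every referral user in the system.
            return User::where('tipos_usuarios_id', 2)->pluck('id');
        }
        // Referido: only themselves.
        return collect([$actual->id]);
    }

    /**
     * GET /panel/selector?tipo=N
     */
    public function selector(Request $request)
    {
        $this->validate($request, ['tipo' => 'required|integer']);

        $actual     = $request->user();
        $permitidos = $this->referidosPermitidos($actual);
        $tipo       = (int) $request->input('tipo');

        // Changing `tipo` in the URL to a referral outside the allowed set now
        // yields 403 instead of another referral's voters.
        abort_unless($permitidos->contains($tipo), 403);

        $usuarios = User::where('referido_id', $tipo)
            ->orderBy('id', 'DESC')
            ->paginate(10)
            ->appends(['tipo' => $tipo]);   // keep the filter on the pagination links

        // Options for the <select>: only referrals this user is allowed to pick.
        $usuariosOpciones = User::whereIn('id', $permitidos)->pluck('name', 'id');

        return view('usuario.ecuenta', compact('usuarios', 'usuariosOpciones'));
    }
}
```

Two related points. First, the `_token` in the URL comes from `{{csrf_field()}}` inside a GET form; a CSRF token belongs in POST/PUT/DELETE forms only, and putting it in a GET URL leaks it into browser history, logs and Referer headers, so drop it from the GET forms. Second, Laravel's signed URLs (`URL::signedRoute`, available from 5.6) would stop a user from editing `tipo` by hand, but a signature only proves the URL was generated by the application, not that the current user may view that referral, so it is a complement to the check above, not a replacement for it.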