Laravel 5.3 Auth block user

laravel authentication laravel-5.3 laravel-authorization
nameless picture nameless · Nov 16, 2016 · Viewed 8.2k times · Source

I have a question, I'm currently developing a little site with Laravel 5.3 and I'm using the Basic Auth from them for users to register and login.

Now I want the following: Everybody can register and login, but if I click on a button (as an admin), I can "block" one specific user (for example if he did something not allowed), I don't completely delete the row in the database, but somehow make sure that if the user tries to login he get's a message saying something like "you can't login any more, your account is blocked, contact admin for more info" or something similar. The question is: Whats the best way to do this? I didn't find something built in, correct me if I'm wrong... Ofcourse, I could just alter the users table and add a column called "blocked", set to false normally, then with the button, set it to true and then when logging in somehow checking for this value and (if it's true) showing this message and not allowing log in. Is this the best way to do this? If yes, where would I have to check for this value and how can I show the message then? If not, whats the better way?

Answer

jackel414 picture jackel414 · Nov 16, 2016

I would do what you're suggesting - use a blocked or active column to indicate if the user should be able to log in. When I've done something similar in the past, to check this value upon login, I moved the out-of-the-box login function into my LoginController and added to it a bit. My login method now looks like this:

/**
 * Handle a login request to the application.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return \Illuminate\Http\Response
 */
public function login(Request $request)
{
    $this->validateLogin($request);

    $user = User::where('email', $request->email)->firstOrFail();
    if ( $user && !$user->active ) {
        return $this->sendLockedAccountResponse($request);
    }

    if ($this->hasTooManyLoginAttempts($request)) {
        $this->fireLockoutEvent($request);

        return $this->sendLockoutResponse($request);
    }

    if ($this->attemptLogin($request)) {
        return $this->sendLoginResponse($request);
    }

    $this->incrementLoginAttempts($request);

    return $this->sendFailedLoginResponse($request);
}

I also added these functions to handle users who weren't active:

/**
 * Get the locked account response instance.
 *
 * @param \Illuminate\Http\Request  $request
 * @return \Illuminate\Http\Response
 */
protected function sendLockedAccountResponse(Request $request)
{
    return redirect()->back()
        ->withInput($request->only($this->loginUsername(), 'remember'))
        ->withErrors([
            $this->loginUsername() => $this->getLockedAccountMessage(),
        ]);
}

/**
 * Get the locked account message.
 *
 * @return string
 */
protected function getLockedAccountMessage()
{
    return Lang::has('auth.locked')
            ? Lang::get('auth.locked')
            : 'Your account is inactive. Please contact the Support Desk for help.';
}

Related questions

Laravel: Auth::user()->id trying to get a property of a non-object

I'm getting the following error "trying to get a property of a non-object" when I submit a form to add a user, the error is apparently on the first line: Auth::user()->id of the following: $id = Auth::…

Read More
Laravel: What is "remember_token" in the "users" DB table?

Is it safe to use the remember_token in the users table for authenticating the user into the application? What is the purpose of this token? Currently, I'm using it in forms to check whether the user is logged in …

Read More
Laravel 5 check whether a user is logged in

I am new to Laravel 5 and trying to understand its Auth process. I want to prevent user to reach some of my pages unless the user is not logged in. Trying to make it with Route:filter but it does …

Read More