Laravel-permission: Question: Sanctum

Created on 31 Mar 2020 · 2 Comments · Source: spatie/laravel-permission

In Sanctum you can generate a token for a user like this:

$user->createToken(
 'laravel-forge', // role
 ['server:create', 'server:delete'] // permissions
);

//then check the token like this
$user->tokenCan('server:create');

Should I still use your package? Because it looks amazing...

Or just use the simpler Sanctum package?

Labels: question, support

All 2 comments

Don't use Sanctum tokens' scopes as a permission check. Those scopes define what that token enables its owner to do. You should still check whether the user has permission to do the requested action.

Sanctum tokens that are generated for your own SPA will always return true for ->tokenCan(). The following is quoted from the Token Abilities section on Sanctum's documentation page:

For convenience, the tokenCan method will always return true if the incoming authenticated request was from your first-party SPA and you are using Sanctum's built-in SPA authentication.
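The two-layer check described in the comment above, as an added example; it is not code from the issue, from Sanctum, or from spatie/laravel-permission. It assumes a Laravel app with both packages installed, the `HasApiTokens` and `HasRoles` traits on the `User` model, and a hypothetical `ServerController` with invented route and method names. The token ability says what the presented token was issued for; the laravel-permission check says what the user is actually allowed to do. Because `tokenCan()` returns true for first-party SPA requests, the second check is the one that carries the authorization decision.

```php
<?php
// Added example, not from the issue thread or from either package.
// Assumes: Laravel, laravel/sanctum, spatie/laravel-permission,
// User uses HasApiTokens + HasRoles. ServerController and its routes are
// hypothetical names chosen for illustration.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class ServerController extends Controller
{
    // Issue a token whose abilities are capped by what the user may already do,
    // so a token can never grant more than the user's own permissions.
    public function issueToken(Request $request): JsonResponse
    {
        $user = $request->user();

        // Requested abilities (constructed sample for the example).
        $requested = ['server:create', 'server:delete'];

        // getAllPermissions() comes from laravel-permission's HasPermissions trait
        // and includes permissions inherited via roles.
        $granted = $user->getAllPermissions()->pluck('name')->all();

        // Keep only the abilities the user genuinely holds.
        $abilities = array_values(array_intersect($requested, $granted));

        $token = $user->createToken('laravel-forge', $abilities);

        return response()->json([
            'token'     => $token->plainTextToken,
            'abilities' => $abilities,
        ], 201);
    }

    public function store(Request $request): JsonResponse
    {
        $user = $request->user();

        // Layer 1: token ability (Sanctum scope). This only narrows what the
        // presented token may be used for. For first-party SPA sessions
        // tokenCan() always returns true, so it must not be the only check.
        if (! $user->tokenCan('server:create')) {
            return response()->json(
                ['message' => 'Token was not issued with the server:create ability'],
                403
            );
        }

        // Layer 2: user permission (laravel-permission). This answers whether
        // the user is allowed to do this at all, however they authenticated.
        // laravel-permission registers its permissions with Laravel's Gate,
        // so $user->can() behaves like $user->hasPermissionTo() here.
        if (! $user->can('server:create')) {
            return response()->json(
                ['message' => 'User lacks the server:create permission'],
                403
            );
        }

        // ... create the server resource here ...

        return response()->json(['message' => 'created'], 201);
    }
}
```

Intersecting the requested abilities with `getAllPermissions()` at issuance time means a revoked permission is also reflected the next time a token is minted, while the `can()` check in `store()` catches revocations for tokens that already exist.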

Thanks
