
I am currently working on a project where the user creates models that only he/she is allowed to see, edit or delete.

The create part is done by Eloquent relationships, but for the other operations I would like to combine it with route model binding rather than doing it manually in the controller. I tried solving it with middleware, but I couldn't access the resource.

Can somebody point me in the right direction? Any best practices are welcome!

Florian Bauer

1 Answer


Personally I use route model binding, but only allow the model to bind if the user owns the record.

This means that, no matter what, people can never access someone else's record. So for example, in my route I can do

    // Route parameter {property} is resolved by the custom binding below.
    $router->get('property/{property}', ['uses' => 'PropertyController@show']);

Then in my RouteServiceProvider:

    $router->bind('property', function ($value) {

        // Look the record up by its key; a missing record yields a 404.
        $property = \App\Property::findOrFail($value);

        // Refuse to bind a record that the authenticated user does not own.
        if ((int) $property->user_id !== (int) auth()->id()) {
            abort(404);
        }

        return $property;
    });

So in the example above, we have a property route, and it will try to find the property record given. It will then check that the user owns the record; otherwise it throws a 404 (but you could just redirect or something, up to you).

Laurence
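As an added example (not code from the question or the answer above), here is the same ownership-scoped binding wired up for the show, edit and delete operations the question asks about, with the ownership condition folded into the query so that a record owned by someone else resolves exactly like a record that does not exist. The file paths, the `auth` middleware group, the Laravel 5-style string controller syntax and the `App\Property` model are assumptions taken from the answer's conventions.

```php
<?php
// app/Providers/RouteServiceProvider.php (assumed file; Laravel 5-style layout)
namespace App\Providers;

use App\Property;
use Illuminate\Support\Facades\Route;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;

class RouteServiceProvider extends ServiceProvider
{
    public function boot()
    {
        parent::boot();

        // Resolve {property} only among the authenticated user's own records.
        // Scoping the query (instead of loading the record and then comparing
        // user_id) means a record that exists but belongs to another user fails
        // in exactly the same way as a record that does not exist: findOrFail()
        // throws ModelNotFoundException, which Laravel renders as a 404. The URL
        // space therefore reveals nothing about other users' records.
        Route::bind('property', function ($value) {
            return Property::where('user_id', auth()->id())->findOrFail($value);
        });
    }
}

// routes/web.php (assumed file). Every route that receives {property} gets the
// ownership check from the binding, so show, update and destroy need no
// per-action ownership code in the controller. The 'auth' middleware rejects
// guests before the binding runs, so auth()->id() is never null inside it.
Route::middleware('auth')->group(function () {
    Route::get('property/{property}', 'PropertyController@show');
    Route::put('property/{property}', 'PropertyController@update');
    Route::delete('property/{property}', 'PropertyController@destroy');
});
```

With the binding registered, the controller actions simply type-hint `Property $property` and can trust that the instance they receive belongs to the current user.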