
I have a quick question about Laravel Policies. I'm writing a very simple API. I have a Podcast object with some GET endpoints:

GET /api/podcasts => returns all podcasts
GET /api/podcasts/{podcast} => returns a given podcast

I'm using Policies bound to the Podcast model, and I use a $this->authorizeResource(Podcast::class); in the constructor of my PodcastController class. This works just fine; I can only access my own podcasts!

Now, I have subobjects, files for example. So I created a new endpoint:

GET /api/podcasts/{podcast}/files/{file} => returns a specific file of a podcast

I have added the $this->authorizeResource(Podcast::class); in the constructor of the FileController class. Doing this, I cannot enter any podcast ID into the URL, only my own, which is good. However, I can enter any file ID into the URL, including files not owned by a podcast belonging to me. For example:

GET /api/podcasts/1/files/3

Podcast #1 is mine, which is good. However, file #3 belongs to podcast #2 (not #1), which is NOT mine. I should get an unauthorized access at this point.

Any idea? Thanks

Axel


1 Answer


I actually found the beginning of a solution but I find it dirty. I wrote an explicit model binding condition:

    // Explicit binding for the {file} route parameter (e.g. in RouteServiceProvider::boot()).
    // Resolves the file only within the podcast given in the URL; any other file id is a 404.
    Route::bind('file', function ($value, $router) {
        return File::where('podcast_id', $router->parameter('podcast'))->findOrFail($value);
    });

What do you guys think about it? Thanks

Axel
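An alternative that keeps the parent/child ownership rule inside the authorization layer instead of the route binding, as an added example that is not part of the original question or answer. It assumes models App\Models\Podcast (with a user_id column) and App\Models\File (with a podcast_id column), an authenticated user, and the FilePolicy registered for File in AuthServiceProvider.

```php
<?php
// --- app/Policies/FilePolicy.php (assumed path) ---
namespace App\Policies;

use App\Models\File;
use App\Models\Podcast;
use App\Models\User;

class FilePolicy
{
    // Laravel forwards extra authorize() arguments after the model, so the
    // podcast taken from the URL arrives here as $podcast.
    public function view(User $user, File $file, Podcast $podcast): bool
    {
        // Deny unless the file actually hangs off the podcast named in the URL
        // AND that podcast belongs to the caller. Checking only $podcast would
        // reproduce the hole described in the question.
        return $file->podcast_id === $podcast->id
            && $podcast->user_id === $user->id;
    }
}

// --- app/Http/Controllers/FileController.php (assumed path) ---
namespace App\Http\Controllers;

use App\Models\File;
use App\Models\Podcast;

class FileController extends Controller
{
    public function __construct()
    {
        // Same parent check as in the question: show() -> PodcastPolicy::view.
        $this->authorizeResource(Podcast::class);
    }

    // GET /api/podcasts/{podcast}/files/{file}
    public function show(Podcast $podcast, File $file)
    {
        // Second element of the array is passed through to FilePolicy::view.
        $this->authorize('view', [$file, $podcast]);

        return $file;
    }
}
```

With this, GET /api/podcasts/1/files/3 from the question returns 403 from the policy rather than the 404 produced by the Route::bind approach, and the rule is exercised by the same policy tests as the rest of the API.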