
I have a many to many relationship that I'm working with between User and Task models. A user belongs to many tasks and a task belongs to many users. I have a pivot table called task_user.

In my API, I have a route defined as follows:

Route::get('/users/{user}/tasks', 'TaskUserController@all');

I want to write a policy to enforce that the currently logged in user, auth()->user(), is the user being requested in the route. Basically, a user can only view their own tasks.

How can I write a policy class for the nested resource controller TaskUserController?

Timothy Fisher

1 Answer


Nesting of your resource has nothing to do with making policies.

Make your UserPolicy.

class UserPolicy
{
    // $authorizedUser is the authenticated user, $user is the one bound from {user};
    // Model::is() compares class, primary key and connection, not just the id value.
    public function view(User $authorizedUser, User $user)
    {
        return $authorizedUser->is($user);
    }
}

In your controller, you can authorize the action, with the authorize() helper. Alternatively it can be executed in your form request with Auth::user()->can().

class TaskController extends Controller
{
    public function all(User $user)
    {
        // authorize() comes from the AuthorizesRequests trait on the base Controller;
        // it throws an AuthorizationException (rendered as 403) when the policy denies.
        $this->authorize('view', $user);

        return $user->tasks;
    }
}
mrhn