Restrict page if Auth::user()->id != user_id using middleware

Question

i use middleware to restrict the admin page from non-admins, and i can restrict pages with a list of "patients" from other users by using a policy, but if i use a policy. I have to repeat the code can() method in every function. If i use middleware to check if the user_id in the url == Auth::user()->id. I do not need to repeat this, but how do i get the user_id from the url in my middleware?

the route

Route::get('/patients/{patient}', 'PatientController@edit')

What i have now

PatientPolicy

public function view(User $user, Patient $patient)
    {
        // does this patient belong to user
        return $user->id == $patient->user_id;
    }

PatientController

public function edit(Patient $patient)
    {
        // authenticate logged in user
        $user = auth()->user();

        // can the loged in user do this?(policy)
        if($user->can('update', $patient)){
            return view('patient.edit-patient', compact('patient', 'user'));
        }
        return view('403');
    }

what i should have in a middleware

UserMiddleware

/**
 * @param $request
 * @param Closure $next
 * @return mixed
 */
public static function handle($request, Closure $next)
{
    if (Auth::check() && Auth::user()->id == User::patients()->user_id) {
        return $next($request);
    } else {
        return redirect()->route('login');
    }
}

Does somebody know how to check if the {patient} in the routes user_id == the logged in user()->id?

score 1 · Accepted Answer · answered Mar 31 '20 at 09:06

Since you have Illuminate\Http\Request object injected into handle function in middleware this is pretty straight forward to get patient id from url:

/**
 * @param $request
 * @param Closure $next
 * @return mixed
 */
public static function handle($request, Closure $next)
{
    $patientId = $request->patient; // patient id from url!

    $patient = Patient::find($patientId);

    if (!$patient) {
        return redirect()->back()->with(['message' => 'Patient not found!']);
    }

    if (Auth::check() && (int) Auth::user()->id === (int) $patient->id) {
        return $next($request);
    } else {
        return redirect()->route('login');
    }
}

O YEAH! This helped me alot, but i did need to tweak it a little bit. Because find gets a list of al the patients, but i only need to restrict the page of 1 patient that doesn't belong to that user. So i wil post how i fixed it thanks to your help. — Jeffrey van der Kruit, Mar 31 '20 at 09:32

score 0 · Answer 2 · answered Mar 31 '20 at 09:37

Thank you @Leorent,

Your answer helped me alot and this is how it got fixed

Route

Route::get('/patients/{patient}', 'PatientController@show')->middleware('user');

UserMiddeware

public static function handle($request, Closure $next)
    {
        $patientId = $request->patient->user_id; // user_id from patient in url!

        if (Auth::check() && (int) Auth::user()->id == $patientId) {
            return $next($request);
        } else {
            return redirect()->route('403');
        }
    }

Thanks again!

Restrict page if Auth::user()->id != user_id using middleware

2 Answers2