
This will be a bit of a long question. I'm finishing my application, but there are a few things left to be done before the end.

First: I made a few POST forms/functions. They work well, but if I don't pass one of the $request fields, it ends with an SQL bug. I read that to handle that I need validation, so I made a Request model with validation rules, but I don't know how to implement it in my Controller class.

This is how my request model and the create method inside my controller look:

use App\Models\Event;                 // adjust the namespace to your app (App\Event on older Laravel)
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function create(Request $request)
{
    $id = Auth::id();
    $event = new Event;
    $event->name = $request->name;
    $event->description = $request->description;
    $event->address = $request->address;
    $event->date_of_event = $request->date_of_event;
    $event->displayed = 0;
    // If no file was uploaded, $request->photo_patch is null and ->store() fails here
    $event->photo_patch = $request->photo_patch->store('images', 'public');
    $event->club_id = $request->club_id;
    $event->user_id = $id;
    $event->save();

    return redirect('events');
}
------------ Request ---------------------------

public function rules()
{
    return [
        'name' => 'required|max:50',
        'description' => 'required|max:100',
        'address' => 'required|max:63',
        'date_of_event' => 'required',
        'photo_patch' => 'required',
        'club_id' => 'required',
    ];
}

The second thing to protect is to split the views for admin and for user, since I did authorization via a Gate (admin-level) with a boolean admin column in the DB.

I'm thinking about doing validation like this:

public function index()
{
    $id = Auth::id();
    if (Gate::authorize('admin-level')) {
        $events = Event::get();
    }
    else {
        // Gate::authorize() throws AuthorizationException when denied, so this branch is never reached
        $events = Event::where('user_id', $id)->get();
    }
    return view('backend/event/index', ['events' => $events]);
}

but then, comes error:

Non static method 'authorize' should not be called statically.

Is there any way to bypass that? Or is there any better/easier way to authorize?

My third problem is to protect users' data from being changed by other users.

What do I mean by that?

Every user has access only to his own club/events, BUT if someone puts another ID in the URL, for example, he can edit every single club/event he wants. How can I prevent it?

And my final question: I'm protecting my routes with the auth middleware; is there any better way to do it?

Route::middleware(['auth'])->group(function () {
    // routes that require a logged-in user go here
});

Thank you in advance for answers.

MichalGrab
    Does this answer your question? [Why I'm getting 'Non-static method should not be called statically' when invoking a method in a Eloquent model?](https://stackoverflow.com/questions/18339716/why-im-getting-non-static-method-should-not-be-called-statically-when-invokin) – Martin Zeitler Aug 24 '21 at 22:05
  • It makes the question very complex when asking 3 questions in one. This could mean that your question will not be answered in the future as you kinda require people to answer all 3 questions. – mrhn Aug 24 '21 at 22:14
  • @mrhn I would have to spam 3 questions on Stack Overflow; this would probably take me 3 hours, since you can ask once every 90 mins. – MichalGrab Aug 24 '21 at 22:45
  • I see, but I still think it is more about grouping it together more logically. Stack Overflow is also for the next guy who faces the same issue, and grouping questions together makes indexing them harder. Meanwhile Stack Overflow also wants to be binary: there should be an arguably best answer that is not opinionated, and the more questions you put in, the fuzzier the answers get. Just a thought going forward; for this one it was fine :) – mrhn Aug 24 '21 at 22:51
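The validation part of the question, worked through as an added example (this is not the question's code): a FormRequest class and the controller method that type-hints it. It assumes the Laravel 8 namespaces App\Models\Event and App\Http\Requests, a clubs table whose user_id column holds the owner (the same column the policy in the answer below relies on), and that the upload field really is a file. The club_id rule also closes the gap where a user could submit a club_id belonging to someone else.

```php
<?php
// app/Http/Requests/StoreEventRequest.php (added example, not the question's code)
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

class StoreEventRequest extends FormRequest
{
    // Laravel calls authorize() before rules(); returning false produces a 403.
    public function authorize(): bool
    {
        return $this->user() !== null;
    }

    public function rules(): array
    {
        return [
            'name'          => ['required', 'string', 'max:50'],
            'description'   => ['required', 'string', 'max:100'],
            'address'       => ['required', 'string', 'max:63'],
            'date_of_event' => ['required', 'date'],
            // 'image' rejects non-image uploads; with only 'required' any file type is stored.
            'photo_patch'   => ['required', 'image', 'max:2048'],
            // The club must exist AND belong to the submitting user (assumes clubs.user_id);
            // otherwise anyone can attach an event to another user's club by editing club_id.
            'club_id'       => [
                'required',
                'integer',
                Rule::exists('clubs', 'id')->where('user_id', $this->user()->id),
            ],
        ];
    }
}

// app/Http/Controllers/EventController.php
namespace App\Http\Controllers;

use App\Http\Requests\StoreEventRequest;
use App\Models\Event;

class EventController extends Controller
{
    // Type-hinting the FormRequest makes Laravel validate before this body runs.
    // On failure it redirects back with the errors (422 JSON for API clients),
    // so no missing value ever reaches the model and the SQL error goes away.
    public function create(StoreEventRequest $request)
    {
        $data = $request->validated();   // only the validated keys, nothing else from the form

        $event = new Event;
        $event->name          = $data['name'];
        $event->description   = $data['description'];
        $event->address       = $data['address'];
        $event->date_of_event = $data['date_of_event'];
        $event->displayed     = 0;       // server-controlled, never taken from the request
        $event->photo_patch   = $request->file('photo_patch')->store('images', 'public');
        $event->club_id       = $data['club_id'];
        $event->user_id       = $request->user()->id;
        $event->save();

        return redirect('events');
    }
}
```

Using $request->validated() instead of reading $request->name etc. means that a field which is not in the rules cannot slip into the model even if the form sends it; the displayed flag and user_id stay under the server's control.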

1 Answer


Your gate should be called on the facade, which I do not believe you are doing. Please use the following Gate class.

use Illuminate\Support\Facades\Gate;

Validation can be implemented by calling validate() on your request object. This will also automatically throw an exception if it fails.

$validated = $request->validate([
    'name' => 'required|max:50',
    'description' => 'required|max:100',
    'address' => 'required|max:63',
    'date_of_event' =>'required',
    'photo_patch' =>'required',
    'club_id' =>'required',
]);

Disallowing users from editing other users' clubs: in general you control access to objects either with policies or with queries. This is an example with a policy.

use App\Models\Club;   // adjust the namespace to your app

public function find(Club $club)
{
    // Throws AuthorizationException (HTTP 403) when ClubPolicy::view returns false
    $this->authorize('view', $club);
}

use App\Models\User;

class ClubPolicy
{
    public function view(User $user, Club $club)
    {
        return $club->user_id === $user->id;
    }
}
mrhn
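The authorization side of the answer, carried through end to end as an added example (not the answer's or the question's code): the admin-level gate definition, a policy that is also registered for Event, the index split from the question rewritten so the non-admin branch is actually reachable, an edit action that stops the "change the ID in the URL" problem, and the route group. Two facts drive the shape of the index method: Gate::authorize() throws AuthorizationException instead of returning false, so an if/else around it never reaches the else branch, whereas Gate::allows() returns a bool. Assumed: the boolean users.admin column from the question, App\Models\* and App\Policies\* namespaces, and a backend/event/edit view next to the backend/event/index view the question names.

```php
<?php
// app/Providers/AuthServiceProvider.php (added example; assumes a boolean users.admin column)
namespace App\Providers;

use App\Models\Event;
use App\Models\User;
use App\Policies\EventPolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    // This mapping is what makes $this->authorize('update', $event) find EventPolicy
    protected $policies = [
        Event::class => EventPolicy::class,
    ];

    public function boot()
    {
        $this->registerPolicies();

        Gate::define('admin-level', fn (User $user) => (bool) $user->admin);
    }
}

// app/Policies/EventPolicy.php
namespace App\Policies;

use App\Models\Event;
use App\Models\User;

class EventPolicy
{
    // before() runs ahead of every ability: admins are allowed, everyone else falls through
    public function before(User $user, string $ability): ?bool
    {
        return $user->admin ? true : null;
    }

    public function view(User $user, Event $event): bool
    {
        return $event->user_id === $user->id;
    }

    public function update(User $user, Event $event): bool
    {
        return $event->user_id === $user->id;
    }
}

// app/Http/Controllers/EventController.php
namespace App\Http\Controllers;

use App\Models\Event;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;   // the facade, not some other Gate class

class EventController extends Controller
{
    public function index(Request $request)
    {
        // allows() returns a bool, so both branches are reachable;
        // Gate::authorize() would throw on denial and never reach the else case.
        $events = Gate::allows('admin-level')
            ? Event::all()
            : Event::where('user_id', $request->user()->id)->get();

        return view('backend/event/index', ['events' => $events]);
    }

    // Route-model binding loads the Event from the {event} URL segment; authorize()
    // then runs EventPolicy::update, so /events/42/edit with someone else's id is a 403.
    public function edit(Event $event)
    {
        $this->authorize('update', $event);

        return view('backend/event/edit', ['event' => $event]);   // assumed view name
    }
}

// routes/web.php
use App\Http\Controllers\EventController;
use Illuminate\Support\Facades\Route;

// auth keeps anonymous users out; the policy decides WHICH records a logged-in user may touch.
Route::middleware(['auth'])->group(function () {
    Route::resource('events', EventController::class);
});
```

The auth middleware group from the question is the right tool for its job and does not need replacing; it only answers "is anyone logged in?". The per-record question ("may this user touch this event?") is answered by the policy, and the same $this->authorize('update', $event) call belongs in update() and destroy() as well, since the edit form is not the only request that can carry a foreign ID.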