Question 15304 in Laravel Question posted in
The official Laravel Documentation can be found here.

Laravel 10.4: Problem with policy. User Users should only edit their own posts

I Newbie and am trying to learn Laravel, and I am doing some exercises for Laravel’s main functions.
I have created a Dashboard where users can add their own posts, however I have noticed that when I open the page to edit the post and change the post ID in the URL, the page opens to edit another user’s post. In this case, I would like the 403 page to be displayed. I have followed the instructions on the Laravel website (https://laravel.com/docs/10.x/authorization#writing-policies) to set a policy, but with these instructions I get the 403 page in every post-edit, even in those where I am the owner.
users are related to the Posts in the DB via the user_id column.
Who can help me?

postpolicy.php

use AppModelsPost;
use AppModelsUser;
use IlluminateAuthAccessResponse;

    public function view(User $user, Post $post): bool
    {
        return $user->id == $post->user_id;
    }

PostController.php

use IlluminateHttpRequest;
use AppModelsPost;
use AppModelsUser;
use DB;
use IlluminateSupportFacadesAuth;
use IlluminateViewView;

class PostController extends Controller
{
    public function __construct()
    {
        $this->middleware('auth');
    }


          public function edit(Request $request, Post $post, User $user,  $id)
      {


    $this->authorize('view', $user->post);
    $posts = DB::select('select * from posts where id = ?',[$id]);
     return view('post-edit', ['posts'=>$posts, 'user' => $request->user(),]);
    }
   
}

Models –> Post.php

use IlluminateDatabaseEloquentFactoriesHasFactory;
use IlluminateDatabaseEloquentModel;
use AppPoliciesPostPolicy;

class Post extends Model
{
    protected static function boot()
        {
        parent::boot();

        static::creating(function ($post) {
            $post->user_id = auth()->user()->id;
        });
        } }

Route.php

Route::get('post-edit/{id}/edit', [AppHttpControllersPostController::class, 'edit'])->name('post.show');
 Route::put('post-edit/{id}', [AppHttpControllersPostController::class, 'update'])->name('post.edit');
Tags:

2

Answers


  1. 0

    In edit() method, You are checking the policy for the ‘user->post’ instead of the ‘$post’ object

    $this->authorize('view', $post);
    Login or Signup to reply.
  2. 0

    There are some things wrong in your codes. It should be:

    public function edit(Request $request, $id)
{
   $post = Post::findOrFail($id);
   $this->authorize('view', $post);
   return view('post-edit', compact('post'));
}

    If you use Implicit Binding https://laravel.com/docs/10.x/routing#implicit-binding like below:

    Route::get('post-edit/{post}/edit', [AppHttpControllersPostController::class, 'edit'])->name('post.show');

    You can do:

    //The name of $post parameter is the same to the segment {post} 
public function edit(Request $request, Post $post)
{
   $this->authorize('view', $post);
   return view('post-edit', compact('post'));
}
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search