
I want a middleware on my website for: people can edit their own posts but not others' posts. I tried this:

I get all posts that have the same post->user_id and user_id

$matches = Post::where('user_id', auth()->user()->id);

This gives back an array of posts that match the condition

Now what I want is to check if you are on a post that matches this condition; if the post->user_id and user_id do not match, abort.

This is what I have, but you still can get on posts where the condition is NOT met.

if (!$matches){
    abort(403);
}

return $next($request);

Abort when the criteria are not met and return the request when they are met.

2 Answers


  1. If you’re inside a post, I guess you will get the Post ID inside your request as well. Something like http://127.0.0.1:5500/posts/1

    Then you can get both the Post and User ID. Use both values to determine whether the user is authorized for the post or not.

    Example:
    Assume you have added the post ID URL Param as post_id

    // Only proceeds when a post with this id exists AND belongs to the
    // current user. exists() matters: a query Builder object is always
    // truthy, so `if (! $match)` on a bare where() would never abort.
    $match = Post::where('user_id', auth()->id())
        ->where('id', $request->route('post_id'))
        ->exists();
    
    if (! $match) {
       abort(403);
    }
    
    return $next($request);
    
    
  2. Instead of using middleware, why not use a Policy? And since you will edit a post, you can also use a Form Request. I suggest you use a Form Request,
    then edit authorize() and add the condition there.

    Okay, let's say you are using Route Model Binding.

    //route (routes/web.php)
    
    use App\Http\Controllers\PostController;
    
    // {post} is resolved to a Post model by route model binding
    Route::put('/post/{post}', [PostController::class, 'update']);
    
    //controller
    
    public function update(Post $post, UpdatePostRequest $request) {...}
    
    

    You can directly check if the user is the owner inside authorize(), assuming that you have defined the relationship between Post and User:

    // app/Models/User.php
    public function posts(): HasMany
    {
        return $this->hasMany(Post::class);
    }
    
    // app/Models/Post.php
    public function user(): BelongsTo
    {
        return $this->belongsTo(User::class);
    }
    
    //request (app/Http/Requests/UpdatePostRequest.php)
    namespace App\Http\Requests;
    
    use Illuminate\Foundation\Http\FormRequest;
    use Illuminate\Support\Facades\Auth;
    
    class UpdatePostRequest extends FormRequest
    {
        /**
         * Determine if the user is authorized to make this request.
         *
         * @return bool
         */
        public function authorize()
        {
            // $this->post is the Post resolved by route model binding ({post}).
            // BelongsTo::is() compares the foreign key with the user's key
            // without an extra query and returns false for a guest (null user),
            // so a failed check ends in a 403 response.
            return $this->post->user()->is(Auth::user());
        }
    
        /**
         * Get the validation rules that apply to the request.
         *
         * @return array<string, mixed>
         */
        public function rules()
        {
            return [
                // Your validation rules
            ];
        }
    }
    
    

    It works if you are updating the post, but if you just want to prevent the user from accessing a post they do not own, put this in your middleware:

    // {post} is already a Post model here because SubstituteBindings runs
    // before route middleware; anything else (missing/unbound) is refused too.
    $post = $request->route('post');
    
    if (! $post instanceof Post || ! $post->user()->is(Auth::user())) {
        abort(403);
    }
    
    return $next($request);
    
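The Policy-based version of the same ownership check, as an added example that is not part of the question or of either answer. It shows the three files involved (paths in comments): the policy, the route with the `can` middleware, and the controller. `PostPolicy`, `PostController`, the route name and the controller body are assumptions; only `Post`, `User`, `UpdatePostRequest` and `update()` come from the answers above. Laravel's policy auto-discovery maps `App\Models\Post` to `App\Policies\PostPolicy`, so no manual registration is needed.

```php
<?php
// Added example, not code from the question or the answers.
// Assumed names: App\Policies\PostPolicy, App\Http\Controllers\PostController.
// Post, User, UpdatePostRequest and update() come from the answers above.

// ---- app/Policies/PostPolicy.php ----
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Called for $user->can('update', $post), $this->authorize('update', $post)
    // and the route middleware can:update,post. A guest never reaches it: the
    // Gate denies an ability whose callback requires a User when nobody is
    // logged in.
    public function update(User $user, Post $post): bool
    {
        // The decision is made on THIS post's foreign key against the caller's
        // key. A query for "any post I own" (the approach in the question) says
        // nothing about the post currently being edited.
        return $post->user_id === $user->getKey();
    }
}

// ---- routes/web.php ----
use App\Http\Controllers\PostController;
use Illuminate\Support\Facades\Route;

// 'auth' first so guests are sent to login; 'can:update,post' then calls
// PostPolicy::update with the bound {post} model and aborts with 403 on false.
// This is the "middleware" the question asked for, without writing one.
Route::put('/post/{post}', [PostController::class, 'update'])
    ->middleware(['auth', 'can:update,post']);

// ---- app/Http/Controllers/PostController.php ----
namespace App\Http\Controllers;

use App\Http\Requests\UpdatePostRequest;
use App\Models\Post;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;

class PostController extends Controller
{
    use AuthorizesRequests;

    public function update(UpdatePostRequest $request, Post $post)
    {
        // Defence in depth: re-run the same policy here, so the check survives
        // if the route is later moved or the middleware is dropped.
        // Throws AuthorizationException (rendered as 403) when the policy denies.
        $this->authorize('update', $post);

        // Only validated input reaches the model; no mass assignment of user_id.
        $post->update($request->validated());

        return back();
    }
}
```

The policy keeps the ownership rule in one place, so the route middleware, the controller call and the `@can('update', $post)` Blade directive all agree; changing the rule (for example, letting an admin role edit any post) means editing one method rather than hunting through middleware and form requests.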