I am wondering how the following is possible in Laravel 4. I have a filter to check whether a user is authenticated on all routes that match user/*. My filter works as it is supposed to, but let's say that a user is logged in; their URL will look something like user/id. How do I prevent an authenticated user from viewing another user?
Another approach is to change your URLs. Why have a URL like user/{id}? Just change it to, for example, user/profile and inside the controller do something like:
$user = Auth::user();
That way the user just can't fake his id. I only use URLs with the id in the admin area, where I need to edit some user:
/admin/{id}/edit
In your Auth filter you can access the route parameter ('user/{id}') and check the logged-in user's id against the id passed in the URL, like:
Route::filter('auth', function($route)
{
// get the id from the route
$id = $route->getParameter('id');
// deny guests, and deny authenticated users whose id does not match the one in the url
if (Auth::guest() || Auth::user()->id != $id) {
// access is denied
return Redirect::to('/');
}
});
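Putting both answers together, here is an added example of a complete app/routes.php for Laravel 4 (it is not code from either answer above). It keeps the authentication check and the ownership check as two separate filters so the guest case cannot be forgotten, applies them to every user/{id} route through a route group, constrains {id} to digits, and also shows the profile route that needs no id at all. UserController and the user.show view are assumed to exist; they are placeholders, not part of the original question.

```php
<?php
// app/routes.php (Laravel 4) -- added example, not the answerers' code.
// Assumes a UserController with show() and edit() actions and a user.show view.

// 1. Authentication: guests never reach the controller.
Route::filter('auth', function()
{
    if (Auth::guest()) {
        return Redirect::guest('login');
    }
});

// 2. Ownership: the {id} in the URL must be the logged-in user's own id.
//    Runs after 'auth', so Auth::user() is never null here.
Route::filter('owner', function($route, $request)
{
    $id = $route->getParameter('id');
    if ((int) $id !== (int) Auth::user()->id) {
        // A 403 makes the denial visible in the access log; a silent redirect hides it.
        App::abort(403, 'Forbidden');
    }
});

// Only digits are accepted for {id}, so a non-numeric id is a 404 before any filter runs.
Route::pattern('id', '[0-9]+');

// Both filters, in order, on every user/{id} route.
Route::group(array('prefix' => 'user', 'before' => 'auth|owner'), function()
{
    Route::get('{id}',      'UserController@show');
    Route::get('{id}/edit', 'UserController@edit');
});

// The first answer's alternative: no id in the URL, so there is nothing to tamper with.
Route::get('profile', array('before' => 'auth', function()
{
    $user = Auth::user();
    return View::make('user.show', compact('user'));
}));
```

The point of the split is that the ownership filter compares against the authenticated session, never against anything the client supplies, and the guest case is handled before it rather than being mixed into the same condition. Admin routes that legitimately take another user's id (the /admin/{id}/edit case from the first answer) would get their own filter that checks a role instead of ownership.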