
Laravel 5 Middleware "Owner"?

I'm having trouble creating the "owner" middleware.

For example, I have an Articles and a User model associated by the user_id key.

I want to add the "owner" middleware to the ArticlesController, so that only the owner of that article can edit, update and delete it.

I've been searching for this issue for a while, but never found code that would work. Some of them tried to make it work with Form Requests, but I'm interested in using Middleware.

Lado Lomidze asked Dec 10 '22 23:12


2 Answers

  1. Create middleware:
php artisan make:middleware OwnerMiddleware

<?php

namespace App\Http\Middleware;

use App\Article;
use Closure;
use Illuminate\Contracts\Auth\Guard;

class OwnerMiddleware
{
    /**
     * The Guard implementation.
     *
     * @var Guard
     */
    protected $auth;

    /**
     * Create a new filter instance.
     *
     * @param  Guard  $auth
     * @return void
     */
    public function __construct(Guard $auth)
    {
        $this->auth = $auth;
    }

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
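    public function handle($request, Closure $next)
    {
        // Second URL segment, e.g. "5" in /articles/5/edit.
        $articleId = $request->segments()[1];
        // findOrFail() throws ModelNotFoundException when the article does not exist.
        $article = Article::findOrFail($articleId);

        // user() is part of the Guard contract and returns null for guests.
        $user = $this->auth->user();

        // Compare as strings: some database drivers return ids as strings.
        if ($user === null || (string) $article->user_id !== (string) $user->id) {
            abort(403, 'Unauthorized action.');
        }

        return $next($request);
    }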
}
  2. Add it to app\Http\Kernel.php:
protected $routeMiddleware = [
    'owner' => 'App\Http\Middleware\OwnerMiddleware',
];
  3. Use middleware in your routes:
Route::group(['middleware' => ['owner']], function() {
    // your route
});
Limon Monte answered Dec 15 '22 00:12


Alternatively, you could use route and middleware parameters. This has some advantages:

  • Even if the request structure changes your middleware would still work
  • The middleware is reusable for different resources
  • You can use it inside controllers

Here’s the middleware (app/Http/Middleware/AbortIfNotOwner.php):

<?php

namespace App\Http\Middleware;

use Closure;

class AbortIfNotOwner
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string    $resourceName
     * @return mixed
     */
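    public function handle($request, Closure $next, $resourceName)
    {
        // Route parameter named after the resource, e.g. {articles}.
        $resourceId = $request->route()->parameter($resourceName);

        // find() returns null when the row does not exist.
        $resource = \DB::table($resourceName)->find($resourceId);
        if ($resource === null) {
            abort(404);
        }

        // $request->user() is null for unauthenticated requests.
        $user = $request->user();
        if ($user === null || $user->id != $resource->user_id) {
            abort(403, 'Unauthorized action.');
        }

        return $next($request);
    }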
}

Inside app\Http\Kernel.php:

protected $routeMiddleware = [
     'owner' => 'App\Http\Middleware\AbortIfNotOwner',
];

Inside your route file (app/Http/routes.php):

Route::group(['middleware' => ['owner:articles']], function() {
    // your route
});

And optionally call it in the controller:

public function __construct()
{
    // Only edit and update are covered here; add 'destroy' to protect deletes too.
    $this->middleware('owner:articles', ['only' => ['edit', 'update']]);
}
Gluten answered Dec 14 '22 23:12
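
The ownership decision both answers implement, as an added stand-alone PHP example (not code from either answer): it also covers a guest request, a missing article, a non-numeric URL segment and ids that the database driver returns as strings. ownerCheckStatus(), the sample rows and the 401 for guests are assumptions of this example.

```php
<?php
// Constructed sample rows standing in for the articles table. user_id is a
// string here, which is how some PDO drivers return integer columns.
$articles = [
    1 => ['id' => 1, 'user_id' => '7'],
    2 => ['id' => 2, 'user_id' => '8'],
];

/**
 * Hypothetical helper (not a Laravel API): the status an owner middleware
 * should produce. 200 = call $next, 401 = guest, 404 = no such resource,
 * 403 = authenticated but not the owner.
 */
function ownerCheckStatus(array $table, $resourceId, $authUserId)
{
    if ($authUserId === null) {
        return 401; // never dereference a missing user
    }
    // Accept only canonical positive integer ids from the URL.
    if (!is_scalar($resourceId) || !preg_match('/\A[1-9][0-9]*\z/', (string) $resourceId)) {
        return 404;
    }
    $key = (int) $resourceId;
    if (!isset($table[$key])) {
        return 404; // a missing row must not turn into a 500
    }
    // Normalize both sides so int 7 and string '7' match and nothing else does.
    if ((string) $table[$key]['user_id'] !== (string) $authUserId) {
        return 403;
    }
    return 200;
}

// [resource id from the URL, authenticated user id or null, expected status]
$cases = [
    'owner, int ids'    => [1, 7, 200],
    'owner, string ids' => ['1', '7', 200],
    'other user'        => [1, 8, 403],
    'guest'             => [1, null, 401],
    'missing article'   => [99, 7, 404],
    'segment "create"'  => ['create', 7, 404],
];

foreach ($cases as $label => $c) {
    $got = ownerCheckStatus($articles, $c[0], $c[1]);
    printf("%-18s expected %d, got %d%s\n", $label, $c[2], $got, $got === $c[2] ? '' : '  <-- MISMATCH');
}
```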