Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Laravel prevent users from editing/viewing other users' resources

Tags:

php

laravel

In my laravel app I have multiple user accounts who have resources that are assigned to them. Say, for example, a "payment". To edit or view a payment a user would visit the /payment/edit/{payment} route (where payment is the payment ID).

Although I have an auth filter to stop un-logged in users from accessing this page there is nothing to stop, for example, user 1 from editing user 2's payment.

Is there a filter I can user that checks which user a payment (or any other resource) belongs to prevent this kind of issue?

[I am using Laravel's model bindings which automatically fetches the model specified by the route rather than me get it in the controller using eloquent.]

like image 651
harryg Avatar asked Mar 20 '23 02:03

harryg

2 Answers

No such filter exists by default, however you can easily create one (depending on how your database is set up). Within app/filters.php, you may do something like this:

Route::filter('restrictPermission', function($route)
{
    $payment_id = $route->parameter('payment');

    if (!Auth::user()->payments()->find($payment_id)) return Redirect::to('/');
});

This compares the currently logged in user's payment_id (in your database) to the {payment} argument passed into the route. Obviously, depending on how your database is set up (for instance if the payment_id is in a separate table) you need to change the conditional.

Then, apply the filter to your route:

Route::get('/payment/edit/{payment}', array('before' => 'restrictPermission'));
like image 143
seeARMS Avatar answered Mar 27 '23 16:03

seeARMS

One way is to place a where statement in every relevant query. Although not very pretty, it works.

$payment = Payment::where('user_id', '=', Auth::user()->id)->find($id);

It's also possible to use url filters like seeARMS is suggesting, however I think it's not very elegant. The most logical place to nest such logic is in the model itself. One possibility is to use model events, but this gives you only the option to intercept update, insert or delete statements, not selects. This might change in the future. Maybe you could use boot() event, but I'm not sure if this is gonna work.

Last but not least you could use query scopes. 

class Payment extends Eloquent {

    public function scopeAuthuser($query)
    {
        return $query->where('user_id', '=', Auth::user()->id);
    }
}

and in the queries you attach the scope

Payment::authuser()->find($id);

You could do this on a base Model and extend from it, so you have that method in all your relevant models.

like image 35
aebersold Avatar answered Mar 27 '23 16:03

aebersold
Sign in to Comment

Related questions

Access array's values by its key
How to avoid page refreshing on anchor (<a></a>) tag click?
Yii CGridView filter on button click
PHP - Is there a way to "include" a string as a file?
Get array elements 3 by 3 using foreach
fat free framework find and cast
Routing issue with Laravel, AngularJS and CORS
How to get number of digits in both right, left sides of a decimal number
Editing Magento order confirmation email
Opencart Get Category URL based from Category ID
Asynchronous popen exec in PHP on Windows
difference between E_ALL ^ E_NOTICE and E_ALL & ~E_NOTICE
Codeigniter: Unable to create thumbnail for multiple images
Can I change the iframe src according to the url?
WordPress: Custom Post Type, Send Data to "register_meta_box_cb" Arg
Laravel 4 remove Index.php from URL
Barcode reader calling submit function in my form
Is it possible to terminate a code part when it's execution time is getting longer than a specified time limit?
Php: Add variable amount days to Y-m-d date format
php challenge: parse pseudo-regex

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!