Andreu Ramos

Reputation: 2908

Laravel Access Control with Model Objects

I need to restrict access to some parts of the application depending on the logged-in user. For example, I mean letting a user edit only their own posts in a blog application.

Is there a better approach than, in every function of the controller, redirecting to some error page if the user is not the owner of the required post?

For example, if my routes are /post/{post_id}/edit, /post/{post_id}/preview, /post/{post_id}/delete, can I somehow declare a general function in the PostController like:

if(Post::find($post_id)->user_id != Auth::user()->id){
    return View::make('access-error');
}

Thanks!

Upvotes: 3

Views: 701

Answers (2)

user1939648

In your controller you can do something like this:

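// Actions that require the logged-in user to own the post.
public $check = ['edit', 'preview', 'delete'];

public function callAction($method, $parameters) {
    if (in_array($method, $this->check, true) && isset($parameters['post_id'])) {
        // Look the post up once; find() returns null for an unknown id.
        $post = Post::find($parameters['post_id']);

        // Deny when the post does not exist or belongs to another user.
        if (!$post || $post->user_id != Auth::user()->id) {
            return View::make('access-error');
        }
    }

    return parent::callAction($method, $parameters);
}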

Upvotes: 1

Coloured Panda

Reputation: 3467

You could throw a 401 error and catch it elsewhere to display a custom page

App::abort(401);

http://laravel.com/docs/4.2/errors#handling-404-errors

Upvotes: 0
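The centralized ownership check discussed in the answers above, as an added framework-free PHP example that is not part of the original posts. It shows the cases a single guard has to deny (guest, missing post, another user's post). The helper `authorizePostAction`, the `GUARDED` list, the status-code mapping and the sample rows are assumptions made for illustration.

```php
<?php
// Constructed sample rows standing in for the posts table (post id => row).
$posts = [
    1 => ['user_id' => 10],
    2 => ['user_id' => 20],
    3 => ['user_id' => 0], // orphaned row with owner id 0
];

// Actions that need the ownership check (same list as $check in the answer).
const GUARDED = ['edit', 'preview', 'delete'];

// Hypothetical helper, not a Laravel API. Returns an HTTP-style status:
// 200 allowed, 401 not logged in, 403 not the owner, 404 no such post.
function authorizePostAction(array $posts, ?int $userId, string $action, string $postId): int
{
    if (!in_array($action, GUARDED, true)) {
        return 200; // action is not ownership-protected
    }
    if ($userId === null) {
        return 401; // guest: decided before any ownership comparison
    }
    // Route parameters arrive as strings; accept plain digits only.
    if (!ctype_digit($postId) || !isset($posts[(int) $postId])) {
        return 404; // a missing post must not fall through to the action
    }
    // Strict comparison: with loose == / !=, null and 0 compare equal in PHP.
    return ((int) $posts[(int) $postId]['user_id'] === $userId) ? 200 : 403;
}

// Constructed requests: [user id or null for guest, action, post_id from URL].
$requests = [
    [10, 'edit', '1'],     // owner of the post
    [10, 'delete', '2'],   // someone else's post
    [null, 'edit', '3'],   // guest against the row whose user_id is 0
    [10, 'preview', '99'], // post does not exist
    [20, 'index', '1'],    // action outside the guarded list
];
foreach ($requests as [$uid, $action, $pid]) {
    $status = authorizePostAction($posts, $uid, $action, $pid);
    printf("user=%-4s %-8s post=%-3s -> %d\n", var_export($uid, true), $action, $pid, $status);
}
```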
