Reputation: 191
Well, my headline pretty much says everything I need. I'm building a little website for myself, just to learn the Laravel framework. I created a login/register and some functions to create a thread or to delete/edit a thread. My current problem is that it doesn't matter whether the user who is logged in is the same one who wrote a thread. Just the fact that the user is logged in allows him to edit or delete every single thread on my webpage. That's of course not how it should be... That's why I'd like to get the relation that says: if the user who is logged in has some threads, then allow him to delete or edit his own threads. If the user isn't the one who wrote the thread, then don't show him the option to delete or edit the thread at all.
Now this is my current HTML, or rather a snippet of it:
    @if (Auth::check())
        <div class="panel-footer">
            {!! Former::horizontal_open()->method('DELETE')->action(action("Test\\TestController@destroy", $thread->id))->id('conf') !!}
            {!! Former::danger_submit('Delete') !!}
            {!! Former::close() !!}
            <a href="{{ URL::route('edit', $thread->id) }}">
                <div class="btn btn-primary">Edit</div>
            </a>
        </div>
    @endif
    </div>
    <a href="#">
        <div class="btn pull-right"><a href="{{ action('Test\\TestController@index') }}">Go back</a></div>
    </a>
So this just checks if the user is logged in; if not, he doesn't see the edit/delete button. If he is logged in, of course he sees them.
Now I need code to say: if he is the same one who wrote the thread, then allow him to edit/delete it.
Well, I really don't know how I can do this and I haven't really found anything for this.
I have two models. One for all the threads and one for all the users.
I did a 'belongsTo' relation in my thread model, and said that it belongs to the name attribute in my user table.
Thread Model:
    <?php
    namespace App\Models\Thread;

    use Illuminate\Database\Eloquent\Model;

    class Thread extends Model {
        public $table = 'thread';

        public $fillable = [
            'thread',
            'content',
        ];

        public function user() {
            return $this->belongsTo(User::class, "name");
        }
    }
User Model:
    <?php
    namespace App\Models\Thread;

    use Illuminate\Database\Eloquent\Model;

    class User extends Model {
        public $table = 'users';

        public $fillable = [
            'name',
        ];
    }
Well, I'm stuck. I hope someone can help me with this.
Thanks for any help and support.
Other code parts that may help:
    Route::get('/show/{id}', 'Test\\TestController@show');
    Route::get('/show/{id}/edit', 'Test\\TestController@edit')->name('edit');
    Route::put('/show/{id}/edit', ['as' => 'editing', 'uses' => 'Test\\TestController@update']);
    Route::delete('/show/{id}', 'Test\\TestController@destroy')->name('destroy');
Those are all the routes I have to just show the thread, or to delete/edit the thread.
Controller: that is the show function that gives me the view with the buttons:
    public function show($id)
    {
        $thread = Thread::query()->findOrFail($id);

        return view('test.show', [
            'thread' => $thread,
        ]);
    }
Upvotes: 1
Views: 392
Reputation: 1057
I think the best way of doing what you want is using the Request class. You just need to create a new Request:
    <?php
    namespace App\Http\Requests;

    /** Remember to include here the classes you are using,
     * in your case it would be something like this:
     */
    use App\Models\Thread\Thread;
    use Auth;

    class EditThreadRequest extends Request {
        /**
         * Determine if the user is authorized to make this request.
         *
         * @return bool
         */
        public function authorize()
        {
            /**
             * You can get the thread id from your view
             * using for example a hidden input
             * {!! Form::hidden('id', $thread->id) !!}
             */
            $thread = Thread::findOrFail($this->get('id'));

            return $thread->user->id === Auth::user()->id;
        }

        /**
         * Get the validation rules that apply to the request.
         *
         * @return array
         */
        public function rules()
        {
            return [
                // Your validation rules
            ];
        }
    }
The above function will return true if the thread belongs to that user, allowing the user to continue with the request.
After this you just need to include the freshly created request in your edit function like this and it will automatically check if user can edit the thread:
    public function edit(EditThreadRequest $request)
    {
        // Your code
    }
Hope this helps!
Upvotes: 1
Reputation: 5082
You could use Laravel's ability system.
Or when editing your thread in the controller you could do something like this:
    $thread = Thread::findOrFail($thread_id);

    // Stop the request if nobody is logged in OR the logged-in user is not the author
    if (!Auth::check() ||
        $thread->user()->first()->id != Auth::user()->id) {
        abort(404); // Stop the user
    } else {
        // Edit the thread
    }
EDIT TO YOUR EDIT:
Does this work out for you?
    public function show($id)
    {
        $thread = Thread::findOrFail($id);

        // Stop the request if nobody is logged in OR the logged-in user is not the author
        if (!Auth::check() ||
            $thread->user()->first()->id != Auth::user()->id) {
            abort(404); // Stop the user
        }

        return view('test.show', [
            'thread' => $thread,
        ]);
    }
Upvotes: 1
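The ability system mentioned in the last answer, written as a policy; this is an added example, not code from any poster in this thread. The ownership check runs in the controller against the thread loaded from the route id, so it applies to a request sent without the buttons as well, and the PUT update action needs the same authorize call as edit. Assumptions: the thread table has a user_id column holding the author's users.id, and ThreadPolicy, the test.edit view and the controller namespace are names chosen here.

```php
<?php
// Added example, not from the thread. Assumed: thread.user_id stores the
// author's users.id; ThreadPolicy and the test.edit view are names chosen here.
namespace App\Policies {
    use App\Models\Thread\Thread;

    class ThreadPolicy
    {
        // $user is whatever Auth::user() returns; guests are denied before this runs.
        public function update($user, Thread $thread)
        {
            return (int) $user->id === (int) $thread->user_id;
        }

        public function delete($user, Thread $thread)
        {
            return $this->update($user, $thread);
        }
    }
}

// Register in App\Providers\AuthServiceProvider:
//     protected $policies = [Thread::class => ThreadPolicy::class];

namespace App\Http\Controllers\Test {
    use App\Http\Controllers\Controller;
    use App\Models\Thread\Thread;

    class TestController extends Controller
    {
        public function edit($id)
        {
            $thread = Thread::findOrFail($id);    // id taken from the route
            $this->authorize('update', $thread);  // 403 unless the author
            return view('test.edit', ['thread' => $thread]);
        }

        public function destroy($id)
        {
            $thread = Thread::findOrFail($id);
            $this->authorize('delete', $thread);
            $thread->delete();
            return redirect()->action('Test\\TestController@index');
        }
    }
}

// In the Blade view, wrap the buttons in @can('update', $thread) ... @endcan
// instead of @if(Auth::check()); the controller checks still do the enforcing.
```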