ItzMe488

Reputation: 191

How do I tell Laravel that if a thread belongs to this user, allow him to

I'm doing a blog with the Laravel Framework and I already have a Login/Register and a thread section. In my blog you can only edit a thread if you're logged in. Now I have the problem that if I'm logged in, I can edit and delete every thread. It doesn't matter if it's my thread or if it is from another user. Well, now I need something to tell my Laravel code that I'm only allowed to edit/delete my own threads.

I've found this: https://laravel.com/docs/5.2/authorization#defining-abilities

But I don't really understand how to implement this in my code. And do I need any reference in my database, like this user belongs to this thread?

Well, I'm kind of new to Laravel. I hope someone can help me.

PS: I'm sorry for my bad English, I'm from Germany.

Edit/Update/Delete functions:

public function edit($id)
{
    // Loads the thread for any logged-in user; there is no ownership check yet
    $thread = Thread::query()->findOrFail($id);
    return view('test.edit', [
        'thread' => $thread
    ]);
}

public function update($id, StoreRequest $request)
{
    $thread = Thread::query()->findOrFail($id);
    // Mass-assigns every request field; relies on $fillable in the Thread model
    $thread->fill($request->all());
    $thread->save();
    return redirect(action('Test\\TestController@show', [$thread->id]));
}

public function destroy($id)
{
    $thread = Thread::query()->findOrFail($id);
    $thread->delete();
    return redirect(action("Test\\TestController@index"));
}

My thread model:

public function user() {
    // The second argument is the foreign key column on the threads table
    return $this->belongsTo(User::class, "name");
}

How I add a new thread:

If I press "add thread" I'm directed to the add function in my controller:

Add function:

public function add()
{
    return view('test.add', [
        'entries' => Thread::query()->get()
    ]);
}

In my add.blade I have my form, and this form directs me to the "store function" in my controller:

Store function:

public function store(StoreRequest $request)
{
    // Creates the thread from every request field; no owner is recorded
    Thread::create($request->all());
    return redirect(action('Test\\TestController@index'));
}

Upvotes: 2

Views: 359

Answers (1)

oseintow

Reputation: 7381

You can attach the user_id to the thread, so that any time you want to update or delete, you check whether the currently logged-in user bears that user_id and then act accordingly.

Add user_id to the threads table.

Then in your save() function, do this:

// Needs: use Illuminate\Http\Request; use Illuminate\Support\Facades\Auth;
public function save(Request $request){
    $thread = new Thread;
    // Take the owner from the authenticated session, never from request input
    $thread->user_id = Auth::user()->id;
    // rest of fields goes here
    $thread->save();
}

Then in your edit, update or delete functions:

public function edit($id)
{
    $thread = Thread::query()->findOrFail($id);

    // You can use laravel authorization/policies to achieve this too
    if($thread->user_id != Auth::user()->id){
       // Return to view with your custom error message telling
       // the user he is not authorized to edit this thread;
       // abort(403) is the simplest way to stop right here
       abort(403, 'You are not authorized to edit this thread.');
    }

    return view('test.edit', [
        'thread' => $thread
    ]);
}

public function update($id, StoreRequest $request)
{
    $thread = Thread::query()->findOrFail($id);

    // You can use laravel authorization/policies to achieve this too
    if($thread->user_id != Auth::user()->id){
       // Return to view with your custom error message telling
       // the user he is not authorized to edit this thread
       abort(403, 'You are not authorized to edit this thread.');
    }

    // Note: if user_id is in $fillable, $request->all() lets the client
    // overwrite the owner; $request->except('user_id') avoids that
    $thread->fill($request->all());
    $thread->save();
    return redirect(action('Test\\TestController@show', [$thread->id]));
}

public function destroy($id)
{
    $thread = Thread::query()->findOrFail($id);

    // You can use laravel authorization/policies to achieve this too
    if($thread->user_id != Auth::user()->id){
       // Return to view with your custom error message telling
       // the user he is not authorized to delete this thread
       abort(403, 'You are not authorized to delete this thread.');
    }

    $thread->delete();
    return redirect(action("Test\\TestController@index"));
}

Upvotes: 2
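The policy route the answer mentions, written out as an added example (not code from the question or the answer): a ThreadPolicy holds the ownership rule in one place, is mapped to the model in AuthServiceProvider, and the controller calls `$this->authorize()` so a non-owner gets a 403 before anything is changed. It assumes the `user_id` column the answer suggests, Laravel 5.2's default `App\Thread` and `App\User` classes, and the `AuthorizesRequests` trait that the base Controller already uses.

```php
<?php
// --- app/Policies/ThreadPolicy.php (added example; assumes threads.user_id) ---
namespace App\Policies;
use App\Thread;
use App\User;

class ThreadPolicy
{
    // Single ownership rule shared by every ability below
    private function owns(User $user, Thread $thread)
    {
        // Cast both sides so a strict compare works even if one id is a string
        return (int) $user->id === (int) $thread->user_id;
    }

    public function update(User $user, Thread $thread)
    {
        return $this->owns($user, $thread);
    }

    public function delete(User $user, Thread $thread)
    {
        return $this->owns($user, $thread);
    }
}

// --- app/Providers/AuthServiceProvider.php: map the model to its policy ---
//   protected $policies = [
//       \App\Thread::class => \App\Policies\ThreadPolicy::class,
//   ];

// --- in Test\TestController (the controller from the question) ---
public function update($id, StoreRequest $request)
{
    $thread = Thread::query()->findOrFail($id);
    $this->authorize('update', $thread);          // 403 for anyone but the owner
    // Never let request input reassign ownership, whatever $fillable says
    $thread->fill($request->except('user_id'));
    $thread->save();
    return redirect(action('Test\\TestController@show', [$thread->id]));
}

public function destroy($id)
{
    $thread = Thread::query()->findOrFail($id);
    $this->authorize('delete', $thread);
    $thread->delete();
    return redirect(action('Test\\TestController@index'));
}
```

In the Blade template, `@can('update', $thread)` can hide the edit and delete links from non-owners, but the controller check above is what actually enforces the rule.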
