CODEWITHSUNDEEP
phplaravel
S.A.Th.
S.A.Th.

Reputation: 53

Pass current user to route in Laravel?

I'm trying to make a "Profile settings" section in an application. The thing is, I learned how to do this the "Admin" way, the route would be /users/{user}/edit, the would call the edit method on the controller and it would return the edit view. There I would have a form which the user would patch to the route users/{user} and it would call the update method on the controller.

But I don't want anyone editing other users, so I'd like to know if there's a way to limit this route to the current user only.

Thanks in advance.

Upvotes: 0

Views: 2586

Answers (3)

Gadzhev
Gadzhev

Reputation: 442

Since version 5.1 Laravel has Policies which are exactly what you need.

You can create a new policy by typing in command:

php artisan make:policy UserPolicy

In your UserPolicy class you can include the following method:

public function updateProfile(User $user, User $updatedUser) {
    return $user->id === $updatedUser->id;
}

Please note: The first parameter $user is resolved automatically behind the scenes and is the currently logged in user. When checking the policy through the Gate facade in your application you need to pass only the second parameter $updatedUser.

Then you need to register your policy in the AuthServiceProvider:

use Acme\User;
use Acme\Policies\UserPolicy;
...

class AuthServiceProvider extends ServiceProvider {

protected $policies = [
    User::class => UserPolicy::class
]

Now when you have your policy registered you can check it across your app using the Gate facade like so:

if(Gate::allows('updateProfile', $user)) {
    // Your logic goes here
}

Or the other approach with I like more using the denies method and include it at the beginning of my controller methods and return http error:

public function edit($id) {
    if(Gate::denies('updateProfile', $user)) {
        abort(403, 'You do not have permissions to access this page!');
    }

    // The check is passed and your can include your logic
}

You can also check for permissions in your blade files using can and cannot like so:

@can('updateProfile', $user)
// Show something only to the user that can edit the $user's profile
@endcan

For more info check the docs.

Upvotes: 1

Iftikhar uddin
Iftikhar uddin

Reputation: 3192

In the view there should be a button or link, on click pass the ID to the desired route that's it.

Example:

For Grabbing the current logged in User id you should do like

$user = Auth::user()->id;

And directly in the route you can get it like

<a href="{{ url('route', Auth::user()->id;  }}">Edit</a>

Now when someone clicks on the Edit Button/Link, the route will look like route/currentuserid.

Upvotes: 1

Simon Davies
Simon Davies

Reputation: 3684

you should not need to pass in the user id as there user is already logged in and there for should be able to edit themselves, thus only targetting the logged in user.

So you can use the routes /user/editand /user/updateetc

Just get the current user details like 

   Auth::user()->id

or something else like 

   $user = Auth::user();

Thus only the logged in user (themselves) can be edited.

Upvotes: 1

Related Questions