Thursday, 10 March 2016

Laravel Policies - Before / After Update?

I'm a bit confused about the best way to use the Policy classes in Laravel.

Let's say I have a User and a Post, and I have a policy method for updating a post that checks that a User owns the post.

Should I pass the Post object into the authorize method immediately after loading it from the database? Or once I have updated the fillable values?

My issue is that if the user_id changes on the Post, either the authorize method will allow the user to change the post even if they do not own it, or it will allow them to change the user to someone else, meaning they lose access to it.

Does this mean I need to call $this->authorize('update', $post) both before and after I update its values?

$post = Post::findOrFail($id);
$this->authorize('update', $post); // Should I call it here
$post->fill($request->input());
$this->authorize('update', $post); // Or here? Or, both places?

Alternatively, should I be using Request Validation to ensure that the user cannot enter IDs of entities they cannot access?
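The two failure modes described in the question (authorizing after fill lets a non-owner pass, or lets the owner hand the post to someone else; authorizing before fill lets a mass-assigned user_id reassign ownership) can be reproduced without a framework. The following is an added example, not code from the original post or from Laravel itself: the User, Post, PostPolicy and authorize() names are stand-ins that mirror Laravel's conventions, and the Post class models only the $fillable whitelist behaviour of Eloquent's fill(). It shows that authorizing against the record as loaded, combined with keeping user_id out of the fillable list, removes the need for a second authorize call.

```php
<?php
// Added example, not from the original post or from Laravel: a framework-free
// model of the "authorize before or after fill()" question. All names are stand-ins.

final class User {
    public function __construct(public int $id) {}
}

final class Post {
    public array $attributes;
    // Mirrors Eloquent's $fillable whitelist; passed in so both variants can be compared.
    public function __construct(array $attributes, private array $fillable) {
        $this->attributes = $attributes;
    }
    public function fill(array $input): self {
        foreach ($input as $key => $value) {
            if (in_array($key, $this->fillable, true)) {   // non-fillable keys are dropped
                $this->attributes[$key] = $value;
            }
        }
        return $this;
    }
}

final class PostPolicy {
    public function update(User $user, Post $post): bool {
        return $user->id === $post->attributes['user_id'];
    }
}

final class AuthorizationException extends RuntimeException {}

function authorize(User $user, string $ability, Post $post): void {
    if (!(new PostPolicy())->$ability($user, $post)) {
        throw new AuthorizationException('This action is unauthorized.');
    }
}

// Safe ordering: check ownership on the persisted state, then fill.
function updateAuthorizeFirst(User $actor, Post $post, array $input): Post {
    authorize($actor, 'update', $post);
    return $post->fill($input);
}

// The other ordering from the question: fill, then check the (possibly changed) state.
function updateFillFirst(User $actor, Post $post, array $input): Post {
    $post->fill($input);
    authorize($actor, 'update', $post);
    return $post;
}

// Constructed sample data: post 10 belongs to user 1; user 2 is an outsider.
$owner = new User(1);
$other = new User(2);
$hostileInput = ['title' => 'Changed', 'user_id' => 2];   // tries to move the post to user 2

// 1. user_id NOT fillable, authorize first: owner edits, ownership cannot change.
$post = new Post(['id' => 10, 'user_id' => 1, 'title' => 'Old'], ['title', 'body']);
$p = updateAuthorizeFirst($owner, $post, $hostileInput);
printf("case1 owner: user_id=%d title=%s\n", $p->attributes['user_id'], $p->attributes['title']);
// prints user_id=1 title=Changed

// 2. Same setup, non-owner: rejected before any attribute is touched.
$post = new Post(['id' => 10, 'user_id' => 1, 'title' => 'Old'], ['title', 'body']);
try {
    updateAuthorizeFirst($other, $post, $hostileInput);
} catch (AuthorizationException $e) {
    printf("case2 non-owner: %s title=%s\n", $e->getMessage(), $post->attributes['title']);
}

// 3. user_id fillable, authorize first: the owner passes, then reassigns the post away.
$loose = new Post(['id' => 10, 'user_id' => 1, 'title' => 'Old'], ['title', 'body', 'user_id']);
$p = updateAuthorizeFirst($owner, $loose, $hostileInput);
printf("case3 loose, authorize first: user_id=%d (ownership changed)\n", $p->attributes['user_id']);

// 4. user_id fillable, fill first: the owner is now rejected against their own post.
$loose = new Post(['id' => 10, 'user_id' => 1, 'title' => 'Old'], ['title', 'body', 'user_id']);
try {
    updateFillFirst($owner, $loose, $hostileInput);
} catch (AuthorizationException $e) {
    printf("case4 loose, fill first: owner locked out (%s)\n", $e->getMessage());
}
```

Cases 1 and 2 are the combination that needs only one authorize call: the check runs against what is actually stored, and fill() cannot alter the attribute the policy depends on. Cases 3 and 4 reproduce the two problems in the question and both stem from user_id being mass-assignable; the fix is to keep it out of $fillable (or to pass only an explicit whitelist such as $request->only(['title', 'body'])), which is a stronger guarantee than a second authorize call or a request-validation rule alone.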



via Chebli Mohamed
