Friday, October 30, 2015

Should I check for permission on controller if already checking on middleware?

I created a middleware that checks if the user is authorized to perform an action and added this middleware to the routes that I want to protect like this:

// VerifyPermission middleware

class VerifyPermission {

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request $request
     * @param  \Closure $next
     * @param $permission
     * @return mixed
     */
    public function handle($request, Closure $next, $permission)
    {
        $user = auth()->user();

        if (auth()->check() && $user->hasPermission($permission))
        {
            return $next($request);
        }

        return redirect('/');
    }
}

// Routes

Route::patch('company/{id}', ['as' => 'updateCompany',
                              'uses' => 'SettingsController@updateCompany',
                              'middleware' => 'permission:manage_company']
);

My question is, is it necessary to make another check on updateCompany or is the middleware check sufficient?

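public function updateCompany()
{
    // Reject callers without the permission before doing any work;
    // abort() throws, so nothing below runs for them.
    if (! Auth::user()->hasPermission('manage_company'))
    {
        abort(403, "Unauthorized");
    }

    // Updates Company
}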



via Chebli Mohamed
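
Added example, not part of the original post: when the permission check lives only in route middleware, the controller action is protected only on the routes that declare that middleware. This stand-alone PHP script (no Laravel required) audits a constructed route table, shaped like the route array in the question, for routes that reach a protected action without its `permission:` middleware; the second and third routes, `showCompany`, `view_company` and the function name `findUnguardedRoutes` are hypothetical.

```php
<?php
// Constructed sample data: only the first route comes from the question.
$routes = [
    ['method' => 'PATCH', 'uri' => 'company/{id}',
     'uses' => 'SettingsController@updateCompany',
     'middleware' => 'permission:manage_company'],
    // Hypothetical second route to the same action, registered without the middleware.
    ['method' => 'PUT', 'uri' => 'api/company/{id}',
     'uses' => 'SettingsController@updateCompany'],
    ['method' => 'GET', 'uri' => 'company/{id}',
     'uses' => 'SettingsController@showCompany',
     'middleware' => ['auth', 'permission:view_company']],
];

/**
 * Return the routes that reach a protected action without the expected
 * "permission:<name>" middleware.
 *
 * @param array $routes   route definitions (method, uri, uses, middleware)
 * @param array $required map of "Controller@action" => permission name
 * @return array list of "METHOD uri -> action (missing permission:x)" strings
 */
function findUnguardedRoutes(array $routes, array $required): array
{
    $findings = [];
    foreach ($routes as $route) {
        $action = $route['uses'];
        if (!isset($required[$action])) {
            continue; // action is not expected to be permission-protected
        }
        // 'middleware' may be absent, a single string, or a list of strings.
        $middleware = (array) ($route['middleware'] ?? []);
        $expected = 'permission:' . $required[$action];
        if (!in_array($expected, $middleware, true)) {
            $findings[] = sprintf('%s %s -> %s (missing %s)',
                $route['method'], $route['uri'], $action, $expected);
        }
    }
    return $findings;
}

$required = [
    'SettingsController@updateCompany' => 'manage_company',
    'SettingsController@showCompany'   => 'view_company',
];

foreach (findUnguardedRoutes($routes, $required) as $finding) {
    echo $finding, PHP_EOL;
}
```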
