Is it recommended to write Insert / Update / Delete Authorization code in the same Request class?

I am writing the code below in the request class for verification and authorization. Thus, the code below is for adding / updating entries.

<?php

namespace App\Http\Requests;

use App\Http\Requests\Request;

class UserRequest extends Request
{
    public function authorize()
    {
        return \Auth::user()->isAdmin();
    }

    public function rules()
    {
        return [
            'UserName' => 'required|max:50|min:3|unique:tbluser,UserName,'
                . \Request::get('UserID') . ',UserID',
        ];
    }
}

My question is: Do I have to write code to check whether the current user is allowed to delete the entry? For this, should I use the same request class that is used to add / update, or another class specifically for delete authentication? If I use the same class, then the rules() intended to add / update will be executed.

+4
3 answers


<?php

namespace App\Http\Requests;

use App\Http\Requests\Request;

class UserRequest extends Request
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        // $this->method() honours Laravel's _method spoofing, so a form
        // submitted with _method=DELETE is seen here as DELETE.
        switch ($this->method()) {
            // Show single record or multiple records
            case 'GET':
            default:
                return true;

            // Change a record: only administrators may do so
            case 'POST':
            case 'PUT':
            case 'PATCH':
            case 'DELETE':
                return (bool) \Auth::user()->isAdmin();
        }
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules()
    {
        switch ($this->method()) {
            // Nothing to validate when reading or deleting
            case 'GET':
            case 'DELETE':
                return [];

            // Creating: the name must not exist yet
            case 'POST':
                return [
                    'UserName' => 'required|max:50|min:3|unique:tbluser,UserName',
                ];

            // Updating: ignore the row being edited in the uniqueness check
            case 'PUT':
            case 'PATCH':
                return [
                    'UserName' => 'required|max:50|min:3|unique:tbluser,UserName,'
                        . \Request::get('UserID') . ',UserID',
                ];

            // Any other verb: rules() must always return an array, never null
            default:
                return [];
        }
    }
}


+2

Laravel authorize() true. :

namespace App\Http\Controllers;

use Auth;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Foundation\Bus\DispatchesJobs;
use Illuminate\Foundation\Validation\ValidatesRequests;
use Illuminate\Routing\Controller as BaseController;

class Controller extends BaseController
{
    use AuthorizesRequests, DispatchesJobs, ValidatesRequests;

    public function authorizeSameOwner($entity)
    {
        if (Auth::user()->is_admin) {
            return;
        }
        $this->authorize("same-owner", $entity);
    }
}

authorize() , AuthServiceProvider. :

namespace App\Providers;

use Illuminate\Contracts\Auth\Access\Gate as GateContract;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
    ];

    /**
     * Register any application authentication / authorization services.
     *
     * @param  GateContract  $gate
     * @return void
     */
    public function boot(GateContract $gate)
    {
        $this->registerPolicies($gate);

        $gate->define("same-owner", function ($user, $entity) {
            if ($user->is_admin) {
                return true;
            }

            if (method_exists($entity, "getOwnerId")) {
                $ownerId = $entity->getOwnerId();
            } else {
                $ownerId = $entity->owner_id;
            }
            return $user->id === $ownerId;
        });
        $gate->define("same-user", function ($user, $entity) {
            return $user->is_admin || $user->id === $entity->id;
        });
    }
}


/**
 * Update the specified resource in storage.
 *
 * @param  StayRequest  $request
 * @param  Stay $stay
 * @return Response
 */
public function update(StayRequest $request, Stay $stay)
{
    $this->authorizeSameOwner($stay);

    $stay->update($request->all());

    return redirect()->route("stays.index");
}

/**
 * Remove the specified resource from storage.
 *
 * @param  Stay $stay
 * @return Response
 */
public function destroy(Stay $stay)
{
    $this->authorizeSameOwner($stay);

    $stay->delete();

    return redirect()->route("stays.index");
}
+2
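The same ownership rule as the "same-owner" Gate closure above can be expressed as a Policy class and then consumed from a FormRequest's authorize(), which answers the original question of where the delete check lives. This is an added example, not code from the answer above or from Laravel itself. It assumes Laravel 5.1 or later, an App\Stay Eloquent model with an owner_id column, an is_admin flag on the User model, and a route parameter named {stay} bound to the model; the class names StayPolicy and DeleteStayRequest are invented for the illustration.

```php
<?php
// Added example (not from the answer above): the "same-owner" Gate closure
// expressed as a Policy class, and a FormRequest whose authorize() uses it.
// Assumptions: App\Stay model with owner_id, users.is_admin flag, and a
// route parameter {stay} resolved to the model by route model binding.

// app/Policies/StayPolicy.php
namespace App\Policies;

use App\Stay;
use App\User;

class StayPolicy
{
    /**
     * Administrators pass every ability check; returning null here
     * lets the specific method below decide for everyone else.
     */
    public function before(User $user, $ability)
    {
        if ($user->is_admin) {
            return true;
        }
    }

    /** Only the owner may change a stay (int cast avoids "1" !== 1). */
    public function update(User $user, Stay $stay)
    {
        return (int) $user->id === (int) $stay->owner_id;
    }

    /** Deleting is governed by the same ownership rule. */
    public function delete(User $user, Stay $stay)
    {
        return $this->update($user, $stay);
    }
}

// app/Providers/AuthServiceProvider.php (only the mapping is shown)
namespace App\Providers;

use App\Policies\StayPolicy;
use App\Stay;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [
        Stay::class => StayPolicy::class,
    ];
}

// app/Http/Requests/DeleteStayRequest.php
namespace App\Http\Requests;

use App\Http\Requests\Request;

class DeleteStayRequest extends Request
{
    public function authorize()
    {
        // Take the model from the route ({stay}), never from the request
        // body, so the client cannot point the check at another record.
        $stay = $this->route('stay');

        return $stay !== null && $this->user()->can('delete', $stay);
    }

    public function rules()
    {
        return [];   // nothing to validate for a delete
    }
}

// Controller usage: type-hinting the request runs authorize() before the
// method body, so a non-owner never reaches $stay->delete().
//
// public function destroy(DeleteStayRequest $request, Stay $stay)
// {
//     $stay->delete();
//     return redirect()->route("stays.index");
// }
```

A failed authorize() yields a 403 before the controller runs, and the policy is reusable from Blade (`@can('delete', $stay)`) and from `$this->authorize('delete', $stay)` in controllers, so the rule is defined once rather than once per request class.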



CreateUserRequest ...

If you think that some of these actions can be resolved by the same rule (isAdmin in this case), you can also create an abstract AdminRequest that will handle this authorization. Again, if the system is not complicated at all.

+2
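The abstract AdminRequest suggested above, written out as an added example (not code from the answer or the question): one base class carries the shared administrator check and each action gets its own small request class, so the delete request has no add/update rules to run. It assumes the tbluser table with UserID / UserName columns from the question, an isAdmin() method on the User model, and routes of the form POST /users, PUT|PATCH /users/{id} and DELETE /users/{id}; the three concrete class names are invented for the illustration.

```php
<?php
// Added example, not code from the question or the answers: one abstract
// request with the shared "must be an administrator" check, plus a
// concrete request per action so each carries only its own rules.
// Assumptions: tbluser(UserID, UserName) as in the question, an isAdmin()
// method on the User model, and a {id} route parameter for update/delete.

namespace App\Http\Requests;

use App\Http\Requests\Request;

abstract class AdminRequest extends Request
{
    /**
     * Shared authorization: only administrators may create, change or
     * delete users. A guest (no authenticated user) is refused with a 403
     * instead of failing with a method call on null.
     */
    public function authorize()
    {
        $user = $this->user();

        return $user !== null && (bool) $user->isAdmin();
    }
}

class StoreUserRequest extends AdminRequest
{
    public function rules()
    {
        // Creating: the name must not exist yet
        return [
            'UserName' => 'required|max:50|min:3|unique:tbluser,UserName',
        ];
    }
}

class UpdateUserRequest extends AdminRequest
{
    public function rules()
    {
        // The record to ignore in the uniqueness check is the one named in
        // the URL ({id}), not a UserID value posted in the form body.
        $id = (int) $this->route('id');

        return [
            'UserName' => 'required|max:50|min:3|unique:tbluser,UserName,' . $id . ',UserID',
        ];
    }
}

class DeleteUserRequest extends AdminRequest
{
    public function rules()
    {
        // Nothing to validate for a delete; the base class still runs
        // authorize(), which is the whole point of this request class.
        return [];
    }
}

// Controller usage (each action type-hints its own request):
//
// public function store(StoreUserRequest $request)   { /* create */ }
// public function update(UpdateUserRequest $request, $id) { /* update */ }
// public function destroy(DeleteUserRequest $request, $id) { /* delete */ }
```

Reading the ignored id from the route rather than from input keeps the uniqueness check tied to the record actually being edited; the rest of the structure is the per-action split the answer recommends.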
