
jnthn:

REST API - Limit resources based on authenticated user

I’m starting with Laravel to build a REST API for a multi-tenant application. (The instance of the application is used by multiple organisations/users.)

Each user belongs to an organisation. Organisations can have multiple locations, and they can specify which users have access to which locations. Other resources can either belong to the organisation as a whole, or to specific locations.

Let’s say I have a resource “Photo”, and each photo belongs to a location. As such, a photo may only be accessed by users from the same organisation, with access to the photo’s location.

How can I best implement this? Both for collections (/api/photos) and single resources (/api/photos/17)?

I’ve read about guards, but it seems that they only make sense for single resources. What other method makes sense?

mabdullahsari:

Guards are meant to define how Laravel should store and retrieve information regarding (authenticated) users, e.g. web and api are the standard guards shipped with Laravel. You could create your own nova guard if you use Laravel Nova, etc.

You'll probably need Policies in your case, see https://laravel.com/docs/6.x/authorization#creating-policies.

A user will have an ability to do something, let's say update a Photo. But to be able to do so, the user should belong to the same organisation as the Location.

In other words:

    // In app/Policies/PhotoPolicy.php: the user and the photo's location
    // must belong to the same organisation.
    public function update(User $user, Photo $photo): bool
    {
        return $user->organisation_id === $photo->location->organisation_id;
    }
jnthn:

Thanks! That makes sense.

And how would this work for the index methods (GET /api/photos)? As it should only return the allowed photos.

Should I manually apply the restrictions in the index() method (like Photos::where('organisation_id', …)->get(

In that case, these policies would have to be implemented several times in separate places…

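The policy from the reply above, extended with the location-access rule from the original question, together with one way to apply the same rule to GET /api/photos so the predicate is not duplicated. This is an added illustration, not code from either poster. It assumes a users.organisation_id column, a locations.organisation_id column, photos.location_id, a location_user pivot (user_id, location_id) recording which users may access which location, and the App\Models namespace (Laravel 8+; under 6.x the models live directly under App\).

```php
<?php
// Added example for this thread, not code from the original posts.
// Assumed schema: users.organisation_id, locations.organisation_id,
// photos.location_id, and a location_user pivot (user_id, location_id).

namespace App\Models {

    use Illuminate\Database\Eloquent\Builder;
    use Illuminate\Database\Eloquent\Model;
    use Illuminate\Database\Eloquent\Relations\BelongsTo;
    use Illuminate\Database\Eloquent\Relations\BelongsToMany;

    class Location extends Model
    {
        // Users granted access to this location (location_user pivot, assumed).
        public function users(): BelongsToMany
        {
            return $this->belongsToMany(User::class);
        }
    }

    class Photo extends Model
    {
        public function location(): BelongsTo
        {
            return $this->belongsTo(Location::class);
        }

        // The single place the tenancy rule lives: a photo is visible to a
        // user only if its location belongs to the user's organisation AND
        // the user has been granted access to that location.
        public function scopeVisibleTo(Builder $query, User $user): Builder
        {
            return $query->whereHas('location', function (Builder $location) use ($user) {
                $location->where('organisation_id', $user->organisation_id)
                    ->whereHas('users', function (Builder $users) use ($user) {
                        $users->where('users.id', $user->id);
                    });
            });
        }
    }
}

namespace App\Policies {

    use App\Models\Photo;
    use App\Models\User;

    // Register in AuthServiceProvider: Photo::class => PhotoPolicy::class
    class PhotoPolicy
    {
        public function view(User $user, Photo $photo): bool
        {
            // Reuse the collection predicate, so the single-resource check
            // and the index filter cannot drift apart.
            return Photo::whereKey($photo->getKey())->visibleTo($user)->exists();
        }

        public function update(User $user, Photo $photo): bool
        {
            return $this->view($user, $photo);
        }
    }
}

namespace App\Http\Controllers\Api {

    use App\Http\Controllers\Controller;
    use App\Models\Photo;
    use Illuminate\Http\Request;

    class PhotoController extends Controller
    {
        // GET /api/photos: filter in the query itself; never fetch everything
        // and drop rows afterwards.
        public function index(Request $request)
        {
            return Photo::visibleTo($request->user())->paginate();
        }

        // GET /api/photos/17: scoping the lookup yields 404 for a foreign id,
        // so the API does not reveal that the photo exists in another tenant.
        // The policy call is kept as a second, independent check.
        public function show(Request $request, int $id)
        {
            $photo = Photo::visibleTo($request->user())->findOrFail($id);
            $this->authorize('view', $photo);

            return $photo;
        }
    }
}
```

With this layout the index method and the policy both call the same scope, which addresses the duplication concern: changing the access rule means editing scopeVisibleTo only. Note the difference between the two failure modes: a policy denial on a plain route-model-bound Photo produces 403 and confirms the id exists, while resolving the model through the scoped query produces 404 for ids outside the caller's organisation or locations.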
