Yep, that is the right fix, thanks @Corez64!
Ok, it seems when you loop over an instance of Request it will loop through the query string, which does make sense. So when you want to loop through the parameters that have been passed into your routes you have to explicitly specify that.
Glad it works!
I find it necessary to have an "Owner" middleware that I can re-use in every controller. And since I also use route-model binding, what I do in my Owner middleware is simply:
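public function handle($request, Closure $next)
{
    // First route parameter, already resolved to a model by route-model binding
    $model = array_values($request->route()->parameters())[0];

    // Reject the request when the authenticated user is not the owner
    if ($model->user_id != auth()->user()->id)
    {
        abort(403);
    }

    return $next($request);
}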
IMO, this is better than writing a FormRequest for every request (some of which don't deal with forms).
Hi,
This is an old question, but once I sorted out ownership with middleware I realized that your answers are valid for this question but they do not provide a full solution to the problem.
The question is about ownership middleware, but in fact it is about ownership of a resource and how to set it up. As @willvincent pointed out, the correct answer is Policies (https://laravel.com/docs/master/authorization#introduction). The middleware is only a small part of what you can do and how you can do it.
Here is a whole series related to this topic: https://laracasts.com/index/authorization
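
An ownership policy of the kind the last reply points to, as an added example that is not part of the original thread. The Post model, its user_id column, PostController and the routes are assumptions chosen for illustration.

```php
<?php
// Added example. Assumed names: App\Models\Post with a user_id column,
// App\Models\User, App\Http\Controllers\PostController.

namespace App\Policies {

    use App\Models\Post;
    use App\Models\User;

    class PostPolicy
    {
        // $user is not nullable, so the Gate denies guests before these
        // methods run and there is never a null user to dereference.
        public function update(User $user, Post $post): bool
        {
            return $this->owns($user, $post);
        }

        public function delete(User $user, Post $post): bool
        {
            return $this->owns($user, $post);
        }

        // Compare as strings with ===: keys may arrive as int or numeric
        // string depending on the driver, and this also works for UUID keys.
        private function owns(User $user, Post $post): bool
        {
            return (string) $post->user_id === (string) $user->getKey();
        }
    }
}

namespace {

    use App\Http\Controllers\PostController;
    use App\Models\Post;
    use App\Policies\PostPolicy;
    use Illuminate\Support\Facades\Gate;
    use Illuminate\Support\Facades\Route;

    // Belongs in a service provider's boot() method.
    Gate::policy(Post::class, PostPolicy::class);

    // Belongs in routes/web.php. "post" names the bound {post} parameter,
    // so the check does not depend on parameter order.
    Route::put('/posts/{post}', [PostController::class, 'update'])
        ->middleware(['auth', 'can:update,post']);
    Route::delete('/posts/{post}', [PostController::class, 'destroy'])
        ->middleware(['auth', 'can:delete,post']);
}
```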