
sandaur

Authorize on form request or middleware

Hello,

I can't sleep thinking about whether the authorization for a resource should happen in a middleware or a form request.

I have these routes:

    poll/{id}/
    poll/{id}/create
    poll/{id}/store
    poll/{id}/... (etc)

If I make a form request to use the authorize method, I would have to make a form request for every route (because of the different inputs, or lack of them, in every route). This is the option that seems to be right, but if I use a middleware I only have to create one that checks if the user owns the poll with the given id, and this makes more sense to me.

Any idea of what could be the way to go?

4 replies
sandaur

Sorry, I totally meant to say authorization, i.e. checking if someone owns a resource. Thanks for answering, I'll read that.

jlrdw

Authentication just means some user, no matter what their level is, is now logged in.

But for the form you were talking about: if that particular user is not authorized, then that form should not even show up for them.

Authorization is pretty complex and can go pretty deep.

Just my simple explanation and the way I see it.

Of course, authentication can be used alone for a system with just simple users and an admin, whereas authorization lets you start using roles, permissions, etc.

crnkovic

I believe the OP meant to ask whether he should perform authorization on specific endpoints by putting the can middleware on the route declaration, or by checking if the user is authorized to perform a request in the authorize method of the form request object. Example:

<?php

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// Option 1: authorize at the route, before the controller action runs
Route::post('/resource/{resource}', 'action')->middleware('can:update-resource');

// Option 2: authorize in the form request, which is injected into the controller method
class UpdateEndpoint extends FormRequest
{
    public function authorize()
    {
        return Auth::user()->can('update-resource');
    }
}

I tend to use both. Why? Because of the reasons you said. If I used only form requests, there would need to be a request instance on each method of the controller, so I use middleware to keep it tidy. I also like to perform the check in the Form Request on POST/PUT/DELETE requests, just to make sure other developers reading the code can easily see what's going on.

BTW, you can use $this->authorize('update-resource', $resource) in your controllers; this is also a nice way to do that ;)
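Putting the two approaches from crnkovic's reply together for the OP's poll routes, as an added example that is not code from the thread: one PollPolicy carries the ownership rule, the can middleware applies it across the whole route group, and a form request re-checks it on the write route. Poll, User, PollController, PollPolicy and StorePollOptionRequest are assumed names, and the route parameter is assumed renamed from {id} to {poll} so implicit model binding resolves it.

```php
<?php
// Added example, not code from the thread. Assumes App\Models\Poll has a
// user_id column, the route parameter is {poll} (not {id}) so implicit model
// binding resolves it, and policy auto-discovery maps Poll to PollPolicy.

use App\Http\Controllers\PollController;
use App\Models\Poll;
use App\Models\User;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Route;

// app/Policies/PollPolicy.php: the one ownership rule everything else defers
// to. Written once, so the route check cannot drift from the request check.
class PollPolicy
{
    public function update(User $user, Poll $poll): bool
    {
        return $user->id === $poll->user_id;
    }
}

// routes/web.php: 'can:update,poll' runs PollPolicy::update against the bound
// Poll for every route in the group, so no per-route form request is needed
// just to authorize. 'auth' first, so guests are redirected rather than 403'd.
Route::middleware(['auth', 'can:update,poll'])->group(function () {
    Route::get('poll/{poll}', [PollController::class, 'show']);
    Route::get('poll/{poll}/create', [PollController::class, 'create']);
    Route::post('poll/{poll}/store', [PollController::class, 'store']);
});

// app/Http/Requests/StorePollOptionRequest.php: the same policy re-checked on
// the state-changing request, so whoever reads the request class sees the
// rule; a false return is a 403 before rules() ever runs.
class StorePollOptionRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user()->can('update', $this->route('poll'));
    }

    public function rules(): array
    {
        return ['text' => ['required', 'string', 'max:255']];
    }
}
```

The controller-side `$this->authorize('update', $poll)` form from the reply above needs the `Illuminate\Foundation\Auth\Access\AuthorizesRequests` trait on the controller; it is a third place the same policy can be consulted, not a separate rule.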
