Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hi everyone,
I'm not sure where to post this, I've got no problems but I'd wonder if I could optimize my code, so here is the thing.
I've got a model called 'Promotion' which is a sort of a container. To view a promotion a user must have the authorization according to his role and his company.
For the promotion owner this is just a simple verification like promotion->owner_id === user->id so no problem
My concern is for the real estate agents, they can view a promotion only if their company has been attached to the promotion via a 'Mandat'. So if I'm listing all the promotions on a page, for each row the gate will query the database like
select * from `mandats` where `mandats`.`promotion_id` = X and `mandats`.`promotion_id` is not null and `company_id` = Y limit 1
Is there a better way using the authorization when there are queries ? Is there any other solutions ?
Thanks
You could look at query scopes:
https://laracasts.com/discuss/channels/laravel/security-in-controller
https://laravel.com/docs/5.8/eloquent#query-scopes
To note, a scope can be in db facade, but usually better suited for eloquent. But basically you are just returning query results.
@jlrdw I already think to use a scope to filter the programmes the user can access. It limits the verification you're right. I've never used the global scope and it works really fine, thanks for the suggestion.
The only problem with the global scope (well it's not a big problem) is when i try to access a programme I shouldn't I receive an 404 not found error instead of a 403 unauthorized.
Please or to participate in this conversation.