
pthai-it-dev

Authorization: Only allow different user roles to update different fields

For example, I have a model A which has b, c, d fields. My user can be a teacher or a student. All users can update model A, but a teacher can update all fields and a student can only update field d. So should I create two APIs that do the same job of updating model A, one each for teacher and student? Or do I just need to create only one API for both and add some if/else statements to check whether users have permission to update the specific fields that they pass in the body of the request? Thank you.

0 likes
2 replies
martinbean

@pthai-it-dev Use the same API but add validation to ensure only users with the appropriate permissions are submitting fields they can update.

You could use the prohibitedIf rule to prohibit setting a field if the authenticated user does not have the correct permission: https://laravel.com/docs/9.x/validation#rule-prohibited-if

If a user tries to set a field they don’t have permission to, then they’ll get a validation error and the request rejected.

1 like
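A sketch of the single-endpoint approach from the reply above, added here as an example and not code posted by anyone in the thread. The class names, the `ModelA` model and the `isTeacher()` helper on the user are assumptions; because the `prohibited` rule still accepts an empty value, the controller also writes only the keys allow-listed for the caller's role.

```php
<?php

use App\Models\ModelA; // hypothetical Eloquent model with fields b, c, d
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

// Hypothetical form request shared by teachers and students.
class UpdateModelARequest extends FormRequest
{
    public function authorize(): bool
    {
        // Any signed-in user may call the endpoint; field limits live in rules().
        return $this->user() !== null;
    }

    // Fields the current user may write. isTeacher() is an assumed User method.
    public function editableFields(): array
    {
        return $this->user()->isTeacher() ? ['b', 'c', 'd'] : ['d'];
    }

    public function rules(): array
    {
        $isStudent = ! $this->user()->isTeacher();

        return [
            // A student who submits a value for b or c gets a validation error.
            'b' => [Rule::prohibitedIf($isStudent), 'sometimes', 'string', 'max:255'],
            'c' => [Rule::prohibitedIf($isStudent), 'sometimes', 'string', 'max:255'],
            'd' => ['sometimes', 'string', 'max:255'],
        ];
    }
}

// Hypothetical controller using the request above.
class ModelAController
{
    public function update(UpdateModelARequest $request, ModelA $modelA): ModelA
    {
        // Never pass $request->all() to update(): take validated input only,
        // then keep just the keys this role is allowed to change.
        $modelA->update($request->safe()->only($request->editableFields()));

        return $modelA;
    }
}
```

Keeping the allow-list in one method means the validation rules and the write path cannot drift apart when a new field or role is added.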
