
luddinus's avatar

Authorize BEFORE validation rules (FormRequest)

Hi.

Imagine I have an "authorize" method of a FormRequest that depends on input.

class SomeRequest extends FormRequest {

   public function rules()
   {
      return [
         'user_id' => 'required'
      ];
   }

   public function authorize()
   {
      // this runs BEFORE the "rules" method, so "this->user_id" could be null
      // I would like not to "execute" this if "user_id" is null (it has the "required" rule)
      $user = User::find($this->user_id);

      // check something depending on the "user_id" method
      return true;
   }

}

Is there a better way to do this? Maybe validate in the controller method?

Thx.

0 likes
8 replies
ersinkandemir's avatar

Actually, authorization defines if it is okay for the "authenticated user" to continue the request life cycle. To implement restriction logic on a user model fetched from an input value, the FormRequest authenticate function is not the place.

1 like
rodrigo.pedra's avatar
class SomeRequest extends FormRequest {

   public function rules()
   {
      return [
         'user_id' => 'required'
      ];
   }

   public function authorize()
   {
      if (empty($this->user_id)) { // no user id provided
         return false; // not authorized
      }

      $user = User::find($this->user_id);

      // check something depending on the "user_id" method
      return true;
   }

}

Authorization method on the FormRequest does not require an authenticated user. It is only suggested as an example in the docs to check something with the authenticated user:

... Within this method, you MAY check if the authenticated user...

source: https://laravel.com/docs/5.2/validation#form-request-validation

The parent FormRequest class will just check if the return value from this method is either true or false to continue the request or throw an exception.

lucio's avatar

Just ran into this same problem and thought of a similar workaround. Semantically speaking, however, this is a bad solution. It's going to reply back with HTTP 403 when the issue isn't really related to authorization.
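
An added example, not part of any post in this thread: one way to keep an input-dependent check in authorize() without answering 403 for what is really a validation failure. It assumes a Laravel 5.x app with the default App\User model, an authenticated caller, and a hypothetical "update" ability registered in a policy for User.

```php
<?php

namespace App\Http\Requests;

use App\User; // assumption: default Laravel 5.x model location
use Illuminate\Foundation\Http\FormRequest;

class SomeRequest extends FormRequest
{
    public function rules()
    {
        return [
            // "exists" turns an unknown id into a validation error.
            'user_id' => 'required|integer|exists:users,id',
        ];
    }

    public function authorize()
    {
        // authorize() runs before the rules are enforced. If the input this
        // check depends on is invalid, pass here and let validation reject
        // the request, so the client gets a validation error instead of 403.
        // The controller is still never reached. Cost: the framework may
        // evaluate the rules a second time afterwards.
        if ($this->getValidatorInstance()->fails()) {
            return true;
        }

        $actor  = $this->user();                        // authenticated caller
        $target = User::find($this->input('user_id'));  // object named by input

        // Fail closed: no caller or no target means "not authorized".
        if ($actor === null || $target === null) {
            return false;
        }

        // Hypothetical ability name; replace with the policy your app defines.
        return $actor->can('update', $target);
    }
}
```

With the `exists` rule, an unknown id produces a validation error while an existing but forbidden id produces 403, so a caller can tell which ids exist. Drop `exists` if that distinction should not be visible; the null check on `$target` then denies the request with 403 instead.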
