
mamulasa's avatar

Check Current Users Permission to update article

Hey, I am trying to master Laravel fundamentals https://laracasts.com/series/laravel-5-fundamentals/episodes/14 and am stuck on something I can't figure out.

Can somebody point me in the right direction on how to check if the current user is the owner of an article and has the permission to edit/update the article?

My ArticlesController is:

class ArticlesController extends Controller {

    public function __construct() {
        $this->middleware('auth');
    }

    public function index() {
        $articles = Article::latest('published_at')->published()->get();
        return view('articles.index')->withArticles($articles);
    }

    public function show($id) {
        $article = Article::findOrFail($id);

        return view('articles.show')->withArticle($article);
    }

    public function create() {
        return view('articles.create');
    }

    public function store(ArticleRequest $request) {
        $article = new Article($request->all());

        Auth::user()->articles()->save($article);

        return redirect('articles');
    }

    public function edit($id) {
        $article = Article::findOrFail($id);
        return view('articles.edit')->withArticle($article);
    }

    public function update($id, ArticleRequest $request) {
        $article = Article::findOrFail($id);
        $article->update($request->all());
        return redirect('articles');
    }

}

and my ArticleRequest is:

class ArticleRequest extends Request {

    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        return true;
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules()
    {
        return [
            'title' => 'required',
            'body' => 'required',
            'published_at' => 'required|date'
        ];
    }

}

Thanks in advance

0 likes
6 replies
DNAngel's avatar

My opinion is to include a user_id column in the article database, and then you may use the relation to get the article's user_id and check whether it is Auth::user()->id before allowing someone to use the edit/update button.

jlrdw's avatar

That's actually a free video on using gate. Also there's the free tutorial that's right in the documentation.

kobear's avatar

Don't focus on the rules section of your custom Request class. Focus on the authorize section:

    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        // PUT YOUR AUTHORIZATION LOGIC HERE
    }

mamulasa's avatar

@kobear : Right now, if I change the return from "true" to "false" inside authorize(), my view output is "Forbidden" even if I am the owner/creator of the article.

    public function authorize()
    {
        return false;
    }

Any idea how to check if the current user is the owner?

Thanks again

mamulasa's avatar

OK, the only way I can solve it is:

public function edit($id) {

  $article = Article::findOrFail($id);

  $article_user_id = $article->user_id;
  $user = Auth::user();

  if ($article_user_id === $user->id) {
    return view('articles.edit')->withArticle($article);
  } else {
    return redirect('articles');
  }
}
kobear's avatar

Here is the way to do it within the authorize function

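public function authorize(Request $request)
{
    // findOrFail() looks the article up by its primary key; firstOrFail() takes no id
    $authArticle = Article::findOrFail($request->id);

    // Only the article's owner is authorized
    if (Auth::user()->id === $authArticle->user_id)
    {
        return true;
    } else  {
        return false;
    }
}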
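
An added example, not code from the thread or from Laracasts: one way to write the ownership check in ArticleRequest::authorize() so that update(), which the controller above still saves without any check, is covered while store() keeps working through the same request class. The `App\Article` namespace and the `id` route placeholder are assumptions.

```php
<?php

namespace App\Http\Requests;

use App\Article; // assumption: the model lives in the default App namespace

class ArticleRequest extends Request
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        $user = $this->user();
        if ($user === null) {
            return false; // not signed in
        }

        // Assumption: the route is declared as articles/{id}; use the
        // placeholder name from your own routes file here.
        $id = $this->route('id');

        // store() shares this request class and has no article in the URL,
        // so any signed-in user may create an article.
        if ($id === null) {
            return true;
        }

        // An unknown id raises ModelNotFoundException (a 404 response).
        $article = Article::findOrFail($id);

        // Cast both sides: some database drivers return integer columns
        // as strings, which would make a strict === comparison fail.
        return (int) $article->user_id === (int) $user->id;
    }

    public function rules()
    {
        return [
            'title' => 'required',
            'body' => 'required',
            'published_at' => 'required|date',
        ];
    }
}
```

edit() is a GET route that does not type-hint ArticleRequest, so it still needs its own owner check, such as the one in the edit() method posted above.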
