
How to prevent one user from editing other users' data?

Hi, just started learning Laravel here. My database tables are Users, Stores and Categories. One user can create multiple stores and each store can have multiple categories. The Stores database table has a foreign key of user_id, and the Categories database table has a foreign key of store_id.

Here are my category api routes:

<?php

use App\Http\Controllers\AuthController;
use App\Http\Controllers\CategoryController;
use App\Http\Controllers\StoreController;
use Illuminate\Support\Facades\Route;

// Every route below requires a valid Sanctum token
Route::group(['middleware' => 'auth:sanctum'], function () {
    Route::post('/logout', [AuthController::class, 'logout']);

    // Stores belong directly to a user (stores.user_id)
    Route::get('/store', [StoreController::class, 'index']);
    Route::post('/store', [StoreController::class, 'store']);
    Route::get('/store/{id}', [StoreController::class, 'show']);
    Route::put('/store/{id}', [StoreController::class, 'update']);
    Route::delete('/store/{id}', [StoreController::class, 'destroy']);

    // Categories belong to a store (categories.store_id), not directly to a user
    Route::get('/store/{storeid}/category', [CategoryController::class, 'index']);
    Route::post('/store/{storeid}/category', [CategoryController::class, 'store']);
    Route::get('/category/{id}', [CategoryController::class, 'show']);
    Route::put('/category/{id}', [CategoryController::class, 'update']);
    Route::delete('/category/{id}', [CategoryController::class, 'destroy']);
});

User 1 has user_id =1, store_id = 1, category_id = 1 and 2

User 2 has user_id=2, store_id = 2, category_id = 3 and 4

My question is: if I log in as User 2 and PUT '.../api/category/1' to edit, it will still update, as the Categories database table does not have a user_id column for me to check whether it belongs to user 1 or user 2. I know I can add a user_id column to the Categories database table, but is there any other way I can prevent the user from editing it? Thank you in advance!

0 likes
1 reply
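The situation in the question is a missing object-level authorization check: the route is authenticated, but the controller never verifies that the category's store belongs to the caller. The ownership is already expressible without a user_id column on categories, because categories.store_id leads to stores.user_id. The following is an added example, not code from the original post or a reply to it; the model names (Store, Category, User), the `name` column and the controller method bodies are assumptions, while the route parameter `{id}` and the table relationships come from the question. It shows two defensive patterns: a policy that walks the relationship chain, and a query that only ever loads categories inside the caller's own stores, so an ID belonging to another user yields a 404 instead of an update.

```php
<?php
// Added example (not from the original post). Assumes the models below exist
// with the foreign keys described in the question: stores.user_id, categories.store_id.

// --- app/Models/Store.php (assumed model) ---
namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Illuminate\Database\Eloquent\Relations\HasMany;

class Store extends Model
{
    protected $fillable = ['name', 'user_id'];

    public function user(): BelongsTo
    {
        return $this->belongsTo(User::class);
    }

    public function categories(): HasMany
    {
        return $this->hasMany(Category::class);
    }
}

// --- app/Models/Category.php (assumed model) ---
class Category extends Model
{
    protected $fillable = ['name', 'store_id'];

    public function store(): BelongsTo
    {
        return $this->belongsTo(Store::class);
    }
}

// --- app/Policies/CategoryPolicy.php (assumed; auto-discovered for App\Models\Category) ---
namespace App\Policies;

use App\Models\Category;
use App\Models\User;

class CategoryPolicy
{
    // Ownership is derived through the store, so no user_id column on categories is needed.
    // Used for update and destroy alike; the same rule applies to both.
    public function update(User $user, Category $category): bool
    {
        return $category->store->user_id === $user->id;
    }

    public function delete(User $user, Category $category): bool
    {
        return $this->update($user, $category);
    }
}

// --- app/Http/Controllers/CategoryController.php (assumed controller) ---
namespace App\Http\Controllers;

use App\Models\Category;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class CategoryController extends Controller
{
    // Pattern 1: load the record, then ask the policy. Another user's category id
    // is found but rejected with 403 before any write happens.
    public function update(Request $request, int $id)
    {
        $category = Category::findOrFail($id);
        Gate::authorize('update', $category);

        $data = $request->validate(['name' => 'required|string|max:255']);
        $category->update($data);

        return $category;
    }

    // Pattern 2: scope the query to the caller's own stores from the start.
    // A category id outside those stores is simply not found (404), which also
    // avoids revealing whether the id exists at all.
    public function destroy(Request $request, int $id)
    {
        $category = Category::whereHas('store', function ($query) use ($request) {
                $query->where('user_id', $request->user()->id);
            })
            ->findOrFail($id);

        $category->delete();

        return response()->noContent();
    }
}
```

Either pattern closes the hole described in the question; the same check belongs in `show`, and the store routes need the equivalent check against stores.user_id directly. Scoping the query (pattern 2) is the simpler default for list and lookup endpoints, while the policy (pattern 1) keeps the rule in one place when several controllers or a Blade view need to ask the same question.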
