topvillas

The UUID is accessible on the client either way.

You can make things much simpler by checking if the logged in user is the owner of the resource when they try and update it.

pickab00

How do I achieve this? Could you point me in the right direction?

calder12

In your update method, check the logged in user against the post owner. For example, if your post has a user_id, you could do something like this:

if ( Auth::user()->id === $post->user_id ) {
    // Do your update code here
} else {
    // Return some error here
}


pickab00

Will this prevent updating via the inspect element action? I mean, if someone goes to inspect element and changes the /{uuid} to some other post's uuid which does not belong to that user?

calder12

Yes, because they won't own the post. This is done in the update method; how that method gets the data, even if they just sent a direct POST request, makes no difference.
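The ownership check from calder12's earlier answer, written out as a complete Laravel controller method. This is an added example, not code from the thread or from Laravel itself; it assumes a `posts` table with `uuid` and `user_id` columns, a `Post` model bound by uuid in the route (`Route::put('/posts/{post:uuid}', [PostController::class, 'update'])`), and `title`/`body` fields on the form. As the second answer says, the check lives in the update method, so it holds whether the uuid was edited in the browser's inspector or sent in a hand-crafted request.

```php
<?php
// Added example (not from the thread). Assumed schema: posts(uuid, user_id, title, body).
// Assumed route: Route::put('/posts/{post:uuid}', [PostController::class, 'update']);

namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class PostController extends Controller
{
    public function update(Request $request, Post $post)
    {
        // Route-model binding has already loaded the post whose uuid was in the URL.
        // It does NOT check who owns that post, so an attacker-supplied uuid lands
        // here just like a legitimate one. The authorization decision is made on the
        // server, against the row we loaded, not against anything the client claims.
        //
        // Cast both sides: some PDO drivers return integer columns as strings, and a
        // strict === between "7" and 7 would wrongly fail.
        if ((int) Auth::id() !== (int) $post->user_id) {
            abort(403, 'You do not own this post.');
        }

        // Only whitelisted fields reach the model; user_id and uuid are not updatable
        // from the request, so the owner cannot be reassigned through mass assignment.
        $validated = $request->validate([
            'title' => ['required', 'string', 'max:255'],
            'body'  => ['required', 'string'],
        ]);

        $post->update($validated);

        return redirect()->route('posts.show', $post);
    }

    // Alternative (assumed routes/scheme): look the post up only among the
    // current user's own posts. A uuid the user does not own yields a 404,
    // which also avoids confirming to the requester that the uuid exists.
    public function updateScoped(Request $request, string $uuid)
    {
        $post = Auth::user()->posts()->where('uuid', $uuid)->firstOrFail();

        $post->update($request->validate([
            'title' => ['required', 'string', 'max:255'],
            'body'  => ['required', 'string'],
        ]));

        return redirect()->route('posts.show', $post);
    }
}
```

The same comparison can be moved into a Laravel policy (`app/Policies/PostPolicy.php` with an `update(User $user, Post $post)` method returning `$user->id === $post->user_id`) and invoked from the controller with `$this->authorize('update', $post);`, which keeps the rule in one place once edit, delete and show need it too. Whichever form you use, apply it in every method that mutates the resource, not only in the form that renders the edit page.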

pickab00

Thanks, this is exactly what I needed.
