

UserPolicy

Hi,

I have a question. I have users. My users must be invited by a member. The user can edit his or her own model, and I want members that have a permission to update a user to be able to edit the model as well. The permission is assigned to the role admin, and a permission can also be assigned to a member. For roles and permissions I use Spatie.

In my Blade code I have:

@if( ($user->username) == auth()->user()->username || auth()->user()->hasPermissionTo('update:user') )
	<x-link.button-icon href="{{ route('users.edit', $user->id) }}" class="bg-blue-900 p-2">
		<x-heroicon-o-pencil-square class="size-4"/>
	</x-link.button-icon>
@endif

So far so good. The user who is logged in can edit his model and no

In my UserPolicy:

    public function update(User $user, User $model): bool
    {
        return $user->hasPermissionTo('update:user') || (auth()->check() == $user->id);
    }

But now the logged in user can update all members.

What am I missing?

LaryAI

It looks like there is a small mistake in your UserPolicy method. The issue is with the condition that checks if the logged-in user is the same as the user being updated. You are using auth()->check() which returns a boolean indicating if the user is authenticated, not the user's ID. Instead, you should use auth()->id() or directly compare the $user object with the $model object.

Here's the corrected update method in your UserPolicy:

public function update(User $user, User $model): bool
{
    return $user->hasPermissionTo('update:user') || $user->id === $model->id;
}

In this corrected version:

  • $user->hasPermissionTo('update:user') checks if the user has the permission to update any user.
  • $user->id === $model->id checks if the logged-in user is the same as the user being updated, allowing users to update their own profile.

This should ensure that only users with the appropriate permission or the user themselves can update the user model.

jamesbuch

The AI bot is correct, or mostly correct, but maybe the kicker is the or vs and condition?

public function update(User $user, User $model): bool
{
    return $user->hasPermissionTo('update:user') || (auth()->check() == $user->id);
}

This checks if the user has permission to update the user model (any), and the answer is yes when update:user is given, so if they have that permission, this will always return true for any user model.

auth()->check() checks to see if someone is logged in or not, and so this condition will not be checked if they have the update user permission, and in any case it's comparing a boolean to $user->id, which is usually an integer but may be a UUID or whatever you might be using.

I think you really meant that the authorized user id is equal to the user model's id; in other words, can they update the user, OR is the logged in user id equal to the model's user id? Is that what you wanted? Because if they have $user->hasPermissionTo('update:user') then this condition will always be true, regardless of $user->id and $model->id being strictly equal. Use === for that.

If you are looking for has permission with 'update:user' AND $user->id being equal to the passed in user $model->id, then use:

public function update(User $user, User $model): bool
{
    return $user->hasPermissionTo('update:user') && $user->id === $model->id;
}

This would mean they must have both permission to update, and the model being checked must be their own.
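Why the posted policy lets every logged-in user edit every member, as an added stand-alone PHP script that is not code from the thread or from Laravel: `FakeUser` and `authCheck()` are hypothetical stand-ins for the Eloquent User model (with Spatie's `hasPermissionTo()`) and for `auth()->check()`, so the script runs without the framework. It puts the posted check, the corrected OR version from the replies, and jamesbuch's AND variant side by side on constructed sample users.

```php
<?php
// Added example, not from the original thread. Stand-alone: no Laravel needed.
// FakeUser and authCheck() are hypothetical stand-ins for the User model and
// for auth()->check(); the permissions array replaces Spatie's role tables.
declare(strict_types=1);

final class FakeUser
{
    /** @param string[] $permissions constructed sample data, not Spatie */
    public function __construct(public int $id, public array $permissions = []) {}

    // Stand-in for Spatie's hasPermissionTo() on the User model.
    public function hasPermissionTo(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

// Stand-in for auth()->check(): the request is authenticated, so always true here.
function authCheck(): bool
{
    return true;
}

// The policy exactly as posted in the question (buggy on purpose).
// `true == $user->id` is a loose bool/int comparison: PHP converts the int to
// bool, so it is true for every user whose id is not 0, whatever $model is.
function updateAsPosted(FakeUser $user, FakeUser $model): bool
{
    return $user->hasPermissionTo('update:user') || (authCheck() == $user->id);
}

// The corrected policy from the replies: own record OR the update:user permission.
// Strict === also works for string primary keys such as UUIDs.
function updateFixed(FakeUser $user, FakeUser $model): bool
{
    return $user->hasPermissionTo('update:user') || $user->id === $model->id;
}

// jamesbuch's AND variant: the permission is required AND only for your own record.
function updateOwnWithPermission(FakeUser $user, FakeUser $model): bool
{
    return $user->hasPermissionTo('update:user') && $user->id === $model->id;
}

// Constructed sample data.
$alice = new FakeUser(id: 7);                               // member, no permission
$bob   = new FakeUser(id: 9);                               // another member
$admin = new FakeUser(id: 1, permissions: ['update:user']); // has the permission

// Print a small truth table so the difference between the three checks is visible.
$cases = [
    'alice -> alice' => [$alice, $alice],
    'alice -> bob'   => [$alice, $bob],
    'admin -> bob'   => [$admin, $bob],
    'admin -> admin' => [$admin, $admin],
];

printf("%-16s %-10s %-8s %-12s\n", 'actor -> target', 'as posted', 'fixed', 'own+perm');
foreach ($cases as $label => [$actor, $target]) {
    printf(
        "%-16s %-10s %-8s %-12s\n",
        $label,
        var_export(updateAsPosted($actor, $target), true),
        var_export(updateFixed($actor, $target), true),
        var_export(updateOwnWithPermission($actor, $target), true),
    );
}
```

Run it with `php policy_demo.php` (file name assumed). The "as posted" column is true for alice editing bob because `authCheck() == 7` compares a bool to an int and PHP's loose `==` reduces that to `true == true`; the "fixed" column only passes for the user's own record or for the holder of `update:user`. Two practitioner notes that the thread does not state: Eloquent's `$user->is($model)` compares key, table and connection and is a safe alternative to `$user->id === $model->id`; and the Blade `@if` in the question duplicates the policy logic, so once the policy is correct it is better to let Blade's `@can('update', $user)` and the controller's `Gate::authorize('update', $user)` both delegate to it, so that hiding the button and enforcing the rule cannot drift apart.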
