Validating Current Team if user were to change teams in a different tab

Authorization policy's might be a way ( https://laravel.com/docs/5.6/authorization#creating-policies )

Register one then call it in the store and create methods.

Then simply in the policy check if the user is part of the team, if he isn't it returns a 403

I would advice wathcing a few videos on the subject

Thanks @Cruorzy, I'm using policies in there to check if the user is part of the team, however this would always return true unless it was a malicious user trying to access a page belonging to a team they weren't on even if the current_team_id has changed as it is a difference relationship.

However I need to check the current_team_id matches the id that the user was currently on when they first loaded the page. The only thing I can think of is a team token in a hidden input but this feels a bit much for every single form.

For instance if I had a route of /posts, there is no team identifier in the url to check the current_team_id against, so it would just create the post against the current_team_id even if it has changed when the user was on another page. As opposed to /{team}/posts where you can validate the team. However this kind of defeats the point of the having the current_team_id.

Hope that makes sense.

Back to the first post here, I think I was thinking wrongly about your issue. Is it correct that if the user switched teams and goes back to the page that was opened and saves the post. the post becomes part of the new team he just joined before making the post?

Hi @Cruorzy , no worries. Yes that's what happens. But the user would likely think they are still on the old teams page when creating a post for example as the logo (or whatever) would be the original teams. Obviously if the user refreshed the page it would show the updated current teams logo so would be more obvious but I doubt a user would remember to do that.

Well what you could do is when you set a new current_team_id also update a new field named last_team_change with a dateTime

Then in the store method

if (\Carbon\Carbon::now < $user->last_team_change) {
    //throw error
}

It's still not fully clean but this is how I would solve it since can't think of anything better.

@RALPHMORRIS The POST request in the first time to create a new post should occur after the user’s switched teams in the second time. Therefore, the POST request should create a post against the team the user has selected. If not, then you have some logical error somewhere.

why not check if the user belongs to the team they are trying to post under " in the the create post method". or am i not getting the question

@mac03733 Took me a bit to understand but if you read the question you can tell that wouldn't help since it will return true.

@martinbean He doesn't include the team in the url there is no way to know what page he is actually on, the asier way would be to indeed add a id or slug to the url to identify. But if he really doesn't want to I think my solution would do the job for him.

He can't simply add a new reply when the team has been switched and you are still on the old team page.

Thanks guys, for all your input.

@Cruorzy I believe you are correct although I think the Carbon::now() would need to be done on the original page load and put into the form so you could check whether the user had switched teams since loading the current page rather than in the store method.

Something like:

if (request()->page_original_loaded_timestamp < $user->last_team_change) {
    //throw error
}

@ralphmorris You've got a point there, it ain't my brightest today. Personally I would make a unique identifier has instead of a dateTime since they can just up the date and work around it. Which seems useless but still possible.

But then you would come close to your "token" idea.