Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

Mar 11, 2018

6

OP

Level 1

What is the best way to protect destroy method in Controller?

I'm working on API project. I have Proceeding model that has published_at attribute and it has hasMany relationship with Article model. A proceeding record may be trashed when it hasn't published yet. What is the best way to check if the proceeding is not published yet? Is it Validation, Middleware, or Authorization? If someone try to delete or update an article on a published proceeding, an exception should be thrown.

Best Answer

Level 80

@w1lldone Create a policy for your model that prevents deletion if the model is published: https://laravel.com/docs/master/authorization#creating-policies

1 like

OP

Level 1

@martinbean Thanks for your answer. The API should response with 403 Forbidden if the authorization fails, right?

Level 80

@w1lldone If the user is logged in but can’t perform the requested action, yeah.

Level 3

Please do not spam here and don't it elsewhere too.

Please or to participate in this conversation.