
AAABBBCCC's avatar

Authentication in Laravel 5

Hi, I have 3 different authority levels: admin, managers and students.

The idea is that a manager can add students to his own course and can edit them only if he added them.

However, since it is the same authority level, other managers can edit these students too.

Let's say student 1 was added by manager 1 and student 2 was added by manager 2.

If manager 2 changes the URL to

www.x.com/manager/student/update/1

he can change student 1, but that student was added by manager 1, not manager 2.

Route::group(['middleware' => ['auth', 'auth.manager'], 'prefix' => 'manager', 'namespace' => 'Manager'], function () {
    Route::group(['prefix' => 'student'], function () {
        Route::get('update/{id}', 'StudentController@update');
        Route::post('update/{id}/info', 'StudentController@updateInfoProcess');
    });
});

I can hash the IDs to prevent managers from updating other students; however, there is still a possibility (even a very small chance, but an exploit is still an exploit) of finding a user with a hashed URL. I am not exactly sure what else I can do.

0 likes
1 reply
Mariam's avatar

You can check like this

$user = User::find($id);
// find() returns null for an unknown id, so check that before reading manager_id
if ($user && $user->manager_id == Auth::user()->id)
{
    // allow updating
}
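
The ownership check from the reply above, applied to both routes in the question's route group, as an added example that is not code from either poster. It assumes students are `User` rows with a `manager_id` column (as in the reply) and Laravel 5's default `App\User` model location; the view name and the `name`/`email` fields are hypothetical.

```php
<?php

namespace App\Http\Controllers\Manager;

use App\Http\Controllers\Controller;
use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class StudentController extends Controller
{
    // Load a student only if the logged-in manager added them.
    // firstOrFail() throws ModelNotFoundException when no row matches, so an id
    // owned by another manager is handled exactly like an id that does not exist.
    private function ownedStudent($id)
    {
        return User::where('id', $id)
            ->where('manager_id', Auth::id())
            ->firstOrFail();
    }

    // GET manager/student/update/{id}
    public function update($id)
    {
        $student = $this->ownedStudent($id);

        // Hypothetical view name.
        return view('manager.student.update', ['student' => $student]);
    }

    // POST manager/student/update/{id}/info
    public function updateInfoProcess(Request $request, $id)
    {
        // The POST route needs the same check: guarding only the form page
        // would leave the write itself open to a changed id.
        $student = $this->ownedStudent($id);

        // Copy only the editable fields (hypothetical names). manager_id is never
        // read from the request, so ownership cannot be reassigned through this form.
        $student->name = $request->input('name');
        $student->email = $request->input('email');
        $student->save();

        return redirect('manager/student/update/' . $student->id);
    }
}
```

Because the ownership condition is part of the query, hashing or obscuring the id in the URL is not needed for the restriction to hold.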
