Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
I have question I try to creat SaaS / Multi-tenant.
Business owner registers account creates branch and add managers then they cant see other branches. Only their branches.
My code at the moment shows branches correctly if Im logged in with owner. But if I login with manager I can see all branches.
And if im logged in as owner and view branch and change url then I can see other account branch.
<?php
namespace App\Http\Controllers\Salon;
use App\AdminSetting;
use App\AppUsers;
use App\BookingChild;
use App\BookingMaster;
use App\Branch;
use App\Category;
use App\EmployeeInfo;
use App\Http\Controllers\AppHelper;
use App\Http\Controllers\Controller;
use App\Review;
use App\SubCategory;
use App\User;
use App\Business;
use Carbon\Carbon;
use Gate;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Artisan;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use LicenseBoxAPI;
use Symfony\Component\HttpFoundation\Response;
class BranchController extends Controller
{
/**
* Display a listing of the resource.
*
* @return \Illuminate\Http\Response
*/
public function index()
{
if (!Gate::denies('branch_access')) {
$business = Business::select('id')->where('owner_id', Auth::id())->first();
if ($business) {
$branch = Branch::where('business_id', $business->id)->get();
}else{
$branch = 0;
}
} elseif (!Gate::denies('branch_manager_access')) {
$business = Business::select('id')->where('owner_id', Auth::id())->first();
if ($business) {
$branch = array();
$master = Branch::where('business_id', $business->id)->get();
if ($master) {
foreach ($master as $value) {
if (is_array($value['manager']) && in_array(Auth::id(), $value['manager'])) {
array_push($branch, $value);
}
}
}else{
$branch = 0;
}
}else{
$branch = 0;
}
} else {
abort_if(true, Response::HTTP_FORBIDDEN, '403 Forbidden');
}
return view('salon.branch.index', compact('branch'));
}
/**
* Show the form for creating a new resource.
*
* @return \Illuminate\Http\Response
*/
public function create()
{
abort_if(Gate::denies('branch_create'), Response::HTTP_FORBIDDEN, '403 Forbidden');
$id = User::has('employee')->pluck('id');
$manager = User::whereNotIn('id', $id)->orderBy('name', 'asc')->get();
$categories = Category::orderBy('name', 'asc')->get();
$employee = User::whereIn('id', $id)->orderBy('name', 'asc')->get();
return view('salon.branch.create', compact('manager', 'categories', 'employee'));
}
/**
* Store a newly created resource in storage.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\Http\Response
*/
public function store(Request $request)
{
$request->validate([
'name' => 'bail|required|max:255',
'address' => 'bail|required|max:255',
'icon' => 'bail|required|image',
'start_time' => 'bail|required',
'end_time' => 'bail|required',
]);
$reqData = $request->all();
if ($request->icon && $request->icon != "undefined") {
$reqData['icon'] = (new AppHelper)->saveImage($request);
}
$reqData['owner'] =
$reqData['is_featured'] = $request->has('is_featured') ? 1 : 0;
$reqData['status'] = $request->has('status') ? 1 : 0;
branch::create($reqData);
return redirect()->route('branch.index')->withStatus(__('branch is added successfully.'));
}
/**
* Display the specified resource.
*
* @param \App\Branch $branch
* @return \Illuminate\Http\Response
*/
public function show(Branch $branch)
{
$branch::where('owner_id' => )
$booking = BookingMaster::with('user:id,name')->where('branch_id', $branch->id)->orderBy('id', 'desc')->get();
$review = Review::with('user:id,name')->where('branch_id', $branch->id)->orderBy('id', 'desc')->get();
$service = Category::with('service')->whereIn('id', $branch->category)->get();
$employee = EmployeeInfo::with('user:id,name,email')->whereIn('emp_id', $branch->employee)->get();
return view('salon.branch.show', compact('branch', 'booking', 'review', 'service', 'employee'));
}
/**
* Show the form for editing the specified resource.
*
* @param \App\Branch $branch
* @return \Illuminate\Http\Response
*/
public function edit(Branch $branch)
{
abort_if(Gate::denies('branch_edit'), Response::HTTP_FORBIDDEN, '403 Forbidden');
$id = User::has('employee')->pluck('id');
$manager = User::whereNotIn('id', $id)->orderBy('name', 'asc')->get();
$categories = Category::orderBy('name', 'asc')->get();
$employee = User::whereIn('id', $id)->orderBy('name', 'asc')->get();
return view('salon.branch.edit', compact('branch', 'manager', 'categories', 'employee'));
}
/**
* Update the specified resource in storage.
*
* @param \Illuminate\Http\Request $request
* @param \App\Branch $branch
* @return \Illuminate\Http\Response
*/
public function update(Request $request, Branch $branch)
{
$request->validate([
'name' => 'bail|required|max:255',
'icon' => 'bail|sometimes|required|image',
'start_time' => 'bail|required',
'end_time' => 'bail|required',
]);
$reqData = $request->all();
if ($request->icon && $request->icon != "undefined") {
$reqData['icon'] = (new AppHelper)->saveImage($request);
}
$reqData['is_featured'] = $request->has('is_featured') ? 1 : 0;
$reqData['status'] = $request->has('status') ? 1 : 0;
$branch->update($reqData);
return redirect()->route('branch.index')->withStatus(__('branch is updated successfully.'));
}
/**
* Remove the specified resource from storage.
*
* @param \App\Branch $branch
* @return \Illuminate\Http\Response
*/
public function destroy(Branch $branch)
{
abort_if(Gate::denies('branch_delete'), Response::HTTP_FORBIDDEN, '403 Forbidden');
$branch->delete();
return back()->withStatus(__('branch is deleted successfully.'));
}
--
-- Tabeli struktuur tabelile `booking_child`
--
CREATE TABLE `booking_child` (
`id` int(11) NOT NULL,
`booking_id` int(11) NOT NULL,
`service_id` int(11) NOT NULL,
`emp_id` int(11) NOT NULL,
`duration` int(11) NOT NULL,
`start_time` datetime DEFAULT NULL,
`end_time` datetime DEFAULT NULL,
`created_at` datetime NOT NULL,
`updated_at` datetime NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
-- --------------------------------------------------------
--
-- Tabeli struktuur tabelile `booking_master`
--
CREATE TABLE `booking_master` (
`id` int(11) NOT NULL,
`booking_id` varchar(50) NOT NULL,
`user_id` int(11) NOT NULL,
`branch_id` int(11) NOT NULL,
`start_time` datetime NOT NULL,
`end_time` datetime NOT NULL,
`offer_id` int(11) DEFAULT NULL,
`total` float NOT NULL,
`discount` float NOT NULL DEFAULT '0',
`duration` int(11) NOT NULL DEFAULT '0',
`status` int(11) NOT NULL DEFAULT '0' COMMENT '0 = waiting 1 =confirm 2=complate 3=cancel',
`payment_status` int(11) NOT NULL DEFAULT '0' COMMENT '0= no 1 = yes',
`payment_token` varchar(255) DEFAULT NULL,
`payment_method` varchar(255) NOT NULL DEFAULT 'Offline',
`updated_at` datetime NOT NULL,
`created_at` datetime NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
-- --------------------------------------------------------
--
-- Tabeli struktuur tabelile `branch`
--
CREATE TABLE `branch` (
`id` int(11) NOT NULL,
`name` varchar(255) NOT NULL,
`address` varchar(255) NOT NULL,
`for_who` int(11) NOT NULL DEFAULT '0',
`description` text NOT NULL,
`icon` varchar(50) NOT NULL DEFAULT 'default.png',
`start_time` time NOT NULL DEFAULT '09:00:00',
`end_time` time NOT NULL DEFAULT '23:00:00',
`category` text,
`business_id` int(11) DEFAULT NULL,
`manager` text,
`employee` text,
`is_featured` int(11) NOT NULL DEFAULT '0',
`status` int(11) NOT NULL DEFAULT '1',
`created_at` datetime NOT NULL,
`updated_at` datetime NOT NULL,
`deleted_at` datetime DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
-- --------------------------------------------------------
--
-- Tabeli struktuur tabelile `business`
--
CREATE TABLE `business` (
`id` int(11) NOT NULL,
`business_name` varchar(255) NOT NULL,
`owner_id` int(11) DEFAULT NULL,
`status` int(11) NOT NULL,
`created_at` datetime NOT NULL,
`updated_at` datetime NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
-- --------------------------------------------------------
--
-- Tabeli struktuur tabelile `employee_detail`
--
CREATE TABLE `employee_detail` (
`id` int(11) NOT NULL,
`emp_id` int(11) NOT NULL,
`address` varchar(255) DEFAULT NULL,
`description` text,
`service` text,
`icon` varchar(255) NOT NULL DEFAULT 'default.png',
`status` int(11) NOT NULL DEFAULT '1',
`experience` text,
`created_at` datetime NOT NULL,
`updated_at` datetime NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
-- --------------------------------------------------------
--
-- Tabeli struktuur tabelile `permissions`
--
CREATE TABLE `permissions` (
`id` int(10) UNSIGNED NOT NULL,
`title` varchar(191) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
`created_at` timestamp NULL DEFAULT NULL,
`updated_at` timestamp NULL DEFAULT NULL,
`deleted_at` timestamp NULL DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- --------------------------------------------------------
--
-- Tabeli struktuur tabelile `permission_role`
--
CREATE TABLE `permission_role` (
`role_id` int(10) UNSIGNED NOT NULL,
`permission_id` int(10) UNSIGNED NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-- --------------------------------------------------------
--
-- Tabeli struktuur tabelile `users`
--
CREATE TABLE `users` (
`id` int(11) NOT NULL,
`name` varchar(191) COLLATE utf8mb4_unicode_ci NOT NULL,
`email` varchar(191) COLLATE utf8mb4_unicode_ci NOT NULL,
`email_verified_at` timestamp NULL DEFAULT NULL,
`password` varchar(191) COLLATE utf8mb4_unicode_ci NOT NULL,
`is_admin` int(2) DEFAULT NULL,
`is_salon` int(2) DEFAULT NULL,
`business_id` int(11) DEFAULT NULL,
`remember_token` varchar(100) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
`created_at` timestamp NULL DEFAULT NULL,
`updated_at` timestamp NULL DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
--
-- Indeksid tõmmistatud tabelitele
--
--
-- Indeksid tabelile `booking_child`
--
ALTER TABLE `booking_child`
ADD PRIMARY KEY (`id`),
ADD KEY `booking_id` (`booking_id`,`service_id`,`emp_id`),
ADD KEY `service_id` (`service_id`);
--
-- Indeksid tabelile `booking_master`
--
ALTER TABLE `booking_master`
ADD PRIMARY KEY (`id`),
ADD KEY `user_id` (`user_id`,`branch_id`),
ADD KEY `branch_id` (`branch_id`),
ADD KEY `offer_id` (`offer_id`);
--
-- Indeksid tabelile `branch`
--
ALTER TABLE `branch`
ADD PRIMARY KEY (`id`);
--
-- Indeksid tabelile `business`
--
ALTER TABLE `business`
ADD PRIMARY KEY (`id`);
--
-- Indeksid tabelile `employee_detail`
--
ALTER TABLE `employee_detail`
ADD PRIMARY KEY (`id`),
ADD KEY `emp_id` (`emp_id`);
--
-- Indeksid tabelile `permissions`
--
ALTER TABLE `permissions`
ADD PRIMARY KEY (`id`);
--
-- Indeksid tabelile `permission_role`
--
ALTER TABLE `permission_role`
ADD KEY `role_id_fk_476162` (`role_id`),
ADD KEY `permission_id_fk_476162` (`permission_id`);
--
-- Indeksid tabelile `users`
--
ALTER TABLE `users`
ADD PRIMARY KEY (`id`),
ADD UNIQUE KEY `users_email_unique` (`email`);
--
-- AUTO_INCREMENT tõmmistatud tabelitele
--
--
-- AUTO_INCREMENT tabelile `booking_child`
--
ALTER TABLE `booking_child`
MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT tabelile `booking_master`
--
ALTER TABLE `booking_master`
MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT tabelile `branch`
--
ALTER TABLE `branch`
MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT tabelile `business`
--
ALTER TABLE `business`
MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT tabelile `employee_detail`
--
ALTER TABLE `employee_detail`
MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT tabelile `permissions`
--
ALTER TABLE `permissions`
MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
--
-- AUTO_INCREMENT tabelile `users`
--
ALTER TABLE `users`
MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;
--
-- Tõmmistatud tabelite piirangud
--
--
-- Piirangud tabelile `booking_child`
--
ALTER TABLE `booking_child`
ADD CONSTRAINT `booking_child_ibfk_1` FOREIGN KEY (`booking_id`) REFERENCES `booking_master` (`id`),
ADD CONSTRAINT `booking_child_ibfk_2` FOREIGN KEY (`service_id`) REFERENCES `sub_categories` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
--
-- Piirangud tabelile `booking_master`
--
ALTER TABLE `booking_master`
ADD CONSTRAINT `booking_master_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `app_users` (`id`),
ADD CONSTRAINT `booking_master_ibfk_2` FOREIGN KEY (`branch_id`) REFERENCES `branch` (`id`) ON DELETE CASCADE ON UPDATE CASCADE,
ADD CONSTRAINT `booking_master_ibfk_3` FOREIGN KEY (`offer_id`) REFERENCES `offers` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
--
-- Piirangud tabelile `employee_detail`
--
ALTER TABLE `employee_detail`
ADD CONSTRAINT `employee_detail_ibfk_1` FOREIGN KEY (`emp_id`) REFERENCES `users` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
COMMIT;
sorry, it's quite a long post and i did not really look in detail, but at glance on theshow() method, it seem incomplete and does not seem to have authorization checking....
but anyway, perhasp try to take a look and consider policy, it may make your life easier... https://laravel.com/docs/7.x/authorization#creating-policies
Please or to participate in this conversation.