The really nice thing about token abilities is that we can use them practically anywhere that we need to check permissions, and it allows us to do some pretty granular checks. For example, the update method is where a User would update a Ticket, and a typical User should be able to update only their own Tickets. But we can also limit what they can update, like the title, the description, the status. That should be it. They shouldn't be able to change the author_id that was assigned to their Ticket. So one of the ways that we could do that is, well, right here for this mappedAttributes. Now if you'll remember, the mappedAttributes takes the data from the request and maps that to the actual attributes on our Ticket model.Now if you'll remember, the mapped attributes takes the data from the request and maps that to the actual attributes on our Ticket model. So if a User submitted the title and then the authorId, this map would create an array that has the title and its value, the userId and its value, and then those things would be updated. So for a User that shouldn't be able to do that, you know, they would have that updateOwnTicket ability, we could just drop that out of the map, and we could do something like this. If the User does not have a token that can updateOwnTicket, then we will add that mapping back in.If the user does not have a token that can update own ticket, then we will add that mapping back in. So we will have our attribute map for the author_id, and we will map that to the user_id. And, you know, that would work for the update requests, but it would also cause some issues with our other requests. Because this mapAttributes method is used inside of not just update, but the store method, the replace method. I mean, any place that we need to work with that request data, we are using this mapped attributes.
Robb Lewis
