Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
In my mind (php); nested resources helps insist on binding a value to prevent users from posting to anything by modifying the dom.
(please dont ask "wait why cant they post comments everywhere .. i know, terrible example)
Ie.
/post/$id/comment/create sets a $_SESSION[comment_postid] = $id;
Store then uses the /post/$id/comment/store that validates the $id == $_SESSION['comment_postid'];
If its just /comment ; is it as simple as having create form set same session (via blade); and store validating it?
is there a more laravel-esque way?
I've never found need to temporarily hold something like this in session, and it can be confusing if the user has a tendency to duplicate tabs (gets the same session).
If a request like posts/5/comments/createcomes in, then the main thing to check is that the user is allowed to create a comment on post 5, not that it was 5 that was sent to the form.
(or for /comments/create?post=5)
Please or to participate in this conversation.