Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

JDLK7's avatar
JDLK7
OP
8 years ago
Level 1

Route Model binding not working with POST

I have two HTTP methods for the same route as shown below:

    Route::group(['middleware' => ['user.ownership']], function () {
       Route::get('users/{user}/folders/{folder}', 'FileController@listUserFolder');
       Route::post('users/{user}/folders/{folder}', 'FileController@createFolder');
    });

The problem is that when the request hits the middleware user.ownership the route model binding works for the GET request but does not work for the POST. It makes no sense to me.

The middleware checks if the user owns the resource (in this case a folder). The problem shows up when I try to get the Folder model. In one case it returns the model but in the other it just returns the id. Here's the middleware code:

    <?php

    namespace App\Http\Middleware;

    use Closure;

    class CheckIfUserOwnsResource
    {
        /**
         * Comprueba si el recurso solicitado pertenece
         * al usuario que lo solicita.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            $user = $request->user();
            $file = $request->folder;

            $fileOwner = $file->account;
            $fileApplicant = $user->account;

            if($fileOwner != $fileApplicant) {
                return response()->json([
                    'success' => false,
                    'message' => 'El recurso no le pertenece',
                ], 403);
            }

            return $next($request);
        }
    }
0 likes
4 replies
martinbean's avatar

@JDLK7 I don’t understand your routes.

What does…

Route::post('users/{user}/folders/{folder}', 'FileController@createFolder');

…do? Why do you have a {folder} parameter if the controller action is createFolder()? A folder can’t exist before it’s created, so what are you passing in the URL?

For this reason, it’s better to stick to the resourceful method names. If you’re creating a folder, this should be done in a create() method in a FolderController class. If the Folder model belongs to a User, then you could have a UserFolderController instead:

Route::resource('users/{user}/folders', 'UserFolderController');
1 like
JDLK7's avatar
JDLK7
OP
8 years ago
Level 1

@martinbean Sorry, originally the route was ...

Route::post('users/{user}/folders/{folder}/folders', 'FileController@createFolder');

I changed it to check if the problem had something to do with the word folders repeated.

It is suposed to create a subfolder nested into the folder passed by URL.

And thank you for your suggestion of creating a resource controller. I'm going to give it a try.

martinbean's avatar
martinbean
8 years ago
Best Answer
Level 80

@JDLK7 I think your variable naming in your middleware is confusing. You save $request->folder to $file…?

Nonetheless, the problem is, in your middleware you try and get the folder with $request->folder. If your form also has a field named folder, then that’s the value you will get, not the value from the {folder} route parameter.

Instead, you’ll need to use $request->route('folder') if you want the route parameter.

As an aside, it’s a good idea to use $request->input('key') to access POST data, and $request->route('key') to access route parameters, as it’s more explicit and prevents bugs like this.

I’d also recommend looking into authorisation with policies. You should have a FolderPolicy class that determines if the given user can create a folder rather than trying to work it out in middleware.

1 like
JDLK7's avatar
JDLK7
OP
8 years ago
Level 1

@martinbean You are right about the variable naming, I'm working on improving it. Regarding the binding, I've tried with $request->route('folder') and It worked fine. Thank you!

I've never tried to use policies. I think it could work in this case, however, if I've understood correctly a policy organizes the user authorization logic around a model (in this case Folder) so It won't work with groups. For example, say that a User is part of a Group. If this user wants to create a new folder that anyone in this group can access. The route will be like this:

Route::post('groups/{group}/folders/{folder}/folders', 'FileController@createFolder');

I should check first if the user belongs to the group and then if the parent folder (passed by URL) also belongs to the group. In the second case I couldn't use policies, right?

1 like

Please or to participate in this conversation.