Eloquent Relationships By Example
This episode is for members only

Sign up to access "Eloquent Relationships By Example" right now.

Get started
Already a member? Sign in to continue
Playing
11. Deleting records

Episodes

0%
Your progress
  • Total: 4h 18m
  • Played: 0m
  • Remaining: 4h 18m
Join or sign in to track your progress
01. Introduction
01. Installation, database and migration refresher
7m 28s
0%
02. One to one
02. Creating and accessing the relationship
12m 1s
0%
03. Creating an address
5m 47s
0%
04. Updating an address
1m 49s
0%
05. Deleting an address
1m 6s
0%
06. Scoping to get the most recent address
5m 42s
0%
07. Building a working example
24m 34s
0%
03. One to many
08. Defining one to many relationships
5m 25s
0%
09. Two ways to insert
5m 10s
0%
10. Accessing the relationship data
11m 53s
0%
11. Deleting records
8m 19s
0%
12. Updating records
2m 9s
0%
13. Adding modifiers directly to the relationship
4m 50s
0%
14. Creating a postable timeline app
19m 38s
0%
04. Belongs to
15. Defining a belongs to relationship
10m 34s
0%
16. Associating relations
6m 4s
0%
17. Switching up keys
4m 16s
0%
05. Eager loading
18. Debugging the issue
3m 59s
0%
19. Eager loading
4m 10s
0%
06. Many to many
20. Defining many to many relationships
13m 46s
0%
21. Attaching relations
8m 58s
0%
22. Detaching relations
1m 52s
0%
23. Attaching and detaching multiple relations
3m 58s
0%
24. Eager loading
2m 15s
0%
25. Defining the inverse of the relationship
7m 40s
0%
26. Intermediate table columns
7m 54s
0%
27. Filtering by intermediate columns
8m 16s
0%
28. Syncing relations
7m 19s
0%
07. Has many through
29. Defining and using has many through relationships
15m 43s
0%
08. Has one through
30. Using has one through relationships
15m 54s
0%
09. Has one of many
31. Setting up a practical example
5m 13s
0%
32. Defining and using a has one of many relationship
10m 6s
0%
33. Using aggregate functions
5m 5s
0%

Transcript

00:00
We're now going to look at deleting a post. And again, there are a couple of ways that you can do this.
00:06
The first way that we're going to look at is the most simple. That is receiving a post in the post. We actually want to delete and then just deleting it. The second way is accessing the post through the relationship before we delete it.
00:20
There's a good reason why you might want to do that. And I'll explain why. So I'm going to go ahead and create out a just to get root in here. Normally, this would be a delete route, of course.
00:30
But let's go and create out a post slash. And then let's use root model binding to accept the post in that we want to delete. Now, we'll do this all within our web routes just so we can make this really quick. But let's accept that post in and then let's just die dump on that post.
00:49
So now all we're going to do is just pick a post from here. Let's choose one and let's go over to slash posts and slash this. In actual fact, let's change this to delete and post. So it's a little bit clearer.
01:03
And that's the post that we want to delete. Now, a really easy way to delete this post would now just be to say post delete, because we're working with the model itself. This will send a query through to delete this.
01:17
And if we head over and refresh the page here, sure enough, that gets removed from the database. Now, the problem that we have with this approach, particularly when we're learning Laravel, is that we're not authorizing this request.
01:32
If you did have an endpoint like this in your application, where the user could click through or submit a form to delete a post, you need to know that they own that post before they delete it. Otherwise, anyone could just pass any post ID in and this would just be deleted.
01:48
Now, of course, what you can do to protect this is add an if statement in here. But I wouldn't recommend that. I'd recommend waiting until you've learned about authorization before we get onto that. But there is another way that we can kind of bypass the need for authorization
02:02
and make sure that the post that we're deleting comes from that user. So I'm going to show you how to do that now. And then we're going to go ahead and look at adding in an extra record, adding in an extra user to see how this works.
02:15
So instead of saying post delete, we're instead going to access the currently authenticated user or the user that, in this case, we're just plucking out of the database. Then we're going to go into the post relationship and we're going to say where, and let's just keep this super simple for now, ID equals the post ID.
02:38
Now, let's just grab the first result that we get back from this, because when we say where ID, we should only really get one item back because IDs are unique in the database. So let's go ahead and assign this post here. In fact, we can't really do that.
02:52
So let's just call this user post. We'll die dump on this user post and see what we get. So if we head over to the database, we've got one post left with an ID of five. So let's say delete five.
03:05
That gives us back that post. That's only because that exists within the user's posts. So what we're doing here is we're saying grab the post with a post ID of five, but only within the user's post collection.
03:20
So effectively, now we wouldn't need to authorize this or check that the user owned the post because we're scoping this to the user's post. So this is a really important technique. Even if you are authorizing, it's a good idea to get into the habit of
03:35
accessing these through the relationship. This does slightly slow things down because we're having to look the post up, then technically look the post up again, and then technically go ahead and perform another query to delete it.
03:47
But I find the speed difference here isn't massive, and it just adds that extra layer of protection. OK. So let's take a look at an example of this where we have another user in the database.
04:00
So to demonstrate this, I'm just going to, in fact, let's go ahead and do this with Tinker. So we've got some slightly different data. So let's say PHP artisan Tinker, and we can re-bring up that factory command to create another user.
04:14
And we're going to go ahead and manually do this in the database. So I'm going to create another post. So another post. And I'm going to assign this to the user, this one here.
04:26
So user two. So now what would happen is if I pass through the ID of six into here, we get a null value because that post doesn't belong to us. And remember, we're trying to access a post within the user ID's one collection of posts.
04:44
So hopefully that makes sense. Now, with this user post directly now, because this is a model, we can just call the delete method on that. Before I do this, I'm going to show you a slightly different way
04:55
that we can go ahead without a where here. So we can actually still use find. So find usually takes just an ID in, but we can actually pass the post in here. And I find this a little bit easier to read.
05:06
So within the user's posts, find the post that we want to delete and grab the first one. And then we can go ahead and delete it. We can actually do this all in one line, which we're going to look at as well. So if you have a look here, you can see we get exactly the same thing.
05:20
If we head over to post five, you can see we get exactly the same thing as well. So just using find rather than building up a where clause manually, I find just looks a little bit better. So now that we've done this, let's go ahead and actually delete this post.
05:33
So we've got a user post, which we know is a post model, and we can just go ahead and delete this now. So that's just going to work as we would expect. We head over to the database.
05:42
Sure enough, that has now disappeared. Now I'm going to go ahead and bring back a test post here for my user, because there's a slightly different way we can do that as well without having to grab the first item and then delete it.
05:56
What we can actually do here is just delete it straight up. So we can do this all in one line. And that means we don't even have to assign this a variable. We just go into the user's posts, find the post that we want to delete,
06:10
and then we delete it. So much clearer. We've saved a couple of lines and it's a lot clearer. So if we head back over now and actually find the post that we want to delete,
06:20
this is now seven and we go over to seven. Okay. Yeah. So we do actually get an error here, and that is just because find is going to return us a collection.
06:29
But what we want to do here is say first, because when we find it by that particular thing, it's going to return us a collection, but then we grab the first post. So find this post and then delete it.
06:40
So let's give that a refresh. And there we go. It should disappear. And once again, we're still protected here.
06:45
So if we go and try and delete post six, like we saw before we head over here, that is just not going to work. Now we do get an error here because technically what we're trying to do is find a post that doesn't belong to us.
06:59
So it's just returning null. And then we can't call delete on null that's returned by first because we don't have any posts there. So, of course, you're going to want to, at some point,
07:10
add in authorization here to make sure that the user does own this post. But if you were to create this line out and just wanted it to silently fail and not do anything, and you did have authorization here, you can use a null safe operator to access the delete method
07:25
on a potential null value. So if we give this a refresh, it does nothing. So there's no error here, but that has not been deleted because it couldn't find that post it wanted to delete.
07:35
So although this was pretty long for an episode on deleting posts, I find things like this really interesting because there are lots of different ways to do things. Most of the time you would want to come in here,
07:47
authorize the fact that a, if we spell that correctly, authorize the fact that a post belongs to a user and then just delete that post. So you would just use post delete.
07:59
And that is absolutely good enough. But there are other ways to do this. And it's really important to think about security when we are working with deleting records in particular,
08:09
updating things, and of course, everything else. So there we go. That is how we delete posts in a couple of different ways with a few refactors along the way.

Episode summary

In this episode, we're diving into deleting records—specifically, how to delete a post in Laravel. We kick things off by exploring the simplest method: accepting a post via route model binding and just calling delete() on it. While this gets the job done, it has a big security hole—it doesn't check if the current user actually owns the post. Anyone could delete any post if they know the ID!

To work around this, we look at accessing the post via the user's relationship: grabbing only the authenticated user's posts and deleting the specific one. This not only cleans up our code but also makes sure users can only delete their own posts. We check out a few variations—getting the post with where() or find(), deleting in multiple steps, or condensing it all into a single, tidy line.

We also see what happens if a user tries to delete a post they don't own, and how to make our code handle that gracefully (without big errors crashing the page). Throughout, there's an emphasis on why you need to always think about authorization when deleting (or updating!) anything from your database.

All together, by the end of this video, you'll know a handful of ways to safely delete posts, and why you should always be thinking security-first!

Episode discussion

No comments, yet. Be the first!