In this episode, we shift gears for a bit from working on our upload feature and focus on something super important: authorizing requests to ensure users can only update or delete their own videos. Right now, our routes let anyone with an ID try to edit or remove any video, so we need to lock things down.
First, we create specialized request classes (like VideoUpdateRequest) so we can keep validation and authorization clean and tidy, pulling rules out of the controller. Then, we jump into making a Laravel policy (VideoPolicy) to actually check ownership: if the user_id on the video matches the logged-in user's ID, you're good to go. We add update and delete (which we call "destroy" to match the Laravel convention) checks in the policy and wire them up to our new request classes.
Once we've handled updating and deleting, we repeat the process for uploading files, making a custom policy method (storeFile) to ensure users can only upload files for videos they own. After putting everything together, we test the routes and see they now correctly block unauthorized attempts with a 403 error.
By the end of the episode, all our sensitive routes are safely protected: only the owner can update, delete, or upload files for a video, keeping user data safe and the app secure.