This episode is for members only

Sign up to access "Multiple Drag And Drop File Uploading and Processing with Inertia" right now.

Get started
Already a member? Sign in to continue
Playing
11. Authorizing requests

Transcript

00:00
Okay, so we're going to take a quick break from our upload functionality, but talk about something that's equally important, and that is authorizing these requests. At the moment, we have got a couple of routes here which will change around the file,
00:13
including this one as well, where anyone could just pass any ID in, and we're not authorizing these requests. You might have already done this within Laravel, so it might be pretty straightforward, but I'm going to cover this now anyway because it's so important.
00:25
So let's start with our video update controller. At the moment, we are validating here, but we are not authorizing this request. Anyone can pass a video ID in with any title and description. So to do this, what I typically do is go ahead and create out a request,
00:40
which we can just easily put into and replace our request object, which makes things a little bit neater. So we're going to go ahead and make out a request here, and we're going to call this, let's just get rid of this, video update request.
00:54
So we'll start with update, and we'll work our way through. So with this, we can just replace this request out, so video update request, and we can actually move these validation rules over now just to keep our controllers nice and tidy. So if we open up this video update request, which is in the request directory under HTTP,
01:12
we can come down here and just put these rules directly in here, and that will be validated as normal, so that will just work. It's here that we want to authorize this. So to do this, we want a policy.
01:22
So let's go and make out a policy, and of course, we're going to call this video policy, because it relates to a video, and if we open up that video policy, if you've never worked with policies before in Laravel, we can get rid of this constructor, and we can just create a couple of methods in here,
01:38
which say, well, can we update a video, can we delete a video, and then just return a Boolean to see if we can or not. So in our case, we want to create out an update method in here. The user automatically gets passed in here, but then we can pass in what we're checking.
01:54
So in this case, it's the video. So how do we know a user belongs to a video or a video belongs to a user? Well, we just check the video user ID and check it against the user ID or the other way around. That's basically how we know that we own that video.
02:10
So now over here, we can say auth user can update, and then because we're working within a form request here, and if we just save this, and we're passing a video into our controller or our root, we can just access this directly with this video,
02:30
and that will be the video that gets sent down to our video policy here and then checked. And if this returns false, we'll get a 403, and this will be unauthorized. So let's go over and just try and update one of our videos just to make sure all this is working. So let's hit save, and you can see it works.
02:47
But if, for example, I just explicitly returned false from here and we tried that again, you can see that we get a 403. So that's working nicely. Okay, let's go and just copy this method down.
02:59
We'll do the same thing for deleting. The check is the same. We just want to basically know whether we own this, and we'll just go through the whole process for the deletion of a video.
03:08
So video destroy controller. Let's go and create out a request for this. So php artisan make request video destroy request, and we can just swap this out in here.
03:23
So video destroy request, pull that in. We don't have any validation for here, but that's absolutely fine. In authorized, we can say auth user can destroy this video. So reads really nicely.
03:40
Let's just check our video policy just to make sure we call that destroy. We called it delete, but let's change this over to destroy. Okay, let's go ahead and try this out. We should now be able to delete a video or cancel and upload.
03:53
So let's go and cancel this, and there we go. Sure enough, the request worked really nicely. Okay, so we need to also protect this route as well, because again, we could choose any ID.
04:05
We're not authorizing this, so we'll just go through the same process again. Feel free to cut the video at this point if you know what you're doing. Okay, let's go ahead and create our request for this. So php artisan make request, and let's say video file store request,
04:23
and we'll change this over, video file store request. Open this up, and then of course, we can just add the authorization in here. So we can do the same thing, because even though it's a file for the video, it's the video that counts.
04:37
So over in our video policy, we could create a sort of custom one that doesn't conform to the restful verbs that we usually use. So let's say store file, and I think that's okay. So in here, we're just going to say auth user can store file for this video,
05:01
and that should be good. So now, when we upload a file, each of them things where we can potentially be passing them IDs in are being authorized, and we are protecting this against someone else trying to modify things that we own.

Episode summary

In this episode, we shift gears for a bit from working on our upload feature and focus on something super important: authorizing requests to ensure users can only update or delete their own videos. Right now, our routes let anyone with an ID try to edit or remove any video, so we need to lock things down.

First, we create specialized request classes (like VideoUpdateRequest) so we can keep validation and authorization clean and tidy, pulling rules out of the controller. Then, we jump into making a Laravel policy (VideoPolicy) to actually check ownership—if the user_id on the video matches the logged-in user's ID, you're good to go. We add update and delete (which we call "destroy" to match the Laravel convention) checks in the policy and wire them up to our new request classes.

Once we've handled updating and deleting, we repeat the process for uploading files, making a custom policy method (storeFile) to ensure users can only upload files for videos they own. After putting everything together, we test the routes and see they now correctly block unauthorized attempts with a 403 error.

By the end of the episode, all our sensitive routes are safely protected: only the owner can update, delete, or upload files for a video, keeping user data safe and the app secure.

Episode discussion

No comments, yet. Be the first!