
Laravel 4 Users editing others information

I am having issues with Laravel 4. When a user logs in, they are able to create or edit a saved form called a "Project". I need to be able to make it where a user can only edit the forms "projects" that they created. Currently, anyone can edit anyone else's project by changing the project id in the URL.

Example: projects/3/edit edits the project with an id of 3

I tried using the following code but it returns an error "Trying to get property of non-object" but project is an object. Any advice is much appreciated.

filter.php

Route::filter('auth', function()
{
    if (Auth::guest()) return Redirect::guest('login');
});

Route::filter('auth.project', function($route, $request)
{
    if($route->parameter('project')->user_id !== Auth::user()->id)
    {
        return Redirect::route('/')->with('error','sorry, you can only access projects that you created');
    }

    return Redirect::route('/');
});


Route::filter('auth.basic', function()
{
    return Auth::basic();
});

routes.php

    Route::get('/projects/{projects}/edit','ProjectsController@edit',  ['before' => 'auth.project']);

You have this filter:

Route::filter('auth.project', function($route, $request)
{
    if($route->parameter('project')->user_id !== Auth::user()->id)
    {
        return Redirect::route('/')->with('error','sorry, you can only access projects that you created');
    }

    return Redirect::route('/');
});

Here, if($route->parameter('project')->user_id !== Auth::user()->id) is not right. The first thing is that your route is declared as given below:

// This is not right
Route::get('/projects/{projects}/edit','ProjectsController@edit',  ['before' => 'auth.project']);

Try this:

Route::get('/projects/{projects}/edit', ['before' => 'auth.project', 'uses' => 'ProjectsController@edit']);

Also, the parameter is projects, not project, but you are using project in your filter. The second problem is that you are trying to get a property of a non-object, because $route->parameter('project') returns null. Even if you use projects, it may return the 3, but that will still throw an error because 3 is not an object. You need to grab the Project whose id is 3, or you may use a route model binding. So, if you use something like this:

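$project = Project::find($route->parameter('projects')); // Assumes that 3 is the id
// find() returns null when no project has that id, so check before reading user_id
if (is_null($project) || $project->user_id !== Auth::user()->id) {
    //...
}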

Also you may use a route model binding like this:

Route::model('projects', 'Project'); // The Project model must exist
Route::get('/projects/{projects}/edit', ['before' => 'auth.project', 'uses' => 'ProjectsController@edit']);

Then in your edit method:

public function edit(Project $project)
{
    // $project is an Eloquent object and will be injected automatically...
}

Well, just looking at what you've posted here, I see a couple issues.

First, you named your parameter projects in your route and try to access project in your filter, which is non-existent.

Second, $route is of type Illuminate\Routing\Route, which has a method called getParameter, not parameter. More can be found in the documentation linked here.

Hope this helps.
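A complete ownership filter that pulls together the points from both answers, as an added example that is not code from the original posts. It assumes a `Project` Eloquent model with a `user_id` column, uses `Redirect::to('/')` instead of a named route, and adds a hypothetical `ProjectsController@update` route to show that the write endpoint needs the same check as the edit form.

```php
<?php
// filters.php -- added example, not from the original posts.

Route::filter('auth.project', function ($route, $request) {
    // The placeholder in the route is {projects}, so that is the parameter name.
    // (Laravel 4.0 names this method getParameter, as the second answer notes.)
    $param = $route->parameter('projects');

    // With Route::model() the parameter is already a Project; otherwise it is the raw id.
    $project = $param instanceof Project ? $param : Project::find($param);

    // Unknown id: stop here instead of reading a property of null.
    if (is_null($project)) {
        App::abort(404);
    }

    // Cast both sides, since some database drivers return ids as strings
    // and a strict comparison would then reject the real owner.
    if ((int) $project->user_id !== (int) Auth::user()->id) {
        return Redirect::to('/')
            ->with('error', 'Sorry, you can only access projects that you created');
    }

    // Return nothing for the owner. Any response returned from a filter
    // (such as the trailing redirect in the question) stops the request.
});

// routes.php
// 'auth' runs first so that Auth::user() is never null inside 'auth.project'.
Route::group(['before' => 'auth|auth.project'], function () {
    Route::get('/projects/{projects}/edit', 'ProjectsController@edit');
    // Hypothetical update route: it accepts the same id from the URL,
    // so it must carry the same ownership check.
    Route::put('/projects/{projects}', 'ProjectsController@update');
});
```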

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 