Protect routes dynamically, based on id (laravel, pivot table)

This topic has been discussed a lot here, but I don't get it.

I would like to protect my routes with pivot tables (user_customer_relation, user_object_relation (...)) but I don't understand how to apply the filter correctly.

Route::get('customer/{id}', 'CustomerController@getCustomer')->before('customer');

Now I can add some values to the before filter:

->before('customer:2') 

How can I do this dynamically?

In the filter, I can do something like:

if(!User::hasAccessToCustomer($id)) {
    App::abort(403); 
}

In the hasAccessToCustomer function:

public function hasCustomer($id) {
    if(in_array($id, $this->customers->lists('id'))) {
        return true;
    }

    return false;
}

How do I pass the customer id to the filter correctly?

You can't pass a route parameter to a filter. However, you can access route parameters from pretty much everywhere in the app using Route::input():

$id = Route::input('id');

Optimizations

public function hasCustomer($id) {
    if($this->customers()->find($id)){
        return true;
    }

    return false;
}

Or actually even

public function hasCustomer($id) {
    return !! $this->customers()->find($id);
}

(The double !! will cast the null / Customer result as a boolean)

Generic approach

Here's a possible, more generic approach to the problem: (It's not tested though)

Route::filter('id_in_related', function($route, $request, $relationName){
    $user = Auth::user();
    // Look the route's {id} up inside the user's own relation; deny if it is not there
    if(!$user->{$relationName}()->find($route->parameter('id'))){
        App::abort(403);
    }
});

And here's how you would use it:

->before('id_in_related:customers')
->before('id_in_related:objects')
// and so on
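
The decision the generic filter makes, as an added example that is not part of the original answer: plain PHP with the pivot tables replaced by constructed arrays, covering the guest, unknown-relation and malformed-id cases alongside the ownership check. The function name `idInRelated`, the status-code mapping and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: models the 'id_in_related' filter decision in plain PHP.
// Pivot rows are constructed sample data standing in for
// user_customer_relation / user_object_relation as [user_id, related_id].
$pivots = [
    'customers' => [[1, 10], [1, 11], [2, 12]],
    'objects'   => [[1, 500], [2, 501]],
];

/**
 * Hypothetical helper. Returns the HTTP status the filter should produce:
 * 200 = allow, 401 = not logged in, 403 = not related, 404 = malformed id.
 */
function idInRelated(array $pivots, $userId, $relation, $rawId)
{
    if ($userId === null) {
        return 401; // a guest has no user object; never call a relation on it
    }
    // Allowlist the relation name instead of calling an arbitrary method by name
    if (!array_key_exists($relation, $pivots)) {
        return 403;
    }
    // Route parameters arrive as strings; accept only plain non-negative integers
    if (!is_string($rawId) || !ctype_digit($rawId)) {
        return 404;
    }
    $id = (int) $rawId;
    foreach ($pivots[$relation] as $row) {
        if ($row[0] === $userId && $row[1] === $id) {
            return 200;
        }
    }
    // Deny by default: "exists but not yours" and "does not exist" look the same
    return 403;
}

$cases = [
    [1, 'customers', '10'],     // own customer
    [1, 'customers', '12'],     // customer linked to user 2 only
    [null, 'customers', '10'],  // guest
    [2, 'objects', '501'],      // own object
    [2, 'invoices', '1'],       // relation not on the allowlist
    [1, 'customers', '10abc'],  // malformed id
];
foreach ($cases as $c) {
    printf("user=%s %s/%s -> %d\n", var_export($c[0], true), $c[1], $c[2],
        idInRelated($pivots, $c[0], $c[1], $c[2]));
}
```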
