
How can I hide the data that my controller returns when making a CRUD in Laravel & vue.js?

I'm making a CRUD in Laravel with vue.js & axios. I created the complete CRUD, but it uses routes that return the data from my controller, so if someone enters the route that returns the data, obviously everyone can access the data that the controller returns.

I'm using Laravel 5.5, vue.js & axios. If I put the route in the browser, for example localhost/tasks, it shows all the data that I return from my controller.

Routes:

Route::get('/', function () {
    return view('dashboard');
});

Route::resource('tasks', 'TaskController', ['except' => ['show', 'create', 'edit']]);

Controller:

public function index()
{
    $tasks = Task::orderBy('id', 'DESC')->get();
    return $tasks;
}

app.js

data: {
    keeps: [],
    newKeep: '',
    fillKeep: {'id': '', 'keep': ''},
    errors: []
},
methods: {
    getKeeps: function()
    {
        // this is the name of the route (index)
        var urlKeeps = 'tasks';
        axios.get(urlKeeps).then(response => {
            this.keeps = response.data
        });
    },

    // Edit method
    editKeep: function(keep){
        this.fillKeep.id = keep.id;
        this.fillKeep.keep = keep.keep;
        $('#edit').modal('show');
    },

The main dashboard is at the '/' route. The controller returns its data at the "/tasks" route, along with the other methods, but when any other user enters "www.myweb.com/tasks" in the browser, it returns all the data from my controller. How can I avoid that problem?

If the Tasks model has multiple users' data, you should be restricting the tasks route to return only the current logged-in user's data. This is the same whether it's accessed via Ajax or directly in the browser window.

Restrict that route with the auth middleware and scope the tasks Eloquent query to return that user's data.

e.g.

$tasks = Task::where('user_id', \Auth::user()->id)->orderBy('id', 'DESC')->get();

Then it doesn't matter if the user visits the URL directly and sees their own data.
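
The approach from the answer above, as an added example that is not part of the original posts: a Laravel 5.5 `TaskController` that requires login and scopes every action, not only `index`, to the logged-in user's rows. It goes beyond the answer's single query; the `App\Task` namespace, the `keep` column (taken from the question's Vue code) and the `ownTasks` helper are assumptions.

```php
<?php
// app/Http/Controllers/TaskController.php (added example; assumes a tasks.user_id column)
namespace App\Http\Controllers;

use App\Task;                     // assumed model namespace (Laravel 5.5 default)
use Illuminate\Http\Request;

class TaskController extends Controller
{
    public function __construct()
    {
        // Guests never reach any action; applies to every route of this controller.
        $this->middleware('auth');
    }

    // Hypothetical helper: every query starts from the logged-in user's rows.
    private function ownTasks(Request $request)
    {
        return Task::where('user_id', $request->user()->id);
    }

    public function index(Request $request)
    {
        return $this->ownTasks($request)->orderBy('id', 'DESC')->get();
    }

    public function store(Request $request)
    {
        $task = new Task;
        $task->keep = $request->validate(['keep' => 'required'])['keep'];
        // The owner comes from the authenticated user, never from request input.
        $task->user_id = $request->user()->id;
        $task->save();
        return $task;
    }

    public function update(Request $request, $id)
    {
        // findOrFail on the scoped query answers 404 for another user's id.
        $task = $this->ownTasks($request)->findOrFail($id);
        $task->keep = $request->validate(['keep' => 'required'])['keep'];
        $task->save();
        return $task;
    }

    public function destroy(Request $request, $id)
    {
        $this->ownTasks($request)->findOrFail($id)->delete();
    }
}
```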

Well, if you want to restrict everyone from entering this path, you could simply add a middleware that returns to home if the requested URL is this one.

Here you can find all middleware documentation:

https://laravel.com/docs/5.8/middleware

About the condition: you could simply add a column to your user table, named for example tasks_access, and make it nullable(), so that the middleware does an if statement: if this column is null, redirect home, and basically it will always be null.

In the user migration:

    $table->boolean('tasks_access')->nullable();

Then you can either make a middleware or simply do it in your controller:

if (!@Auth::user()->tasks_access){
    return redirect('/user');
}

so that your controller will look like this:

public function index()
{
    if (!@Auth::user()->tasks_access){
        return redirect('/user');
    }
    $tasks = Task::orderBy('id', 'DESC')->get();
    return $tasks;
}

So, based on the tasks_access column of your user table, the user's tasks access is null by default, so it will always redirect the user to the /user route, or you could change it to /home or whatever you want.

Note: I answered based on your question, but I don't know why you want to block all users from seeing the data; the data should be shared with users in the first place, because data without users is useless.
