Laravel
bob_meister, 2021-10-06 09:50:07

How to protect against different URL requests in Laravel?

Hello. I'm learning how to build a website in Laravel.
I'm interested in this question:
For example, I gave the site the ability to create and delete groups.
There is a route:

Route::get('/group/delete/{id}', 'App\Http\Controllers\[email protected]')->name('group-delete');

I.e., the delete link looks like this: www.site.ru/group/delete/2 <- group ID.
And of course, any user stupidly entering any ID can delete any group. Of course, I added a check to the delete function to see if the authorized user is a group administrator.
But, I have a lot of such functions, where you need to check if the user is an admin, etc. I'm wondering if there is any other way to deal with this. For example, so that the group ID is not visible in the link, and the ID itself is sent in a different way, not through the URL, and so that requests like www.site.ru/group/delete/2 do not work. Thank you.


3 answer(s)
JhaoDa, 2021-10-06
@bob_meister

Firstly, for deleting by the GET method, a special cauldron in hell is waiting for you.
Secondly, read the Laravel documentation about middleware and policies.
Third, learn the basics of HTTP so you know how to

For example, so that the group ID is not visible in the link, and the ID itself is sent in a different way, not through the URL, and so that requests like www.site.ru/group/delete/2 do not work.
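
The route from the question reworked along the lines this answer points to (DELETE instead of GET, with the admin check moved into a policy), as an added example that is not part of the original answer. The `GroupPolicy` and `GroupController::destroy` names and the `admin_id` column are assumptions, not taken from the asker's project.

```php
<?php
// Added example. Assumptions: the Group model has an admin_id column;
// GroupPolicy and GroupController::destroy are hypothetical names.
// In a real app each namespace block below lives in its own file.

namespace App\Policies {
    use App\Models\Group;
    use App\Models\User;

    class GroupPolicy
    {
        // The "is this user the group's admin?" rule is written once here
        // instead of being repeated in every controller method.
        public function delete(User $user, Group $group): bool
        {
            return (int) $user->id === (int) $group->admin_id;
        }
    }
}

namespace App\Http\Controllers {
    use App\Models\Group;
    use Illuminate\Http\RedirectResponse;

    class GroupController extends Controller
    {
        // Route model binding resolves {group}; an unknown ID returns 404.
        public function destroy(Group $group): RedirectResponse
        {
            // Second check next to the action itself: responds with 403
            // when GroupPolicy::delete() returns false.
            $this->authorize('delete', $group);
            $group->delete();

            return redirect()->back();
        }
    }
}

namespace {
    use App\Http\Controllers\GroupController;
    use Illuminate\Support\Facades\Route;

    // routes/web.php: DELETE instead of GET, so following a link cannot
    // delete anything. 'auth' requires login, 'can' runs the policy.
    Route::delete('/group/{group}', [GroupController::class, 'destroy'])
        ->middleware(['auth', 'can:delete,group'])
        ->name('group-delete');
}
```

The ID stays visible in the URL; what stops www.site.ru/group/delete/2 from working for other users is the policy, not hiding the number. In Blade, the delete button becomes a form with `@csrf` and `@method('DELETE')`.
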

Anton, 2021-10-06
@sHinE

Deletion and access control have already been covered; I will add something about "hiding" IDs in URLs: there is a package for this purpose, https://github.com/cybercog/laravel-optimus, but in general it is cosmetic.

pLavrenov, 2021-10-06
@pLavrenov

When creating a model, you can add a UUID and use it. But set aside the usual IDs for relationships so as not to litter the database.
