Where should I check permissions?
Hello.
Where should I check permissions?
For example, there is a class Book with a remove method. Is it normal to check the right to delete inside the class method, or is that wrong?
Should this be done in the controller instead?
For example, I need to get the title of the book, but only the person who created the book has access to this information (Information about the creators is in the user_id field)
If you check access rights in the controller, you must first make one query to the database to get the user_id field; then, if the request was sent by the owner of the book, we call the class method,
and that makes another request to the database to pull out the necessary fields (in the example, this is the title of the book).
In such cases, instead of one query to the database, we get two,
when we could get by with one and pull out all the necessary data at once: user_id and title.
Now it's done like this:
We call the /book/ajax/ route, check the submitted data for validity, and then call the class, where the right to delete the book is checked and the book itself is deleted.
How would it be correct to implement this?
A middleware that checks permissions on every request would be the right solution.
But you can also pull a little trick (although the solution is neither pretty nor scalable):
Naturally, only the owner can delete.
Well, then analyze the result of the request: if nothing is deleted, give an error.
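Added example, not code from the thread or its authors: it shows the two-query flow the question describes next to the single-query variant the answer hints at (the ownership condition becomes part of the WHERE clause, and the affected-row count tells you whether the delete happened), plus a minimal stand-in for the middleware the answer recommends. The table, sample rows, the request dict shape and the handler names are all constructed assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE books (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO books (id, user_id, title) VALUES (?, ?, ?)",
        [(1, 10, "Alpha"), (2, 20, "Beta")],
    )
    conn.commit()
    return conn


class BookRepository:
    """Data-access layer for books; ownership is checked at the query level."""

    def __init__(self, conn):
        self.conn = conn

    def title_two_queries(self, book_id, requester_id):
        """The flow from the question: one query for the owner, a second for the data."""
        row = self.conn.execute(
            "SELECT user_id FROM books WHERE id = ?", (book_id,)
        ).fetchone()
        if row is None or row[0] != requester_id:
            return None  # not found or not the owner
        return self.conn.execute(
            "SELECT title FROM books WHERE id = ?", (book_id,)
        ).fetchone()[0]

    def title_for_owner(self, book_id, requester_id):
        """Single query: the ownership check is part of the WHERE clause."""
        row = self.conn.execute(
            "SELECT title FROM books WHERE id = ? AND user_id = ?",
            (book_id, requester_id),
        ).fetchone()
        return None if row is None else row[0]

    def delete_as_owner(self, book_id, requester_id):
        """Delete only if the requester owns the row; rowcount reveals the outcome."""
        cur = self.conn.execute(
            "DELETE FROM books WHERE id = ? AND user_id = ?",
            (book_id, requester_id),
        )
        self.conn.commit()
        return cur.rowcount == 1


def authorize(handler):
    """Hypothetical stand-in for the middleware from the answer: rejects
    anonymous requests before any handler or database work runs."""

    def wrapped(request, repo):
        if request.get("user_id") is None:
            return {"status": 401, "error": "login required"}
        return handler(request, repo)

    return wrapped


@authorize
def delete_book_handler(request, repo):
    """Controller for the /book/ajax/ style route: one query, then inspect the result."""
    if repo.delete_as_owner(request["book_id"], request["user_id"]):
        return {"status": 200}
    # Same response for "no such book" and "not yours", so callers cannot
    # probe which book ids exist.
    return {"status": 404, "error": "not found or not owned by you"}


if __name__ == "__main__":
    repo = BookRepository(make_db())
    print(repo.title_for_owner(1, 10))                         # Alpha
    print(repo.title_for_owner(1, 20))                         # None
    print(delete_book_handler({"book_id": 1, "user_id": 20}, repo))  # 404
    print(delete_book_handler({"book_id": 1, "user_id": 10}, repo))  # 200
```

The single-query form cannot tell "book does not exist" from "book belongs to someone else"; treating both as the same 404 is usually the safer default for a per-user resource, since the distinction would let a caller enumerate ids. The middleware only establishes who the caller is; the ownership check still has to sit next to the data access, otherwise a second route that forgets the check bypasses it.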