Most Filamenty way of securing multi-user models?
Hello, so when for example I have a PostResource that has user_id, meaning this post was made by that specific user, what's the best way to make sure the user can't access view/edit pages for the models that don't belong to that user?
I can prevent the table from showing other users' posts, but the user can still manually access the edit page by opening posts/edit/id and writing an id of a post that doesn't belong to them. How can I easily prevent this? Is there a magic method within Filament for this?
5 Replies
Use Laravel policies
Authorization - Laravel 12.x - The PHP Framework For Web Artisans
But the user can still access the edit form and see the contents of the post that they shouldn't see. Gates only refuse the post request to update the post on the database.
Nope, then you're doing something else wrong
Policies are indeed the correct way and should also handle view, edit, etc.
If that doesn’t work share some code.