
I'll try to explain my doubt. Maybe the question does not make any sense:

I'm creating a SaaS project using Vue + Laravel. Logically, it has to support multiple users. For each of them only the user-related data should be shown and not the others', which must be completely private. Laravel is used only to be accessed via API (I'm not using Blade templates).

So, let's suppose the typical example of posts. A certain user, after authenticating, is presented all his/her posts:

URL: http://myproject.com/posts
(posts data is obtained accessing http://myproject.com/api/posts)

And then clicks on one of them and the post is presented with full details:

URL: http://myproject.com/posts/4
(post data is obtained accessing http://myproject.com/api/posts/4)

Supposing the post with id=5 is someone else's, this user could try to access it this way:

URL: http://myproject.com/posts/5

But in my Laravel controller I can check the user is accessing only his/her posts by checking e.g.:

    // Return the post only if the authenticated user owns it
    if (auth()->user()->id == $post->user_id) {
        return $post;
    }
    abort(403); // otherwise deny access

This way access to someone else's posts is not possible.

But the user is aware of which ids his/her own posts have, and, consequently, the ids of other users' posts. Do you think this is the correct way to implement this?

JaviS
  • I'm not sure if I understand the question correctly: you don't want user A to know about user B's posts? If that is so, don't use post IDs that auto-increment, use something like a [UUID](https://github.com/binarycabin/laravel-uuid) – KiprasT Dec 18 '19 at 08:21
  • Yeah, concretely the questions would be: - Is what I have done an incorrect practice? - How is it usually implemented? The UUID sounds good. – JaviS Dec 18 '19 at 08:23
  • If you only want to hide the content of the post, then what you have done should suffice, but if you also would like to hide the IDs, I would use UUID. You could also use multiple columns as a primary key; consider this: user A has 2 posts and user B has 3. Then when user A goes to `posts/1` he sees his first post; same thing for user B: he goes to `posts/1` and sees his first post. But when user A goes to `/posts/3` he does not have a third post, so he sees nothing. This could be your posts table: `id, user_id, post_id, ...`, with `PK(id,user_id,post_id)` – KiprasT Dec 18 '19 at 08:33
  • A multiple-column PK would be the perfect solution. Why not PK(user_id,post_id)? Anyway, as I researched, Laravel does not allow multiple-column PKs. – JaviS Dec 18 '19 at 08:43
  • [I think it does, but you need to do some hacking](https://stackoverflow.com/a/37076437/6463262) – KiprasT Dec 18 '19 at 08:46
  • Are you sure you want to implement this on the "show/view" part of the posts? I'd understand if you wanted to implement this for "edit/delete/update" routes/actions. No one except the post owner could _view_ post details. And yes, go for UUID or https://hashids.org/ if you don't want IDs in your URLs – brombeer Dec 18 '19 at 08:47
  • In all cases (show, edit, update...) the check to disallow access when the user is not the owner can be implemented. The only problem (if it's a problem) is "showing" the id in the URL, and that's only in the case of the GET command. – JaviS Dec 18 '19 at 09:17
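One way to structure both measures discussed above, as an added example that is not code from the question or the comments (the class names, the `posts()` relation on the User model and the routes are assumptions): build every query from the authenticated user's relation so a foreign id is simply "not found", and use UUID keys so ids cannot be enumerated.

```php
<?php
// Added example; not code from the question or its comments. It combines
// (1) building every lookup from the authenticated user's relation, so a
// foreign id is simply "not found", and (2) UUID primary keys, so ids
// cannot be enumerated. Assumes a `posts` table with a `user_id` column
// and a `posts()` hasMany relation on User; names are illustrative.

namespace App\Models {
    use Illuminate\Database\Eloquent\Concerns\HasUuids;
    use Illuminate\Database\Eloquent\Model;

    class Post extends Model
    {
        // HasUuids (Laravel 9.30+) generates a UUID string for `id`; the
        // migration must declare the column as $table->uuid('id')->primary().
        use HasUuids;
        protected $fillable = ['title', 'body'];
    }
}

namespace App\Http\Controllers\Api {
    use App\Http\Controllers\Controller;
    use Illuminate\Http\Request;

    class PostController extends Controller
    {
        // GET /api/posts: only the caller's rows are ever selected.
        public function index(Request $request)
        {
            return $request->user()->posts()->latest()->get();
        }

        // GET /api/posts/{id}: scoped through the relation, so someone
        // else's post yields 404, which does not confirm that the id exists.
        public function show(Request $request, string $id)
        {
            return $request->user()->posts()->findOrFail($id);
        }

        // PUT /api/posts/{id}: same scoping on writes, so no separate
        // owner comparison is needed before updating.
        public function update(Request $request, string $id)
        {
            $post = $request->user()->posts()->findOrFail($id);
            $post->update($request->validate(['title' => 'required|string']));
            return $post;
        }
    }
}
```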
