You could add an additional check. It could be as rudimentary as this:
public function show($id)
{
    $document = Document::findOrFail($id);

    // Ownership check: only the owner of the document may see it.
    if ($document->user_id !== auth()->id())
    {
        return response()->json([
            'message' => 'You are not allowed to see this document',
        ], 403);
    }

    return response()->json([
        'document' => $document,
    ], 200);
}
Alternatively, you could also do this when finding the document (because it seems you are not using Model Binding), so this should also work:
public function show($id)
{
    // Scope the lookup to the authenticated user, so a document that belongs
    // to someone else is simply not found (auth()->id() is a method call).
    $document = Document::where('user_id', auth()->id())->find($id);

    if (!$document)
    {
        return response()->json([
            'message' => "The document does not exist or you are not allowed to see it.",
        ], 404);
    }

    return response()->json([
        'document' => $document,
    ], 200);
}
Then again, you could implement this not only in the controller but also in a middleware, a Form Request, and so on.
Source: stackexchange.com
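As an added example (not part of the answer above), the same ownership rule expressed as a Laravel Policy, so the check lives in one place and can be enforced from the controller, from route middleware, or from a Form Request, as the answer suggests. The `Document` model with its `user_id` column, the `DocumentPolicy` class, the controller name and the route path are assumptions for illustration.

```php
<?php
// Added example, not from the original answer. Assumes a Document model with
// a user_id column and a DocumentPolicy class (both hypothetical names).

// --- app/Policies/DocumentPolicy.php ---
namespace App\Policies;

use App\Models\Document;
use App\Models\User;

class DocumentPolicy
{
    // The ownership rule, stated once: a user may view only their own document.
    public function view(User $user, Document $document): bool
    {
        return $user->id === $document->user_id;
    }
}

// --- app/Providers/AuthServiceProvider.php (fragment) ---
// Maps the model to its policy so Gate::allows / $this->authorize can find it.
// protected $policies = [
//     \App\Models\Document::class => \App\Policies\DocumentPolicy::class,
// ];

// --- app/Http/Controllers/DocumentController.php (fragment) ---
// With route model binding (/documents/{document}), a missing id is a 404
// before this method runs; a foreign id is a 403 from the policy.
// public function show(Document $document)
// {
//     // Throws AuthorizationException (rendered as 403) when the policy denies.
//     $this->authorize('view', $document);
//
//     return response()->json(['document' => $document], 200);
// }

// --- routes/api.php (fragment) ---
// The same rule enforced as middleware, before the controller is reached.
// Route::get('/documents/{document}', [DocumentController::class, 'show'])
//     ->middleware(['auth:sanctum', 'can:view,document']);
```

One design point worth noticing: the policy version answers 403 for someone else's document and 404 for a non-existent one, which tells a caller whether an id exists. The answer's second variant (scoping the query to `auth()->id()`) collapses both cases into 404; if that distinction matters to you, keep the policy for the rule and scope the lookup as well.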