0
votes

So if a user wants to edit their own ticket they can do it from a form. But if they change the ID in the form, they can also edit another user's ticket. How do I prevent this?

public function edit(Ticket $ticket)
{
    // ticket()->get() returns a Collection of all the user's tickets, not one Ticket
    $user = request()->user()->ticket()->get();

    // a Collection is never === a single Ticket model, so this branch is never taken
    if ($ticket === $user){
        return view('users.tickets.edit',['ticket' => $ticket,]);
    }
    else{
        abort(403);
    }
}

It automatically picks abort 403.

This is the User model:

public function ticket(){
    return $this->belongsToMany(Ticket::class, 'ticket_user');
}

This is the Ticket model:

public function users() {
    return $this->belongsToMany(User::class, 'ticket_user');
}
2
Please explain a little more... The ticket belongs to multiple users and you want to check if the user (that belongs to the users associated with the ticket) can edit the ticket? – jon
Yes, correct, but if the user does not belong to the ticket he cannot enter that page. – B.Simsek

2 Answers

1
votes

The logic itself could look like this:

$ticket->users->contains($request->user())

In your controller it could look like this:

use Illuminate\Http\Request;

public function edit(Request $request, Ticket $ticket)
{
    if (! $ticket->users->contains($request->user())) {
        return abort(403);
    }
  
    return view('users.tickets.edit', [
        'ticket' => $ticket
    ]);
}

Docs for Collection::contains.

I suggest looking into how you could exclude your authorisation logic into gates and policies.
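The following is an added example of the gates-and-policies approach the answer points to; it is not code from the question or from this answer. It assumes the `ticket_user` pivot and the `Ticket::users()` relation from the question, models under `App\Models`, a policy under `App\Policies` (auto-discovered by recent Laravel versions; older ones register it in `AuthServiceProvider::$policies`), and a base controller that uses the `AuthorizesRequests` trait, as the default one does. The validated `title` field and the `tickets.edit` route name are assumptions.

```php
<?php
// app/Policies/TicketPolicy.php  (added example)

namespace App\Policies;

use App\Models\Ticket;
use App\Models\User;

class TicketPolicy
{
    /**
     * A user may update a ticket only if a ticket_user row links them to it.
     * The query form asks the database for that one row instead of loading
     * every member of the ticket just to call Collection::contains().
     */
    public function update(User $user, Ticket $ticket): bool
    {
        return $ticket->users()->whereKey($user->getKey())->exists();
    }

    // Reading the edit form is governed by the same rule as writing.
    public function view(User $user, Ticket $ticket): bool
    {
        return $this->update($user, $ticket);
    }
}

// app/Http/Controllers/TicketController.php  (added example)

namespace App\Http\Controllers;

use App\Models\Ticket;
use Illuminate\Http\Request;

class TicketController extends Controller
{
    public function edit(Request $request, Ticket $ticket)
    {
        // Denied policies throw AuthorizationException, which Laravel renders as HTTP 403.
        $this->authorize('view', $ticket);

        return view('users.tickets.edit', ['ticket' => $ticket]);
    }

    public function update(Request $request, Ticket $ticket)
    {
        // The form's ticket ID is attacker-controlled, so the write path must run the
        // same check as the edit page; guarding only edit() leaves the PUT request open.
        $this->authorize('update', $ticket);

        $validated = $request->validate(['title' => 'required|string|max:255']); // assumed field

        $ticket->update($validated);

        return redirect()->route('tickets.edit', $ticket); // assumed route name
    }
}

// routes/web.php  (added example) - the same policy can be enforced per route
// with the built-in "can" middleware instead of calling authorize() in the action:
//
// Route::put('/tickets/{ticket}', [TicketController::class, 'update'])
//     ->middleware(['auth', 'can:update,ticket']);
```

Whichever form is used, the check has to run on every route that reads or mutates the ticket, not just on the page that renders the form.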

0
votes

The right implementation for me looks like this.

The models:

User
  id
  ...

Ticket
  id
  ...

UserTicket
  id
  ticket_id
  user_id

When you create a ticket you have to create a new UserTicket for every user who is able to edit the ticket.

Then you check if there is a record in UserTicket that has the user_id.

For example:

The Ticket model

// Each UserTicket row carries this ticket's id and one user_id, so the
// relation is a plain hasMany on the join model (hasManyThrough would look
// for ticket_id on the users table instead).
public function users()
{
    return $this->hasMany(UserTicket::class);
}

And the edit controller

public function edit(Ticket $ticket)
{
    $currentUser = request()->user();
    $ticketUsers = $ticket->users; // UserTicket rows for this ticket

    // loop each ticketUser and check its user_id == $currentUser->id
    foreach ($ticketUsers as $ticketUser) {
        if ($ticketUser->user_id === $currentUser->id) {
            return view('users.tickets.edit', ['ticket' => $ticket]);
        }
    }

    // no UserTicket row links the current user to this ticket
    abort(403);
}
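An added example, not part of this answer, of the same "is there a join row for this user" rule applied at lookup time rather than after the fact, together with a feature test that verifies a changed form ID is rejected. It assumes the `User::ticket()` belongsToMany relation from the question, model factories on `User` and `Ticket`, and the `tickets.edit` route name and `title` field, all of which are assumptions.

```php
<?php
// app/Http/Controllers/TicketController.php  (added example)

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class TicketController extends Controller
{
    // Resolve the ticket through the current user's own relation. The join is
    // part of the query, so an ID that is not linked to this user is simply not
    // found: findOrFail() throws ModelNotFoundException and Laravel answers 404.
    public function edit(Request $request, int $ticketId)
    {
        $ticket = $request->user()->ticket()->findOrFail($ticketId);

        return view('users.tickets.edit', ['ticket' => $ticket]);
    }

    public function update(Request $request, int $ticketId)
    {
        // Same scoped lookup on the write path; the ID posted back from the form is untrusted.
        $ticket = $request->user()->ticket()->findOrFail($ticketId);

        $ticket->update($request->validate(['title' => 'required|string|max:255'])); // assumed field

        return redirect()->route('tickets.edit', $ticket); // assumed route name
    }
}

// tests/Feature/TicketAccessTest.php  (added example)

namespace Tests\Feature;

use App\Models\Ticket;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class TicketAccessTest extends TestCase
{
    use RefreshDatabase;

    public function test_member_can_open_edit_form(): void
    {
        $user   = User::factory()->create();
        $ticket = Ticket::factory()->create();
        $ticket->users()->attach($user); // one row in ticket_user

        $this->actingAs($user)
             ->get("/tickets/{$ticket->id}/edit")
             ->assertOk();
    }

    public function test_submitting_another_users_ticket_id_is_rejected(): void
    {
        $outsider     = User::factory()->create();
        $victimTicket = Ticket::factory()->create();
        $victimTicket->users()->attach(User::factory()->create());

        // Constructed request: the outsider submits the form with a ticket ID they are not linked to.
        $this->actingAs($outsider)
             ->put("/tickets/{$victimTicket->id}", ['title' => 'changed'])
             ->assertNotFound();

        $this->assertDatabaseMissing('tickets', [
            'id'    => $victimTicket->id,
            'title' => 'changed',
        ]);
    }
}
```

Scoping the lookup returns 404 instead of 403 for foreign IDs, which also avoids confirming to the caller that the ticket exists; the test pins that behaviour so a later refactor cannot quietly reopen the hole.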