Security Requests Forms

Hi everyone,

I set a nested resource like this in my routes.php file:

Route::resource('channels','ChannelsController');
Route::resource('channels.posts','PostsController');

and so when I want to show all posts on a given channel I would get the channel id from the URI: GET /channels/{channelId}/posts with the method:

    // PostsController.php
    /**
     * Display a listing of the resource.
     * GET channels/{channelId}/posts/
     * @return Response
     */
    public function index($channelId)
    {
        ...
    }

but when I want to POST, the channel id will not get passed to the store method

    // PostsController.php
    /**
     * Store a newly created post within a channel
     * POST channels/{channelId}/posts/
     * @return Response
     */
    public function store($channelId)
    {
        ... // $channelId is not set
    }

I know there's a solution, passing the data with a hidden field in the form, but it is not secure since anyone can edit it and post the wrong id.

Please let me know, if you have any solution.

Last updated 3 years ago.
0

Use a hidden form input, then check to make sure the given id is valid.

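use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

// Look the channel up server-side; find() returns null for an unknown id
$channel = Channel::find(Input::get('channel_id'));

if (!$channel)
    throw new NotFoundHttpException('channel not found');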

If you want to restrict which users can edit a specific channel, then use filters.

Route::post('/channels', ['before' => 'has_access', 'uses' => 'ChannelController@update']);

Then of course you would have to define the has_access filter however you want. Check out http://laravel.com/docs/4.2/routing to figure out how to do filters.

0
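One way to combine the existence check and the `has_access` filter from the answer above in a Laravel 4.2 app, as an added example that is not part of the original thread: when the form posts to the nested URL, the channel id is read from the route rather than from a hidden field, then checked and authorized on the server. The `members()` relation, the `users` table name, the `title`/`body` fields and the `channel_id`/`user_id` columns are assumptions.

```php
<?php
// Added example (Laravel 4.2), not code from the thread. Assumed names:
// Channel::members() relation on table `users`, Post title/body,
// and channel_id/user_id columns on posts.
// app/filters.php
Route::filter('has_access', function ($route, $request) {
    if (Auth::guest()) {
        return Redirect::guest('login');
    }
    // Nested resources name the URI parameter after the resource: {channels}
    $channel = Channel::find($route->parameter('channels'));
    if (!$channel) {
        App::abort(404, 'channel not found');
    }
    // Membership is decided server-side; no form field takes part in it
    if (!$channel->members()->where('users.id', Auth::id())->count()) {
        App::abort(403);
    }
});

// app/controllers/PostsController.php
// The form posts to the nested URL, e.g.
// Form::open(array('route' => array('channels.posts.store', $channel->id)))
class PostsController extends BaseController
{
    public function __construct()
    {
        $this->beforeFilter('csrf', array('on' => 'post'));
        $this->beforeFilter('has_access', array('only' => array('store')));
    }

    // POST channels/{channels}/posts: $channelId comes from the URI
    public function store($channelId)
    {
        $channel = Channel::findOrFail($channelId);
        $input = Input::only('title', 'body'); // whitelist editable fields
        $validator = Validator::make($input, array(
            'title' => 'required|max:255',
            'body'  => 'required',
        ));
        if ($validator->fails()) {
            return Redirect::back()->withErrors($validator)->withInput();
        }
        $post = new Post($input);         // assumes title/body are fillable
        $post->channel_id = $channel->id; // ids are set by the server
        $post->user_id = Auth::id();
        $post->save();
        return Redirect::route('channels.posts.index', $channel->id);
    }
}
```

Changing the id in the URL only selects a different channel for the same membership check, so a user cannot post into a channel they do not belong to.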

Zianwar zianwar Joined 17 Jul 2014