To be clear, you're asking about how to prevent this scenario:
I have, for example, a private photo at http://myapp/private/photo/5
You uploaded a photo at http://myapp/private/photo/6
You shouldn't be allowed to view my photo at http://myapp/private/photo/5
Like most OWASP things there are a few approaches to fixing the problem.
Only rely on known authentication data, as provided in Auth::user(). Don't use any other request parameters to look up the User's ID.
Use relations to limit any queries to records that the current user has access to.
In your controller, instead of doing:

```php
$photo = Photo::find($id);
```

Do this:

```php
// In your User model:
// ...

// A user has many photos; every query built through this relation is
// constrained to rows whose user_id is the current user's id.
public function photos()
{
    return $this->hasMany('App\Photo');
}

// ...

// Then, in your controller:
public function view($id)
{
    // find() runs against the relation, so a photo owned by someone else
    // is simply not found (null) rather than being returned.
    $photo = Auth::user()->photos()->find($id);
}
```
I'm not sure how to translate that into L5-style dependency injection, but I think the idea is clear. Hope that helps!
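To make the difference concrete, here is an added example (not from Phred's post and not Laravel's own code) that runs the SQL each controller variant reduces to against an in-memory SQLite table; the table, the photo rows and the user ids are constructed for illustration, and the hasMany relation is approximated by the extra user_id condition it adds to the WHERE clause.

```php
<?php
// Added example: the SQL behind Photo::find($id) versus
// Auth::user()->photos()->find($id), executed with plain PHP (pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photos (id INTEGER PRIMARY KEY, user_id INTEGER, path TEXT)');
// Constructed sample data: photo 5 belongs to user 1, photo 6 to user 2.
$db->exec("INSERT INTO photos VALUES (5, 1, 'alice.jpg'), (6, 2, 'bob.jpg')");

// Vulnerable lookup (Photo::find($id)): only the request-supplied id is used,
// so any authenticated user can fetch any photo by guessing ids.
function findPhotoUnscoped(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM photos WHERE id = ? LIMIT 1');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Scoped lookup (Auth::user()->photos()->find($id)): the owner id comes from
// the authenticated session, never from the request, and is part of the WHERE.
function findPhotoForUser(PDO $db, int $authUserId, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM photos WHERE user_id = ? AND id = ? LIMIT 1');
    $stmt->execute([$authUserId, $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// The thread's scenario: user 2 requests photo 5, which belongs to user 1.
$currentUser = 2;
$leaked = findPhotoUnscoped($db, 5);
$scoped = findPhotoForUser($db, $currentUser, 5);
$own    = findPhotoForUser($db, $currentUser, 6);

echo 'unscoped lookup of photo 5 as user 2: ' . ($leaked ? $leaked['path'] : 'null') . PHP_EOL;
echo 'scoped lookup of photo 5 as user 2:   ' . ($scoped ? $scoped['path'] : 'null') . PHP_EOL;
echo 'scoped lookup of photo 6 as user 2:   ' . ($own ? $own['path'] : 'null') . PHP_EOL;
```

In the controller, a null result from the scoped query is the signal to respond with 404 (or 403) instead of rendering the photo.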
Dear Phred, thanks a lot, that makes sense. I am currently using L4. I haven't used any relations for now; I am controlling user-specific data using Auth::user(). If I am correct, when a user is logged in a session will be created and all the columns from the users table will be assigned to the session.
Hi all,
I too read the OWASP top ten guide and successfully ticked off all of the security vulnerabilities of an app I was building which needed to be really secure... apart from the Direct Object Referencing. As swappdeveloper I trawled Google for a Laravel friendly way before giving up with other tasks. I have revisited this issue today and have implemented a successful Middleware solution with Laravel 5.
In short, a user is authenticated to the app through a login form; the logged-in URI contains the user's company name, which is checked against the authenticated user's company relationship name. This means that if a user tries to enter a different company name when logged in, it will be checked, and if it doesn't belong to them they are redirected, e.g.:
# www.theapp.com/@CompanyShortName/dashboard
The Middleware that runs on the request after the authentication process looks like this:

```php
class AreYouAllowed
{
    public function handle($request, Closure $next)
    {
        // The route parameter is resolved by route model binding to a Company
        // model; compare its short_name with the authenticated user's company.
        if (
            $request->route('companyShortName')->short_name !=
            $request->user()->company->short_name
        ) {
            // The company in the URI is not the user's own: send them to logout.
            return redirect('logout');
        }

        return $next($request);
    }
}
```
While I am using route model binding with a route parameter of a company name the premise would still be the same for users and their other related resources.
I hope this might help someone with a problem I couldn't seem to find an obvious solution for.
Thanks, Thatdoorsajar