Laravel 4 Prevent Authenticated users from viewing other user profiles

Question

I am wondering how in laravel 4 the following is possible. I have a filter to check if a user is authenticate on all routes that have user/*. My filter works as it is suppose to but lets say that a user is logged in their url will look something like this user/id. How do I prevent an authenticated user from viewing another user?

Answer 1

In your Auth filter you can access the route parameter ('user/{id}') and can check logged in user's id with the id passed in the url like

Route::filter('auth', function($route)
{
    // get the id from rouqe
    $id = $route->getParameter('id');
    if( Auth::check() && Auth::user()->id != $id) {
        // not authenticated user, so access is denied
        return Redirect::to('/');
    }
});

Answer 2

If it is a blanket policy that a user can only view their own profile then could you just check that the id from user/{id} route matches the current user id from the login session, eg. in the profile controller something like:

public function getProfile($profile_id) {
    if (Auth::user()->id != $profile_id) {
        //this is not your profile - don't be nosey!
    } else {
        //have you got nothing better to do than look at yourself all day!
    }
}

Glen

Answer 3

another approach is to change your urls.. why have url like user/{id} ? just change it to for example

 user/profile

and inside the controller do something like:

$user = Auth::user();

that way the user just cant fake is id.. i only use urls with the id in the admin area where i need to edit some user:

/admin/{id}/edit