I'm learning Laravel 5 and I made a membership system with Laravel auth:
php artisan make:auth
php artisan make:controller bilgilerController --resource
The area is shown publicly, but the editing and updating area must be private, so that if I'm logged in to my account and change data, my profile is edited and not someone else's profile.
My id is 1 and my edit area is xxxxx/bilgiler/1/edit,
but if I change the URL by hand to xxxx/bilgiler/2/edit,
I can change the information.
I added a __construct to bilgilerController with
$this->middleware('auth', ['only' => ['edit', 'update', 'destroy']]);
but when I'm not logged in to someone else's account, I cannot access the edit page. But again, with the id 1 account, I can access other users' edit pages.
You're just checking that the user is authorized, but you don't check permissions. So you can create custom middleware, or just add a simple check.

```php
use Illuminate\Support\Facades\Auth;

public function update($id)
{
    // Only the owner may update this record: compare the authenticated
    // user's id with the id taken from the URL.
    if (Auth::user()->id != $id) {
        // return Access error here
        abort(403);
    }
    // Update profile here
}
```
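The check above only covers `update`, while the question's URL hits `edit`; a user who can open the edit form can also submit it, so every owner-only action (`edit`, `update`, `destroy`) needs the same ownership check, and the cleanest place to keep it in Laravel 5 is a policy. The following is an added example, not code from the original answer or from the asker's project. It assumes an `App\Bilgiler` Eloquent model with a `user_id` column pointing at the owning `App\User`, and assumed form fields `ad` and `soyad`; if, as the question suggests, the row id is itself the user id, compare `$user->id === $bilgiler->id` instead.

```php
<?php
// app/Policies/BilgilerPolicy.php (assumed path)
namespace App\Policies;

use App\User;
use App\Bilgiler;

class BilgilerPolicy
{
    // The same ownership rule is reused for every owner-only action,
    // so edit, update and destroy cannot drift apart.
    public function update(User $user, Bilgiler $bilgiler)
    {
        // Assumed schema: bilgiler.user_id references users.id.
        return $user->id === $bilgiler->user_id;
    }

    public function delete(User $user, Bilgiler $bilgiler)
    {
        return $this->update($user, $bilgiler);
    }
}

// app/Providers/AuthServiceProvider.php: register the policy for the model.
//
//     protected $policies = [
//         \App\Bilgiler::class => \App\Policies\BilgilerPolicy::class,
//     ];

// app/Http/Controllers/bilgilerController.php
namespace App\Http\Controllers;

use App\Bilgiler;
use Illuminate\Http\Request;

class bilgilerController extends Controller
{
    public function __construct()
    {
        // Authentication: anonymous visitors are sent to the login page.
        // This says nothing about *which* record they may touch.
        $this->middleware('auth', ['only' => ['edit', 'update', 'destroy']]);
    }

    public function edit($id)
    {
        $bilgiler = Bilgiler::findOrFail($id);
        // Authorization: throws a 403 response when the policy returns false,
        // so the form for someone else's record is never rendered.
        $this->authorize('update', $bilgiler);

        return view('bilgiler.edit', compact('bilgiler'));
    }

    public function update(Request $request, $id)
    {
        $bilgiler = Bilgiler::findOrFail($id);
        $this->authorize('update', $bilgiler);

        // Whitelist the fields; never pass $request->all() into update().
        $bilgiler->update($request->only(['ad', 'soyad']));

        return redirect()->route('bilgiler.show', $bilgiler->id);
    }

    public function destroy($id)
    {
        $bilgiler = Bilgiler::findOrFail($id);
        $this->authorize('delete', $bilgiler);
        $bilgiler->delete();

        return redirect()->route('bilgiler.index');
    }
}
```

`$this->authorize()` comes from the `AuthorizesRequests` trait that the base `Controller` class ships with in Laravel 5.1 and later, and it aborts with 403 when the policy method returns false. Loading the record first and then checking its owner, rather than comparing the raw `$id` from the URL with the session user, also means the rule keeps working if a user ever owns a record whose id differs from their own.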