laravel laravel-routing laravel-8

Laravel routes with no parameter when owner edits employees


I'm using Laravel 8, and I have this situation. Only users with the owner role can update their employees. I have one table for owners, managers, and employees, and its structure is like the following.

id company_id role_id other_fields

I know how to give the owner or manager the authorization to modify employee data and block users who are not part of that particular company from accessing other companies' pages.

However, I would not want the employees' ids to appear in the address, to avoid a 404 page being returned after hypothetical manipulations by the user. What I need is something like the following.

my-domain.myapp/en/edit-employee/1

will become like this

my-domain.myapp/en/edit-employee/

But point precisely to that employee's edit page.

How can I pass the employee id to the controller without passing it through the route and seeing the right employee on the edit page?


Solution

  • You can send it as a post parameter in the request body, something like:

    
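    use Illuminate\Support\Facades\Http;

    // The HTTP client has no update() method; send the id in a POST body.
    $response = Http::post('http://example.com/en/edit-employee/', [
        'user_id' => '12',
    ]);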
    
    

    and then you can retrieve the request body like

    
    use Illuminate\Http\Request;

    class DemoController extends Controller
    {
        public function update(Request $request)
        {
            // Read the employee id from the request body instead of the route.
            $userId = $request->input('user_id');
        }
    }
    

    All that being said, I see no problem in doing it the way you are doing it right now. After all, if a user enters a random id, he will not get access if he is not authorized to, and if the id doesn't exist at all, there is no harm in showing a 404 page (or redirecting the user to another route).
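
Whether the id travels in the route or in the POST body, it is client-controlled, so the controller has to scope the lookup to the caller's company. The following is an added example, not part of the original answer; `EmployeeController`, `App\Models\User`, the `OWNER_ROLE_ID` value and the `name` field are assumptions, while `company_id`, `role_id` and `user_id` come from the page.

```php
<?php

namespace App\Http\Controllers;

use App\Models\User;          // assumption: model for the single users table in the question
use Illuminate\Http\Request;

class EmployeeController extends Controller
{
    // Assumption: role_id that marks an owner; the page does not give the real value.
    private const OWNER_ROLE_ID = 1;

    public function update(Request $request)
    {
        // user_id is in the request body, but the client can still change it.
        $data = $request->validate([
            'user_id' => ['required', 'integer'],
            'name'    => ['required', 'string', 'max:255'], // hypothetical editable field
        ]);

        $actor = $request->user();

        // Only owners may edit employees (the rule stated in the question).
        abort_unless(
            $actor !== null && (int) $actor->role_id === self::OWNER_ROLE_ID,
            403
        );

        // Scope the query to the actor's company: an id that belongs to another
        // company and an id that does not exist both end in the same 404.
        $employee = User::where('company_id', $actor->company_id)
            ->findOrFail($data['user_id']);

        // Assign explicitly instead of mass-assigning the request payload,
        // so role_id and company_id cannot be changed through this endpoint.
        $employee->name = $data['name'];
        $employee->save();

        return redirect()->back();
    }
}
```

The same scoped `findOrFail` works unchanged if the id is kept as a route parameter.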