I have three Eloquent models for a recipe management application where User
has many cookbook
, cookbook
has many recipes
and so on (see below).
To authorize I'm using this policy:
public function view(User $user, Recipes $recipe) {
return $user->id === $recipe->cookbook->user_id;
Here is the controller:
public function show($id) {
$recipe = Recipes::find($id);
$this->authorize('view', $recipe);
return $recipe;
Testing this works fine, however I'm getting extra information in my response.
The response somehow gets assigned an extra object cookbook
. After print testing the problem seems to lie on the line $recipe->cookbook->user_id;
where if removed the result came to be as expected.
Am I overlooking something?
class User extends Authenticatable
use HasFactory, Notifiable, HasApiTokens;
protected $fillable = [
protected $hidden = [
protected $casts = [
'email_verified_at' => 'datetime',
public function cookbooks() {
return $this->hasMany('App\Models\Cookbook');
public function recipes() {
return $this->hasManyThrough('App\Models\Recipes', 'App\Models\Cookbook');
class Cookbook extends Model
use HasFactory;
protected $guarded = ['user_id'];
protected $fillable = [
protected $casts = [
'cookbook_shared_user' => 'string'
public function user() {
return $this->belongsTo('App\Models\User');
public function recipes() {
return $this->hasMany('App\Models\Recipes');
class Recipes extends Model
use HasFactory;
protected $guarded = ['cookbook_id'];
protected $fillable = [
public function cookbook() {
return $this->belongsTo('App\Models\Cookbook');
You're loading the relationship in your policy
, exactly where you said:
Now in your controller, you can change your return to:
return $recipe->setAppends([]);
That will remove your appends like cookbook
If you want more control you can use API Resources (Laravel way).