Laravel how to make that id would not be shown through inspect - laravel

I have form like this
<form action="{{ url('/reviews/delete', ['id' => $review->id]) }}" method="POST">
{{ method_field('DELETE') }}
{!! csrf_field() !!}
<a class="delete right-button"> <i class="fa fa-trash-o" aria-hidden="true"></i> </a>
</form>
When I use inspect I see the id, and if I change it I can delete a different record, depending on which id I fill in through inspect. How do I avoid this?

You can check in the controller like so
abort_if($user->id !== $review->user_id, 404);
Personally I like using policies: https://laravel.com/docs/5.6/authorization#writing-policies
$this->authorize('delete', $review);

The thing is that HTML already renders the form and when you submit it, request reads the URL inside the action and goes there, so there is no 'real' answer on how to prevent it, but you can put some validation in the FormRequest.
If you want to go further you can create Model Policy and check if the review belongs to the user which is trying to remove it, or some other kind of validation.
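The ownership check both answers describe, written as a policy and enforced in the controller (an added example, not code from the original posts). The `App\Review` model, `ReviewController`, the route line and the policy registration are assumptions; `user_id` and the `delete` ability come from the answers above.

```php
<?php
// Added example. Assumed names: App\Review with a user_id column, ReviewController.
// routes/web.php (assumed):
//   Route::delete('/reviews/delete/{review}', 'ReviewController@destroy')->middleware('auth');
// app/Providers/AuthServiceProvider.php, inside $policies (assumed):
//   \App\Review::class => \App\Policies\ReviewPolicy::class,

// --- app/Policies/ReviewPolicy.php ---
namespace App\Policies;

use App\Review;
use App\User;

class ReviewPolicy
{
    // Only the review's author may delete it.
    public function delete(User $user, Review $review)
    {
        // Cast both sides: some database drivers return integer columns as
        // strings, which would make a strict comparison fail for the owner too.
        return (int) $user->id === (int) $review->user_id;
    }
}

// --- app/Http/Controllers/ReviewController.php ---
namespace App\Http\Controllers;

use App\Review;

class ReviewController extends Controller
{
    // {review} is resolved by implicit route model binding; an unknown id gives a 404.
    public function destroy(Review $review)
    {
        // Throws AuthorizationException (HTTP 403) unless ReviewPolicy::delete() returns true.
        $this->authorize('delete', $review);

        $review->delete();

        return redirect()->back()->with('status', 'Review deleted.');
    }
}
```

The id stays visible in the form action; editing it in the inspector now produces a 403 for any review the logged-in user does not own.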

Related

Append data to form using through DOM?

Form which uses POST method:
<div>
<form action="{{ route('post.store') }}" method="POST">
<input type="text" name="name">
<input type="text" name="text">
<button type="submit">Submit</button>
</form>
@foreach ($comments as $comment)
{{ $comment->text }}
Reply
@endforeach
</div>
Array of $comments is being returned when the view itself is returned.
Basically, I am interested if there is a way to append $comment->id to the data that will be sent to server on Submit button click using Laravel Blade or AlpineJS, but without creating any additional functions between <script> tags? I mean, is it possible to do something like this: Reply?
EDIT:
I expressed myself wrongly. I don't want to append new id every time Reply is clicked, but to overwrite corresponding property in data which is going to be sent to server when Submit button is clicked with the $comment->id for which Reply was clicked for.
I assume you are using Laravel Resource Controller
Not sure I totally understand why you want to send all comment ids when submitting the form but when calling the route post.store you should better send the post id
<form action="{{ route('post.store', ['post' => $post]) }}" method="POST">
If you want to get all comment id and have proper model relationships set up in your models you can get all comments for a post in your controller.
To send a specific id in your form create a new <input name="comment_id" value=""> and let that field be populated.

Laravel verification.resend - The GET method is not supported for this route. Supported methods: POST

Odd question here. I'm using the default Auth::routes(['verify' => true]); in Laravel 6. So I register (custom registration form) and all works fine (added to database etc.), then I am taken to the verification page where it has an email link to resend. When I click this I get:
The GET method is not supported for this route. Supported methods: POST.
The view has this named route in the link: route('verification.resend')
As you can see here. Verify resend is a POST route. So GET method is not allowed. So it should be a form Post instead.
If you are using blade something like this will get you there.
<form method="POST" action="{{ route('verification.resend') }}">
@csrf
</form>
Because in laravel 6+ they added this route as a post so you can do it by below code
<a onclick="event.preventDefault(); document.getElementById('email-form').submit();">{{ __('click here to request another') }}
</a>.
<form id="email-form" action="{{ route('verification.resend') }}" method="POST" style="display: none;">
@csrf
</form>

Laravel WhereIn Doesn't Accept Array Value

I have this on my blade file:
{{ Form::open(['route' => 'my_route_name']) }}
<button type="submit" class="btn btn-sm btn-success">
<i class="fa fa-file-excel-o" aria-hidden="true"></i> Download
</button>
{{ Form::hidden('my_ids', $my_ids) }}
{{ Form::close() }}
Checking on the chrome's developer mode, the value of my hidden textbox named my_ids is:
[1,2,3,4,5,6]
Upon clicking the Download button, it goes on my controller:
$results= Model::whereIn('id', $request->my_ids)->get();
This is where I am getting an error.
DD-ing dd($request->my_ids) on my controller gives me "[1,2,3,4,5,6]".
However, if I just put the values directly on the eloquent query like below, it would work.
$results= Model::whereIn('id', [1,2,3,4,5,6])->get();
Am I missing something here?
Your dd shows that $request->my_ids is a string, therefore you must parse it before you use it as array.
Try
$results= Model::whereIn('id', json_decode($request->my_ids))->get();
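A hidden field such as `my_ids` is client-controlled, so the decoded value is worth checking before it reaches `whereIn()`: `json_decode()` returns `null` on malformed input and can also return maps, nested arrays or non-integer values. The following is an added example, not code from the original answer; `parseIdList()` and its size limit are hypothetical.

```php
<?php
// Added example; parseIdList() is a hypothetical helper, not a Laravel function.
function parseIdList($raw, $maxIds = 1000)
{
    if (!is_string($raw)) {
        return null;               // field missing, or sent as my_ids[]=...
    }
    $decoded = json_decode($raw, true);
    // Reject invalid JSON (null), scalars, JSON objects, empty and oversized lists.
    if (!is_array($decoded) || $decoded !== array_values($decoded)
        || count($decoded) === 0 || count($decoded) > $maxIds) {
        return null;
    }
    foreach ($decoded as $id) {
        if (!is_int($id) || $id < 1) {
            return null;           // nested arrays, strings, floats, non-positive ids
        }
    }
    return array_values(array_unique($decoded));
}

// Constructed sample inputs, as they could arrive in the my_ids field.
$samples = ['[1,2,3,4,5,6]', '[1,"abc"]', '{"a":1}', 'not json', '[]', '[[1,2]]'];
foreach ($samples as $raw) {
    $ids = parseIdList($raw);
    echo str_pad($raw, 16), ' => ', $ids === null ? 'rejected' : json_encode($ids), PHP_EOL;
}

// In the controller from the question:
//   $ids = parseIdList($request->input('my_ids'));
//   abort_if($ids === null, 422);
//   $results = Model::whereIn('id', $ids)->get();
```

This checks only the shape of the input; whether the current user may export those rows is a separate authorization question.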

Laravel: How to create link buttons on a view dynamically?

I'm making a College Administration website where a professor can log in.
I have a dashboard, where my dynamically generated button should be placed: (right now it just has dummy buttons!)
Generated by this view file, which I will have to modify soon:
<div class="container d-flex flex-column align-items-center justify-content-center">
<h1>IA DASHBOARD</h1>
<br>
<div class="grid2">
SUBCODE 1</button>
SUBCODE 2</button>
SUBCODE 3</button>
</div>
Tables in the Database:
the table iamarks contains the data (student info, and marks) that is to be displayed after /subcode/{subcode} narrows it down to records of just the students that are in the class assigned to current logged-in professor.
classroom_mappers is a table used to map a professor to a classroom with a subject. It makes sure that one classroom only has one professor for a particular subject.
the routes currently in my web.php:
Route::get('/ia', 'IAController@show')->middleware('auth');
Route::get('/subcode/{subcode}', 'IAController@showTable')->middleware('auth');
...and these are the methods inside my controller:
//shows buttons to the user:
public function show(){
$subcodes = DB::table('classroom_mappers')
->select('subcode')
->where([['PID','=', auth()->user()->PID]])
->get();
return view('ia',compact('subcodes'));
}
//when user clicks a button, subcode is to be generated and a table is to be shown:
//it works, I tried it by manually typing in subcode value in URL.
public function showTable($subcode){
$sem = DB::table('classroom_mappers')
->where([['PID','=', auth()->user()->PID],
['subcode','=',$subcode]])
->pluck('semester');
$division = DB::table('classroom_mappers')
->where([['PID','=', auth()->user()->PID],
['semester','=',$sem],
['subcode','=',$subcode]])
->pluck('division');
$data = DB::table('iamarks')
->where([['semester','=',$sem],
['division','=',$division],
['subcode','=',$subcode]])
->get();
return view('subcode',compact('data'));
}
My Problem:
To be able to generate the {subcode} in the URL dynamically, I want to create buttons in the dashboard using the data $subcodes. The controller hands over the $subcodes (an array of subject codes which belong to logged in professor) which are to be made into buttons from the show() method.
The buttons should have the name {subcode} and when clicked, should append the same subject code in the URL as {subcode}.
How do I make use of $subcodes and make the buttons dynamically?
How do I make sure the buttons made for one user are not visible to another user?
I managed to find the solution, thanks to Air Petr.
Apparently, you can't nest blade syntax like {{some_stuff {{ more_stuff }} }} and it generates a wrong php code. I modified the solution by Air Petr to:
<div class="grid2">
@foreach ($subcodes as $subcode)
<a href="<?php echo e(url('/subcode/'.$subcode->subcode));?>">
<button class="btn btn-outline-primary btn-custom-outline-primary btn-custom">
<?php
echo e($subcode->subcode);
?>
</button>
</a>
@endforeach
</div>
It generates the buttons perfectly. The buttons for one user are not visible to another, since I'm using PID constraint in a query (['PID','=', auth()->user()->PID]).
Pass the passcodes array to view:
$subcodes = []; // Array retrieved from DB
return view('subcode', compact('subcodes'));
And in subcode.blade.php, loop through each subcode:
<div class="grid2">
@foreach($subcodes as $subcode)
<a href="{{ url('/subcode/' . $subcode->subcode) }}">
<button class="btn btn-outline-primary btn-custom-outline-primary btn-custom">SUBCODE {{ $subcode->subcode }}</button>
</a>
@endforeach
</div>
You can loop your codes to create buttons. Something like this (it's for "blade" template engine):
<div class="grid2">
@foreach ($subcodes as $subcode)
{{ $subcode->subcode }}</button>
@endforeach
</div>
Since you're using a PID constraint in a query (['PID','=', auth()->user()->PID]), you'll get buttons for that specific PID. So there's no problem.

Is it possible to delete record without using forms in laravel 5.4

I want to delete a record but I haven't been successful; apparently my code is wrong. Solutions I came across say I have to use a post in my form method and add the method_field helper. This would mean my view having a form in it, and I want to avoid this if possible. Is it then possible to do my delete another way? Below is my code.
snippet of my view
<div class="backbtn">
<a class="btn btn-savvy-delete" href="/tasks/{{$task->id}}" data-toggle="tooltip" title="Delete"><i class="fa fa-trash-o" aria-hidden="true"> Delete</i></a>
</div>
<div class="panel-body">
<p><strong>Owner:</strong> {{ ucfirst($task->employee->firstname) }} {{" "}} {{ ucfirst($task->employee->lastname) }}</p>
<p><strong>Task:</strong> {{ $task->title }}</p>
<p><strong>Description:</strong> {{ $task->description }}</p>
</div>
TaskController
public function destroy($id)
{
Task::destroy($id);
Session::flash('status', "Task was successfully deleted.");
return redirect('/tasks');
}
web.php
Route::delete('/tasks/{id}', 'TaskController@delete');
I'm not sure what error you are getting, but I can point out a few things. For one, use Route::get instead of ::delete; you are calling it via a link, not a form method.
Secondly, to delete, follow what the Laravel doc says here, e.g.
$task = App\Task::find(1);
$task->delete();
