Wednesday, March 29, 2017

Laravel only retrieve Model Records if they belong to authenticated user

I'm using Laravel 5.4 and have a Model called Order. To test things I've created two users and two Orders, each user having one Order.

I've just seen that I'm able to retrieve the order of someone who is not my current user. I'm retrieving a list of a user's own orders using Auth::user()->orders. But in order to show the details of a specific order I do this:

/**
 * Display the specified resource.
 *
 * @param  int  $id
 * @return \Illuminate\Http\Response
 */
public function show($id)
{
    $order = CustomerOrder::findOrFail($id)->with('products')->get();
    return view('order.show')
        ->with('order', $order);
}

What am I missing out here? Is there a middleware or something to tell the application to only allow access to orders associated with the authenticated user?



via Scarwolf
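
An added example, not part of the original post: one way to restrict show() to the authenticated user's own orders is to run the lookup through the user's orders relation instead of the model class. The controller name is hypothetical, and it assumes User::orders() is a hasMany relation to CustomerOrder, as the Auth::user()->orders call in the post suggests.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Support\Facades\Auth;

// Hypothetical controller name; the post does not name its controller.
class OrderController extends Controller
{
    public function __construct()
    {
        // Reject unauthenticated requests before any action runs,
        // so Auth::user() is never null inside show().
        $this->middleware('auth');
    }

    /**
     * Display one order, but only if it belongs to the logged-in user.
     *
     * @param  int  $id
     */
    public function show($id)
    {
        // Assumption: User::orders() is a hasMany relation to CustomerOrder.
        // Starting from the relation adds the relation's foreign-key
        // constraint for the current user to the lookup, so an id that
        // belongs to another user raises ModelNotFoundException (a 404)
        // instead of returning that user's data.
        // with() is called before findOrFail() so the result is the single
        // matching order with its products eager-loaded.
        $order = Auth::user()
            ->orders()
            ->with('products')
            ->findOrFail($id);

        return view('order.show')
            ->with('order', $order);
    }
}
```

The auth middleware only establishes who is logged in; the ownership check comes from scoping the query to that user's relation.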
