Validation of user input with a request in Laravel: authorization

In one of our previous blogs, we discussed the options you have for the validation of user input. The most simple option is to do the validation directly in the controller. A more sophisticated approach is to use a ‘form request’. When using a request, the logic for the validation is separated from the code that handles the request and for example saves the input in the database. This leads to much cleaner code.


As described in the previous blog, a request can easily be created via the command line. By default a request comes with two methods: an authorize method and a rules method. The rules method was the subject of the other blog, but the authorize method was skipped.
However, the authorize method is extremely powerfull and deserves a post on its own.

Imagine the following situation: You have an online portal in which users are allowed to upload photo’s for a personal photobook of their kids. Obviously, they should only be able to upload photo’s for their own kids, not for kids of other users.

Using Laravel’s middleware, we can easily assure that the user is signed in, so that the upload route is only accessible to users that signed in. In this case we need to go one step further, we have to avoid that users with bad intensions upload content to someone elses photobook. The authorize method of the form request can be used for this case,

Middleware or Request?

It may be a bit tricky to decide which part of the logic should be written as middleware and which code should be in the authorize function of the request. Theoretically, you can write middleware which handles the whole validation, including the check whether a user is uploading a photo to it’s own account. However, changes are that you have to write separate middleware foreach individual route, because each route may have soms very specific details.

As a rule of thumb, I use middleware only to determine whether a user has access to a specific route. So in this example, the ‘auth’ middleware is applied to the route that handles the photo upload: if a user is signedin, the user has permissions to upload a photo and has access to the route. In the authorize function of the request, more detailed logic is written, which checks whether the user is not cheating and trying to upload to someone elses account.

In this example, the authorize method of the request contains the following code:

* Determine if the user is authorized to make this request.
* @return bool
public function authorize()
   $kidId = Request::get('kid_id');

   $ownKid = Auth::user()->kids()->where('id',$kidId)->first();

   if ($ownKid) {
      return true;

   return false;

The ‘kid_id’ is retrieved from a hidden form field. We check wether the user that is signed in has a kid with the id that wat submitted through the form. If yes, true is returned and the request proceeds. If not, the user will get a ‘forbidden’ error. This error can be catched, but this is beyond the scope of this blog.

Next, when a user is authorized to make the request, the rules function will be applied to the request to check whether the submitted input has the correct format. This is discussed in more detail in this blog.


By using the authorize method of a form request, you can easily make sure that users only perform actions which they are allowed to do.

Mijn Twitter profiel Mijn Facebook profiel
Leonie Derendorp Webdeveloper and co-owner of PLint-sites in Sittard, The Netherlands. I love to create complex webapplications using Laravel! All posts
View all posts by Leonie Derendorp

Leave a Reply

Your email address will not be published. Required fields are marked *