I have an API URL as:
api/classes/{id}
and I have a Class Controller and a show() function defined inside it as below:
public function show($id)
{
    $classes = $this->classesService->findById($id);
    if ($classes) {
        return response()->json(['message' => 'Success', 'success' => true, 'status' => 200, 'data' => $classes]);
    } else {
        return response()->json(['message' => 'Not found', 'success' => false, 'status' => 404, 'data' => null]);
    }
}
Now the question is: a user is limited to seeing only the class he is registered in. I am getting the class_id from the user.info in the front end and passing it to the API call URL, but I was wondering: if the user calls this API and changes the class_id, he may be able to see every class. How do I make sure he can only access the class id he belongs to?
My next idea was to initialize the class id from back-end like this:
public function show($id)
{
    $classes = $this->classesService->findById(Auth::user()->student->team->class_id);
    if ($classes) {
        return response()->json(['message' => 'Success', 'success' => true, 'status' => 200, 'data' => $classes]);
    } else {
        return response()->json(['message' => 'Not found', 'success' => false, 'status' => 404, 'data' => null]);
    }
}
But this is causing me a problem if I want to later check each class's info from an admin perspective, as admins can see every class's details... This way the admin has no class id and it shows null...
Any idea how to achieve this, so that a user can see only his class and an admin can see all classes?
Will this require two different API calls, two functions?
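One way to keep the single `api/classes/{id}` route and still enforce who may see which class, as an added example that is not part of the question: a Laravel policy decides per record, so a student whose own class_id differs from the id in the URL gets 403, while an admin passes for any id. It assumes a `Classes` Eloquent model, an `is_admin` boolean on `User`, Laravel's automatic policy discovery, PHP 8 for `?->`, and the `student->team->class_id` relation from the question.

```php
<?php
// app/Policies/ClassesPolicy.php (added example; model and column names are assumptions)
namespace App\Policies;

use App\Models\Classes;
use App\Models\User;

class ClassesPolicy
{
    // Runs before view(): admins may see every class; returning null
    // means "no opinion", so non-admins fall through to view().
    public function before(User $user, string $ability): ?bool
    {
        return $user->is_admin ? true : null;
    }

    // A student may only view the class their team is assigned to.
    // The ownership check is done server-side, never from a client-supplied id.
    public function view(User $user, Classes $class): bool
    {
        $ownClassId = $user->student?->team?->class_id;
        return $ownClassId !== null && (int) $ownClassId === (int) $class->id;
    }
}

// app/Http/Controllers/ClassController.php (show() only; same service as the question)
use Illuminate\Support\Facades\Gate;

public function show($id)
{
    $classes = $this->classesService->findById($id);
    if (!$classes) {
        return response()->json(['message' => 'Not found', 'success' => false, 'status' => 404, 'data' => null]);
    }

    // Throws AuthorizationException (HTTP 403) unless ClassesPolicy allows it,
    // so a student who edits the id in the URL cannot read another class.
    Gate::authorize('view', $classes);

    return response()->json(['message' => 'Success', 'success' => true, 'status' => 200, 'data' => $classes]);
}
```

Returning 404 before the authorization check tells a student whether a class id exists; if that matters, move the `Gate::authorize` check into a single `findOrFail`-style path that answers 404 for both cases.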