Hello everyone, I'm stuck trying to validate a request for a model named OrderDetail (OrderDetails\OrderDetailSchema, OrderDetails\OrderDetailRequest); the related toOne model order contains the column user_id; my thoughts were that I could use Rule::exists for this...

I'm using a global scope on both Order and OrderDetail that prevents authenticated users from checking other users' orders. The server serving method looks like this...
```php
if (Auth::check())
{
    Models\Order::addGlobalScope(function (Builder $query) {
        $query->where('user_id', '=', Auth::id());
    });
    Models\OrderDetail::addGlobalScope(function (Builder $query) {
        $query->whereHas('order', function (Builder $q) {
            $q->where('user_id', '=', Auth::id());
        });
    });
}
```
The scopes on their own do not allow some authenticated user to create order_details with an order attached to another user, as the response is 404 relationship not found...

However, if the global scopes were not in place, I'd like to receive a 422 invalid order response, which I thought I could make by adding the following to the rules method on the order detail request...
```php
return [
    ... ,
    'order' => [
        Rule::exists('orders')->where(function ($q) {
            $id = request('data.relationships.order.data.id');
            $q->where('id', $id)->where('user_id', Auth::id());
        }),
        JsonApiRule::toOne(),
        'required',
    ],
];
```
If I run:

```php
DB::table('orders')->where('id', request('data.relationships.order.data.id'))->where('user_id', Auth::id())->exists()
```

the response is always invalid order whether the result is true or false.