Restrict document edit/delete to owners and close public registration

Adds DocumentPolicy gating update/delete to the creator (admins bypass via
before()), invokes $this->authorize() in DocumentEditor mount/save/delete,
applies can:update,document on the edit route, hides the edit button for
non-owners, and removes the open /register routes so accounts must be
provisioned via the admin panel.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Yutaka Kurosaki
2026-05-09 10:22:18 +09:00
parent 01a11328ec
commit 692f4d5492
5 changed files with 45 additions and 9 deletions
+3 -1
@@ -44,7 +44,9 @@
// 認証が必要なルート(より具体的なルートを先に定義)
Route::middleware('auth')->group(function () {
Route::get('/create', DocumentEditor::class)->name('create');
Route::get('/{document}/edit', DocumentEditor::class)->name('edit');
Route::get('/{document}/edit', DocumentEditor::class)
->middleware('can:update,document')
->name('edit');
});
// 公開ルート(動的ルートは最後に)
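Review bot: the `can:update,document` middleware on the `/{document}/edit` route only gates the initial GET of the page; if DocumentEditor is a Livewire component, as the `mount/save/delete` wording in the commit message suggests, its later save and delete actions arrive through Livewire's own update endpoint and never pass through this route middleware, so the `$this->authorize()` calls inside the component are the real enforcement for mutations and the route check is a first line of defence only. Worth adding a feature test that asserts a non-owner receives 403 on `GET /{document}/edit` and on the save and delete actions, so the two layers cannot silently drift apart. Also note the middleware depends on the route parameter being named exactly `document` (it is here) so that the bound model is passed to the policy's `update` method; renaming the parameter later would make the check fail closed with a 403 for everyone, which is the safe direction but easy to misdiagnose.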