Securing Laravel

Securing Laravel

Share this post

Securing Laravel
Securing Laravel
Security Tip: Scoping Bindings
Copy link
Facebook
Email
Notes
More

Security Tip: Scoping Bindings

[Tip#23] Because who doesn't love to scope their bindings?

Stephen Rees-Carter
Jun 06, 2022
1
Share

šŸ‘‰ Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code! šŸ•µļø

šŸ‘‰ When was your last security audit or penetration test? Book in a Laravel Security Audit and Penetration Test today! šŸ•µļø

If you use Laravelā€™s Implicit Route Bindings, youā€™ll most likely end up with a route that looks like this:

Route::get(
    '/projects/{project}/plans/{plan}', 
    function (Project $project, Plan $plan) {
        abort_unless($plan->project()->is($project), 404);

        // ...
    }
);

While itā€™s easy to validate that the Plan is owned by the Project, you still need to remember to add it1 to your action, and it can look a bit ugly.

Luckily for us, Laravel has our backs (yet again). There is a handy little method in Laravelā€™s Routing system called `scopeBindings()`, which we can use to tell Laravel to automatically scope implicitly bound models.

Check it out:

Route::get(
    '/projects/{project}/plans/{plan}', 
    function (Project $project, Plan $plan) {
        // ...
    }
)->scopeBindings();

Laravel will automatically attempt to load the ā€œchildā€ binding from a relationship on the ā€œparentā€ binding listed before it. In other words, in our example it will look for a matching Plan model from the plans relationship on the Project model. If the child binding isnā€™t found, itā€™ll throw a 404.

Securing Laravel is 100% reader-supported. Please consider subscribing to receive weekly Security Tips (like this one!), monthly In Depth articles, and to support my security work within the Laravel & PHP Community!

This is the same behaviour as our code above, but without that ugly `abort_unless()`.

The best bit is, since itā€™s a route method we can use it in groups too! This solves the ā€œforgetting to add itā€ problem, since youā€™ll typically group your routes and automatically add them into our scoped group.

Route::scopeBindings()
    ->group(function () {
        Route::get('/projects/{project}/plans/{plan}', ...);
        Route::get('/projects/{project}/plans/{plan}/edit', ...);
        Route::get('/projects/{project}/plans/{plan}/export', ...);
        // ...
});

Nice and simple, just the way we love it in Laravel!

1

Most all of the vulnerabilities Iā€™ve discovered have come about because the developer forgot to include a single line of code to perform authentication, authorisation, or validation. Usually with the exact line required already written for another action in the same controller.

1
Share

No posts

Ready for more?

Ā© 2025 Stephen Rees-Carter
Privacy āˆ™ Terms āˆ™ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More