Use new middleware as discussed in chat.

Previousely, any user could update or delete any menu item. Permissions had no effect for api call.
AsgardCms · Feb 22, 2016 · 22b4a1f · 22b4a1f
1 parent d76be7b
commit 22b4a1f
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/Http/apiRoutes.php b/Http/apiRoutes.php
@@ -1,4 +1,14 @@
 <?php
 
-$router->post('menuitem/update', ['as' => 'api.menuitem.update', 'uses' => 'MenuItemController@update']);
-$router->post('menuitem/delete', ['as' => 'api.menuitem.delete', 'uses' => 'MenuItemController@delete']);
+$router->group(['prefix' => '/menuitem'], function () {
+    post('/update', [
+        'as' => 'api.menuitem.update',
+        'uses' => 'MenuItemController@update',
+        'middleware' => 'can:menu.menuitem.update',
+    ]);
+    post('/delete', [
+        'as' => 'api.menuitem.delete',
+        'uses' => 'MenuItemController@delete',
+        'middleware' => 'can:menu.menuitem.destroy'
+    ]);
+});