From 22b4a1f79f8fa8d70ba4286b234b8aa6e7c3be50 Mon Sep 17 00:00:00 2001
From: Michael Ruoss
Date: Mon, 22 Feb 2016 17:57:53 +0100
Subject: [PATCH] Use new middleware as discussed in chat. Previousely, any user could update or delete any menu item. Permissions had no effect for api call.
---
Http/apiRoutes.php | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/Http/apiRoutes.php b/Http/apiRoutes.php
index 7b31049..102d493 100644
--- a/Http/apiRoutes.php
+++ b/Http/apiRoutes.php
@@ -1,4 +1,14 @@ post('menuitem/update', ['as' => 'api.menuitem.update', 'uses' => 'MenuItemController@update']);
-$router->post('menuitem/delete', ['as' => 'api.menuitem.delete', 'uses' => 'MenuItemController@delete']);
+$router->group(['prefix' => '/menuitem'], function () {
+ post('/update', [
+ 'as' => 'api.menuitem.update',
+ 'uses' => 'MenuItemController@update',
+ 'middleware' => 'can:menu.menuitem.update',
+ ]);
+ post('/delete', [
+ 'as' => 'api.menuitem.delete',
+ 'uses' => 'MenuItemController@delete',
+ 'middleware' => 'can:menu.menuitem.destroy'
+ ]);
+});
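Review bot: The delete route is guarded by `can:menu.menuitem.destroy` while its route name and controller action both say `delete`, so it is worth confirming that `menu.menuitem.destroy` and `menu.menuitem.update` are keys the module's permission list actually defines; how the `can` middleware treats an unknown key, or a request with no logged-in user, is not visible in this hunk. Because the permission is attached per route, a route added to this group later is unprotected unless its author remembers the `middleware` entry; a comment above the group such as `// Every route in this group must declare a 'can:<permission>' middleware.` would make that rule explicit. Inside the closure the routes are registered with the bare `post()` helper rather than the `$router` instance used for `group()`; taking the router as the closure argument, `function ($router) {` with `$router->post('/update', [`, keeps registration on one object and does not depend on the global helper. Since this commit closes a missing-authorization gap on state-changing endpoints, a test asserting that a user without the permission is rejected on both routes would keep it from regressing.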