Task Manager: Completing CRUD Functionality in Laravel

Previously in this course, we covered Mastering Named Routes in Laravel for Maintainable Code to decouple our URLs from our view logic. In this lesson, we are finally tying the knot on our core CRUD (Create, Read, Update, Delete) cycle.

We’ve already built the foundation for displaying real database records and securing our application with user-scoped data. Now, we need to allow users to modify and remove those records while ensuring that no user can accidentally (or maliciously) touch data they don't own.

The CRUD Lifecycle: Beyond Creation

In web development, CRUD stands for Create, Read, Update, and Delete. While "Create" and "Read" are essential for showing data, "Update" and "Delete" are where the stakes get higher. When a user edits or deletes a task, we must ensure they are the owner of that task and that the incoming data is sanitized.

Implementing the Edit Flow

To edit a task, we need two components: a form to capture the new data and a controller method to persist it. Since we are using Route Model Binding, our controller action is clean and expressive.

In your TasksController, ensure your update method looks like this:

PHP
public function update(Request $request, Task $task)
{
    #6A9955">// Authorization: Ensure the user owns the task
    $this->authorize('update', $task);

    $validated = $request->validate([
        'title' => 'required|max:255',
        'description' => 'nullable|string',
    ]);

    $task->update($validated);

    return redirect()->route('tasks.index')->with('success', 'Task updated!');
}

By calling $this->authorize('update', $task), we lean on Laravel's policy system to check ownership before the database is ever touched. This is a critical step for data integrity.

Implementing the Delete Flow

Deletion is permanent, so it requires an extra layer of caution. We use the DELETE HTTP verb and a form with the @method('DELETE') directive to signal our intent to the router.

In your index.blade.php file, your delete button should look like this:

HTML
style="color:#808080"><style="color:#4EC9B0">form action="{{ route('tasks.destroy', $task->id) }}" method="POST">
    @csrf
    @method('DELETE')
    style="color:#808080"><style="color:#4EC9B0">button type="submit" onclick="return confirm('Are you sure?')">Deletestyle="color:#808080"></style="color:#4EC9B0">button>
style="color:#808080"></style="color:#4EC9B0">form>

The onclick handler provides a simple client-side safeguard, while the @method('DELETE') ensures our route matches the DELETE verb defined in routes/web.php.

Hands-on Exercise

1. Define the Destroy Route: Add Route::delete('/tasks/{task}', [TasksController::class, 'destroy'])->name('tasks.destroy'); to your web.php.
2. Add the Controller Method: In TasksController, add a destroy(Task $task) method that calls $task->delete() and redirects back to the index.
3. Refactor: Ensure your edit form uses the @method('PUT') or @method('PATCH') directive to handle the update request correctly.

Common Pitfalls

• Forgetting Authorization: Never assume a user has permission to edit or delete a record just because they have the URL. Always use policies or check the user_id column.
• Mass Assignment Vulnerabilities: If you don't define your $fillable array in your Task model, your update() call will fail or be insecure. Check Preventing Mass Assignment in Laravel if you run into issues.
• Missing CSRF Tokens: Deleting a record via a link (GET request) is a security risk. Always use a form with @csrf for state-changing actions.

Recap

We have successfully closed the loop on our Task Manager. By combining Route Model Binding with explicit authorization and proper HTTP verbs, we've built a robust system for managing user data. You now have a fully functional CRUD application that is secure, maintainable, and ready for more complex features.

Up next: We will dive into Database Relationships to associate our tasks with categories or projects, moving beyond flat data structures.