Update CollectionController

app/Http/Controllers/CollectionController.php

@@ -63,18 +63,18 @@ class CollectionController extends Controller
 
     public function store(Request $request, $id)
     {
-        abort_if(!Auth::check(), 403);
+        abort_if(!$request->user(), 403);
         $this->validate($request, [
             'title'         => 'nullable|max:50',
             'description'   => 'nullable|max:500',
             'visibility'    => 'nullable|string|in:public,private,draft'
         ]);
 
-        $profile = Auth::user()->profile;   
-        $collection = Collection::whereProfileId($profile->id)->findOrFail($id);
-        $collection->title = e($request->input('title'));
-        $collection->description = e($request->input('description'));
-        $collection->visibility = e($request->input('visibility'));
+        $pid = $request->user()->profile_id;
+        $collection = Collection::whereProfileId($pid)->findOrFail($id);
+        $collection->title = strip_tags($request->input('title'));
+        $collection->description = strip_tags($request->input('description'));
+        $collection->visibility = $request->input('visibility');
         $collection->save();
 
         return CollectionService::setCollection($collection->id, $collection);
@@ -82,7 +82,7 @@ class CollectionController extends Controller
 
     public function publish(Request $request, int $id)
     {
-        abort_if(!Auth::check(), 403);
+        abort_if(!$request->user(), 403);
         $this->validate($request, [
             'title'         => 'nullable|max:50',
             'description'   => 'nullable|max:500',
@@ -94,8 +94,8 @@ class CollectionController extends Controller
             abort(404);
         }
         $collection->title = e($request->input('title'));
-        $collection->description = e($request->input('description'));
-        $collection->visibility = e($request->input('visibility'));
+        $collection->description = strip_tags($request->input('description'));
+        $collection->visibility = strip_tags($request->input('visibility'));
         $collection->published_at = now();
         $collection->save();
         return CollectionService::setCollection($collection->id, $collection);
@@ -103,30 +103,32 @@ class CollectionController extends Controller
 
     public function delete(Request $request, int $id)
     {
-        abort_if(!Auth::check(), 403);
-        $user = Auth::user();
+        abort_if(!$request->user(), 403);
+        $user = $request->user();
 
         $collection = Collection::whereProfileId($user->profile_id)->findOrFail($id);
         $collection->items()->delete();
         $collection->delete();
 
+        CollectionService::deleteCollection($id);
+
         if($request->wantsJson()) {
             return 200;
         }
 
-        CollectionService::deleteCollection($id);
-
         return redirect('/');
     }
 
     public function storeId(Request $request)
     {
+        abort_if(!$request->user(), 403);
+
         $this->validate($request, [
             'collection_id' => 'required|int|min:1|exists:collections,id',
-            'post_id'       => 'required|int|min:1|exists:statuses,id'
+            'post_id'       => 'required|int|min:1'
         ]);
         
-        $profileId = Auth::user()->profile_id;
+        $profileId = $request->user()->profile_id;
         $collectionId = $request->input('collection_id');
         $postId = $request->input('post_id');
 
@@ -151,6 +153,7 @@ class CollectionController extends Controller
         }
 
         $status = Status::whereScope('public')
+            ->whereProfileId($profileId)
             ->whereIn('type', ['photo', 'photo:album', 'video'])
             ->findOrFail($postId);
 
@@ -277,12 +280,13 @@ class CollectionController extends Controller
 
     public function deleteId(Request $request)
     {
+        abort_if(!$request->user(), 403);
         $this->validate($request, [
             'collection_id' => 'required|int|min:1|exists:collections,id',
-            'post_id'       => 'required|int|min:1|exists:statuses,id'
+            'post_id'       => 'required|int|min:1'
         ]);
         
-        $profileId = Auth::user()->profile_id;
+        $profileId = $request->user()->profile_id;
         $collectionId = $request->input('collection_id');
         $postId = $request->input('post_id');
 

app/Services/CollectionService.php

@@ -121,6 +121,8 @@ class CollectionService
 			'published_at' => $collection->published_at,
 		];
 		Cache::put(self::CACHE_KEY . 'get:' . $id, $res, 86400);
+		$res['avatar'] = $account['avatar'];
+		$res['username'] = $account['username'];
 		$res['post_count'] = self::count($id);
 		return $res;
 	}

routes/api.php

@@ -114,6 +114,10 @@ Route::group(['prefix' => 'api'], function() use($middleware) {
 			Route::get('accounts/{id}', 'CollectionController@getUserCollections')->middleware($middleware);
 			Route::get('items/{id}', 'CollectionController@getItems')->middleware($middleware);
 			Route::get('view/{id}', 'CollectionController@getCollection')->middleware($middleware);
+			Route::post('add', 'CollectionController@storeId')->middleware($middleware);
+			Route::post('update/{id}', 'CollectionController@store')->middleware($middleware);
+			Route::delete('delete/{id}', 'CollectionController@delete')->middleware($middleware);
+			Route::post('remove', 'CollectionController@deleteId')->middleware($middleware);
 		});
 
 		Route::group(['prefix' => 'direct'], function () use($middleware) {