Leveraging Laravel Scoped Resource Routes for Secure Nested Model Binding

When using nested resources in Laravel, ensuring that child resources remain bound to their parent is crucial for data integrity and security; Laravel’s scoped implicit model binding offers an elegant solution.

Scoped resource routes automatically limit the scope of nested model bindings to their parent, resulting in more secure applications and SEO‑friendly URLs.

To enable scoped routes, use the scoped method when defining a nested resource, for example:

use App\Http\Controllers\PhotoCommentController;

Route::resource('photos.comments', PhotoCommentController::class)->scoped([
    'comment' => 'slug',
]);

This definition creates a scoped nested resource accessible via URLs such as /photos/{photo}/comments/{comment:slug}.

Laravel infers the relationship name from the parent model (e.g., a Photo model has a comments relationship) and automatically scopes queries so that only comments belonging to the specified photo are retrieved.

In the controller, the method reflects this binding:

class PhotoCommentController extends Controller
{
    public function show(Photo $photo, Comment $comment)
    {
        // $comment is already scoped to $photo
        return view('comments.show', compact('photo', 'comment'));
    }
}

You can also customize the key used for retrieval, such as binding a Post model by its slug:

Route::resource('users.posts', PostController::class)->scoped([
    'post' => 'slug',
]);

A practical example is a blog where posts belong to categories. The routes, models, and controller are set up as follows:

// routes/web.php
Route::resource('categories.posts', CategoryPostController::class)->scoped([
    'post' => 'slug',
]);

// app/Models/Category.php
class Category extends Model
{
    public function posts()
    {
        return $this->hasMany(Post::class);
    }
}

// app/Models/Post.php
class Post extends Model
{
    public function category()
    {
        return $this->belongsTo(Category::class);
    }
}

// app/Http/Controllers/CategoryPostController.php
class CategoryPostController extends Controller
{
    public function show(Category $category, Post $post)
    {
        // $post is automatically scoped to $category
        return view('posts.show', compact('category', 'post'));
    }
}

With this configuration, a URL like /categories/tech/posts/laravel-scoped-routes automatically ensures that the "laravel-scoped-routes" post belongs to the "tech" category.

If a child resource does not belong to the expected parent, Laravel automatically returns a 404 response, eliminating the need for manual relationship checks in controller code.