MessagesController and routes: can you help fix what my Breeze users see ?

[StAwN74]

Hi,
After checking Laravel Messenger examples here, I checked my routes and noticed an issue.
It works like this: I use Breeze, and my Dashboard header (aka my resources\views\layouts\navigation.blade.php) includes a 'Messages' link towards Messages index (see Routes below).

Issue: After log in, a user can display any thread it's NOT participating in, by typing myLaravelProject/messages/5 for example, even if it is not a 'Participant' of the thread having id = 5.

Note: I installed Breeze using Laravel docs (https://laravel.com/docs/9.x/starter-kits#laravel-breeze) and Laravel Messenger using ReadMe (https://github.com/cmgmyr/laravel-messenger#installation-laravel-5x).
Laravel version: 8.83.4

I must say it doesn't help that the default install gives us demo files which are different than the examples here.
#feelsbadman

Thanks
Stawn

Routes:
Route::group(['middleware' => 'auth', 'prefix' => 'messages', 'as' => 'messages'], function () { Route::get('/', [MessagesController::class, 'index']); Route::get('create', [MessagesController::class, 'create'])->name('.create'); Route::post('/', [MessagesController::class, 'store'])->name('.store'); Route::get('{thread}', [MessagesController::class, 'show'])->name('.show'); Route::put('{thread}', [MessagesController::class, 'update'])->name('.update'); Route::delete('{thread}', [MessagesController::class, 'destroy'])->name('.destroy'); });

MessagesController looks like:

namespace App\Http\Controllers;

use Carbon\Carbon;
use App\Models\User;
use Illuminate\Http\Request;
use Cmgmyr\Messenger\Models\Thread;
use Cmgmyr\Messenger\Models\Message;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Session;
use Cmgmyr\Messenger\Models\Participant;
use Illuminate\Database\Eloquent\ModelNotFoundException;

class MessagesController extends Controller
{
    /**
     * Show all of the message threads to the user.
     *
     * @return mixed
     */
    public function index()
    {
        $threads = Thread::forUser(Auth::id())
            ->withCount('messages')
            ->latest()
            ->get()
            ->reject(function ($value) {
                return $value->messages_count == 1 && $value->creator() == Auth::user();
            });

        return view('messenger.index', compact('threads'));
    }

    /**
     * Shows a message thread.
     *
     * @param $id
     * @return mixed
     */
    public function show(Thread $thread)
    {
        $thread->markAsRead(Auth::id());

        return view('messenger.show', compact('thread'));
    } (...)
}```

[StAwN74]

Ok, fixed, I decided to add rules in my MessagesController at show() function. I must say this is kinda ugly that by default, anyone can type messages/{id} to read messages not meant to him/her...
Here's the fix:

    /**
     * Shows a message thread.
     *
     * @param $id
     * @return mixed
     */
	public function show(Thread $thread)
    {
        //$thread->markAsRead(Auth::id());
		$breezeUserId_ex = (int)auth()->user()->id;
		$threadsRestrict = \Cmgmyr\Messenger\Models\Participant::where('user_id', '=', $breezeUserId_ex)->orderBy('id', 'DESC')->get();
		$judge = 0;
        foreach ($threadsRestrict as $idNew)
		{
			if ($idNew->thread_id == $thread->id)
			{
				$judge = 1;
				break;
			}
		}
        
        if($judge == 1) {
			$thread->markAsRead(Auth::id());
            return view('messenger.show', compact('thread'));
        }
        else
            return redirect()->route('messages')->with('success', 'You cannot read those.');
    }