Monday 26 November 2018

How do I prevent other users from hijacking the HTTP request payload as other users?

I have

a laravel app with the route

Route::put('/api/{deviceMac}/access/update','DeviceController@update');

rule

If user A has deviceMac 000000000000, they should only be making a PUT to

http://www.app.com/api/000000000000/access/update
{deviceMac:000000000000, access: true}

If user B has deviceMac 111111111111, they should only be making a PUT to

http://www.app.com/api/111111111111/access/update
{deviceMac:111111111111, access: true}

User A should not be able to hijack the update route of other users.

hijacking

User A should have access to 000000000000 only.

Right now, User A can tweak the HTTP request and make a PUT as User B:

http://www.app.com/api/111111111111/access/update
{deviceMac:111111111111, access: false}


Questions

How do I prevent other users from hijacking the request payload as other users?

Should I adjust my middleware to take care of this issue?


I'm open to any suggestions at this moment.

Any hints/suggestions/help on this will be much appreciated!



via Chebli Mohamed
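One way to close this hole in Laravel, as an added example that is not code from the post: authorize against the authenticated user and the route parameter, and never trust the deviceMac carried in the body. It assumes a `devices` table with `user_id` and `mac` columns, a `Device` model and a `User::devices()` hasMany relationship; none of these names come from the original question.

```php
<?php
// Added example (not from the original post). Assumes a `devices` table with
// `user_id` and `mac` columns, a Device model and a hasMany User::devices()
// relationship; all of these names are hypothetical.

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Route;

// app/Http/Requests/UpdateDeviceAccessRequest.php
class UpdateDeviceAccessRequest extends FormRequest
{
    // Authorization: the device named in the URL must belong to the caller.
    // Runs before the controller; Laravel answers 403 when this returns false.
    public function authorize(): bool
    {
        return $this->user()
            ->devices()
            ->where('mac', $this->route('deviceMac'))
            ->exists();
    }

    // Validate only the fields the client is allowed to supply. deviceMac is
    // deliberately absent: the URL, not the body, identifies the device.
    public function rules(): array
    {
        return ['access' => ['required', 'boolean']];
    }
}

// app/Http/Controllers/DeviceController.php
class DeviceController extends Controller
{
    public function update(UpdateDeviceAccessRequest $request, string $deviceMac)
    {
        // Scope the write to the caller's own devices, keyed by the route
        // parameter. A tampered body deviceMac has no effect, and a foreign
        // MAC in the URL yields 403 (authorize) or 404 (firstOrFail).
        $device = $request->user()->devices()->where('mac', $deviceMac)->firstOrFail();
        $device->update(['access' => $request->validated()['access']]);

        return response()->json($device);
    }
}

// routes/api.php: the auth middleware guarantees $request->user() is set.
Route::middleware('auth:api')
    ->put('/api/{deviceMac}/access/update', 'DeviceController@update');
```

The same ownership check belongs on every route that takes a `{deviceMac}` parameter, since the pattern in the question (a user-controlled identifier with no ownership check) is the classic insecure direct object reference.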
