Resource policy issue

According to the docs, the edit route should only check the update() policy method, but I have this odd issue where it checks the viewAny() method instead. What might I be doing wrong? StaffPolicy.php
<?php

namespace App\Policies;

use App\Staff;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

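class StaffPolicy
{
    use HandlesAuthorization;

    /**
     * Gate access to the Staff resource as a whole (the list/index level).
     *
     * Granted only to users holding the 'edit staff permissions' permission.
     * NOTE(review): Filament appears to evaluate this before the per-record
     * update() check when loading a resource page, so a user who owns a Staff
     * record but lacks this permission is still denied the edit page — confirm
     * against the resource's page authorization.
     */
    public function viewAny(User $user): bool
    {
        return $user->can('edit staff permissions');
    }

    /**
     * Creating Staff records is denied for every user.
     */
    public function create(User $user): bool
    {
        return false;
    }

    /**
     * A user may update a Staff record they own, or any Staff record when they
     * hold the 'edit staff permissions' permission.
     *
     * The ownership test uses strict comparison on purpose: a null user_id must
     * never match, and no type juggling should occur between id columns.
     */
    public function update(User $user, Staff $staff): bool
    {
        // The Staff row points back at this user: owner may edit their own record.
        if ($user->id === $staff->user_id) {
            return true;
        }

        return $user->can('edit staff permissions');
    }
}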
<?php

namespace App\Policies;

use App\Staff;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

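class StaffPolicy
{
    use HandlesAuthorization;

    /**
     * Gate access to the Staff resource as a whole (the list/index level).
     *
     * Granted only to users holding the 'edit staff permissions' permission.
     * NOTE(review): Filament appears to evaluate this before the per-record
     * update() check when loading a resource page, so a user who owns a Staff
     * record but lacks this permission is still denied the edit page — confirm
     * against the resource's page authorization.
     */
    public function viewAny(User $user): bool
    {
        return $user->can('edit staff permissions');
    }

    /**
     * Creating Staff records is denied for every user.
     */
    public function create(User $user): bool
    {
        return false;
    }

    /**
     * A user may update a Staff record they own, or any Staff record when they
     * hold the 'edit staff permissions' permission.
     *
     * The ownership test uses strict comparison on purpose: a null user_id must
     * never match, and no type juggling should occur between id columns.
     */
    public function update(User $user, Staff $staff): bool
    {
        // The Staff row points back at this user: owner may edit their own record.
        if ($user->id === $staff->user_id) {
            return true;
        }

        return $user->can('edit staff permissions');
    }
}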
StaffTest.php
<?php

use App\Filament\Resources\StaffResource;
use Symfony\Component\HttpKernel\Exception\HttpException;
use App\Filament\Resources\StaffResource\RelationManagers\UserModelRelationManager;
use Spatie\Permission\Models\Permission;

beforeEach(function () {
    // Seed the permissions that the policy's $user->can() checks rely on.
    Artisan::call('db:seed', ['--class' => 'PermissionSeeder']);

    // addStaff() is a project test helper; presumably it returns the User that
    // owns a Staff record (see $this->user->staffModel below) — confirm.
    $this->user = addStaff();
    $this->actingAs($this->user);
});


it('allows user to view self\'s staff resource', function () {
    // The edit page for the acting user's own Staff record should load.
    // NOTE(review): this request also has to pass the policy's viewAny() gate,
    // so the seeded user must hold 'edit staff permissions' for it to succeed —
    // confirm what addStaff() grants.
    $editUrl = StaffResource::getUrl('edit', [
        'record' => $this->user->staffModel,
    ]);

    $this->get($editUrl)->assertSuccessful();
});
<?php

use App\Filament\Resources\StaffResource;
use Symfony\Component\HttpKernel\Exception\HttpException;
use App\Filament\Resources\StaffResource\RelationManagers\UserModelRelationManager;
use Spatie\Permission\Models\Permission;

beforeEach(function () {
    // Seed the permissions that the policy's $user->can() checks rely on.
    Artisan::call('db:seed', ['--class' => 'PermissionSeeder']);

    // addStaff() is a project test helper; presumably it returns the User that
    // owns a Staff record (see $this->user->staffModel below) — confirm.
    $this->user = addStaff();
    $this->actingAs($this->user);
});


it('allows user to view self\'s staff resource', function () {
    // The edit page for the acting user's own Staff record should load.
    // NOTE(review): this request also has to pass the policy's viewAny() gate,
    // so the seeded user must hold 'edit staff permissions' for it to succeed —
    // confirm what addStaff() grants.
    $editUrl = StaffResource::getUrl('edit', [
        'record' => $this->user->staffModel,
    ]);

    $this->get($editUrl)->assertSuccessful();
});
Console output:
❯ ./vendor/bin/sail pest tests/Feature/RolesAndPermissions/StaffTest.php --filter "allows user to view self's staff resource"
"1" // app/Policies/StaffPolicy.php:21 <- the dd() code
❯ ./vendor/bin/sail pest tests/Feature/RolesAndPermissions/StaffTest.php --filter "allows user to view self's staff resource"
"1" // app/Policies/StaffPolicy.php:21 <- the dd() code
4 Replies
Dan Harrin
Dan Harrin2y ago
viewAny controls access to the whole resource; it is checked first, and only then is update checked.
damms005
damms005OP2y ago
Alrighty. Thanks, Dan. Is there any way I can limit the checks to only the required policy method? I want members of staff to be able to view and edit their own staff resource, but not viewAny (i.e. not view the list of all members of staff).
krekas
krekas2y ago
Adjust the query accordingly, or add a global scope.
damms005
damms005OP2y ago
Thank you Krekas