Filament, 15mo ago
Crater

Deny access to registry queries if it is not in your registry

If I only have access to Store 1 in the listing with getTableQuery, which will be app/store/1 when viewing or editing. If I manually put app/store/2 in the path I still have access. How can I deny access to anything other than 1, or the one I have registered as a user?
3 Replies
awcodes, 15mo ago
The viewAny method on a policy will help you here.
Crater (OP), 15mo ago
hi @awcodes, currently it is like this, and I use it to shield roles and permissions. What should I change?
```php
public function viewAny(User $user)
{
    return $user->can('view_any_store::stores');
}
```
awcodes, 15mo ago
Sounds like you have a hole in your auth. If you can't scope the query to the user, then you need more authorization guards on your user. Seems like there's nothing in place to scope the user to store 1 or store 2. So, right now you are saying that any user can view any store, but you're not saying which stores they can view. Which would typically be handled as you tried in the eloquent query, but seems like there's nothing on the user to indicate if they have permission for that specific store. So, somewhere you need a relationship between users and stores.
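One way to put the user-to-store relationship and the per-record guards in place, as an added example that is not code from this thread or from Filament itself. It assumes a `Store` model with an inverse `users()` relationship, a `store_user` pivot table, and a `view_store::stores` permission named in the same style as the thread's `view_any_store::stores`.

```php
<?php
// Added example, not code from the thread or from Filament. Assumes a
// many-to-many User<->Store relationship (pivot table `store_user`, with
// Store::users() as the inverse) and a `view_store::stores` permission.

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Filament\Resources\Resource;

class User extends Authenticatable
{
    // The missing piece from the answer: which stores this user is attached to.
    public function stores(): BelongsToMany
    {
        return $this->belongsToMany(Store::class);
    }
}

class StorePolicy
{
    public function viewAny(User $user): bool
    {
        return $user->can('view_any_store::stores'); // listing gate, as in the thread
    }

    // Per-record gate: a hand-typed /app/store/2 is denied unless the user is
    // attached to store 2. update()/delete() follow the same pattern.
    public function view(User $user, Store $store): bool
    {
        return $user->can('view_store::stores')
            && $user->stores()->whereKey($store->getKey())->exists();
    }
}

class StoreResource extends Resource
{
    protected static ?string $model = Store::class;

    // Scope every query the resource runs (table, view, edit) to the user's
    // own stores, so an id outside that set resolves to a 404, not a record.
    public static function getEloquentQuery(): Builder
    {
        return parent::getEloquentQuery()
            ->whereHas('users', fn (Builder $q) => $q->whereKey(auth()->id()));
    }
}
```

The query scope and the policy are complementary: the scope keeps foreign ids out of every page the resource renders, while the policy still denies the record if some other code path loads it.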