User being able to see resource in the navigation even without permission
(I'm using bezhansalleh's shield plugin)
I'm testing with two users: one (the super_admin one) has every permission, the other just a few of them. The second user does not have the viewAny permission, nor the specific permission to see the resource. (If I run Policy->viewAny($second_user) it returns false)
Even though the user does not have the permission to see the resource, it shows on the menu. One thing that I noted is that this behavior only happens with resources, individual pages are properly hidden from the user. I tested with two different resources and it happens to both of them.
I'm kinda new to filament and laravel in general, so I may be missing something, but I followed the plugin's (shield) instructions and everything else is working fine (afaik) besides this. I'm not sure on what to share to help, but just ask me anything and I'll send asap
edit: formatting; typo
9 Replies
I figured out the problem 😆
tl;dr:
You shouldn’t set the policy to false.
It sounds like your permissions are off.
what do you mean by my permissions are off?
A policy will check if the authenticated user can do something on the model level. So an authenticated user has authorization to view any model associated with the resource.
If you need to limit the data shown in the table then you also need to apply a scope to the table query.
I see, it makes sense
That's why the policy check for the model of my resource inside the helpers.php was returning null
Do I have to generate policies for every resource's model?
Also, understand that roles and permissions are 2 completely separate things.
Yes.
Solution
If a model needs authorization it needs a policy.
You can also use gates to bypass policies, i.e. a user has a role of super admin.
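The three pieces described in the replies above (a per-model policy that Filament consults for the navigation entry, a `Gate::before` hook that lets a super admin role bypass every policy, and a table query scope that limits which rows a user sees) fit together as in the following added example. It is not code from the thread, from Filament or from the Shield plugin: it assumes a `Post` model with a `user_id` column, a `PostResource`, Spatie roles via `hasRole()`, and permission names following the `view_any_post` / `view_post` convention that Shield generates (an assumption; check the names Shield produced in your own database).

```php
<?php

// app/Policies/PostPolicy.php (hypothetical model; not the thread's code)
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Filament calls viewAny() to decide whether the resource appears in the
    // navigation. Returning false here hides the menu entry for that user.
    public function viewAny(User $user): bool
    {
        // Permission name assumed to follow Shield's view_any_<model> convention.
        return $user->can('view_any_post');
    }

    // Row-level check used by the view page and table actions.
    public function view(User $user, Post $post): bool
    {
        return $user->can('view_post');
    }
}

// app/Providers/AuthServiceProvider.php (boot method excerpt)
namespace App\Providers;

use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Gate::before runs ahead of every policy method. Returning true grants
        // the ability outright; returning null falls through to the policy.
        // Only a role named super_admin bypasses policies here (assumed name).
        Gate::before(function (User $user, string $ability) {
            return $user->hasRole('super_admin') ? true : null;
        });
    }
}

// app/Filament/Resources/PostResource.php (excerpt)
namespace App\Filament\Resources;

use App\Models\Post;
use Filament\Resources\Resource;
use Illuminate\Database\Eloquent\Builder;

class PostResource extends Resource
{
    protected static ?string $model = Post::class;

    // The policy decides whether a user may see the resource at all; it does
    // not filter rows. Scope the table query so a non-admin only sees their
    // own posts, while super_admin keeps the unrestricted query.
    public static function getEloquentQuery(): Builder
    {
        $user = auth()->user();

        return parent::getEloquentQuery()
            ->when(
                ! $user->hasRole('super_admin'),
                fn (Builder $query) => $query->where('user_id', $user->id)
            );
    }
}
```

Register `PostPolicy` for `Post` (Laravel auto-discovers `App\Policies\PostPolicy` for `App\Models\Post`, or add it to the `$policies` array) and then `viewAny()` returning false for the second user removes the resource from the menu; the `Gate::before` hook is why the super_admin user never needs the individual permissions.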
Gonna keep that in mind, thank you! Your example of the data shown in the table cleared up some confusion that I had