F
Filament7mo ago
egmose5492dk

Only access to certain resulsts in resource - How do i limit that?

Hi, I´m working on a project, and really cant get my head around this issue. In my model, i have made a check, to see which entries the user can edit - That works like a charm, and the user is only able to see ones they can edit in the list. ´´´->query(static::getAuthorizedModelQuery())´´´´ But in the edit view, the user can basicly just change the ID in the URL and chenge everything. I have mad a policy, and thought i should look in the update function - But that removes the edit availablity completely. How do i achieve so the user only can edit the ones they have access to? 
    public function update(User $user, Marina $marina): bool
    {
        // Check if the user has the 'admin' role
        if ($user->hasRole('admin')) {
            return true; // Admin can update any marina
        }
        
        // Check if the user has the 'marina_manager' role and if they can manage this specific marina
        if ($user->hasRole('marina_manager') && $user->canManageMarinas->contains('marina_id', $marina->id)) {
            return true; // Marina manager can update this marina
        }
        
        return false; // User does not have permission to update this marina
    }
    public function update(User $user, Marina $marina): bool
    {
        // Check if the user has the 'admin' role
        if ($user->hasRole('admin')) {
            return true; // Admin can update any marina
        }
        
        // Check if the user has the 'marina_manager' role and if they can manage this specific marina
        if ($user->hasRole('marina_manager') && $user->canManageMarinas->contains('marina_id', $marina->id)) {
            return true; // Marina manager can update this marina
        }
        
        return false; // User does not have permission to update this marina
    }
No description
2 Replies
John
John7mo ago
->contains('marina_id', $marina->id) looks suspicious
egmose5492dk
egmose5492dkOP7mo ago
@John Your´e absolutely right. Right after i made this post, i rewrote it a bit, to get the marinas accesible from the model, and now it seems to be working as expected. 
    public function update(User $user, Marina $marina): bool
    {
        // Check if the user has the 'admin' role
        if ($user->hasRole('admin')) {
            return true; // Admin can update any marina
        }
        
        // Use the same logic as the 'editable' scope in the Marina model
       ** if ($user->hasRole('marina_master')) {
            return $marina->canManageMarinas()->where('user_id', $user->id)->exists();
        }**
        
        return false; // User does not have permission to update this marina
    }
    
    public function update(User $user, Marina $marina): bool
    {
        // Check if the user has the 'admin' role
        if ($user->hasRole('admin')) {
            return true; // Admin can update any marina
        }
        
        // Use the same logic as the 'editable' scope in the Marina model
       ** if ($user->hasRole('marina_master')) {
            return $marina->canManageMarinas()->where('user_id', $user->id)->exists();
        }**
        
        return false; // User does not have permission to update this marina
    }
Thanks 🙂
Want results from more Discord servers?
Add your server