Only access to certain results in resource - How do I limit that?

Hi, I'm working on a project, and really can't get my head around this issue. In my model, I have made a check to see which entries the user can edit - that works like a charm, and the user is only able to see the ones they can edit in the list: `->query(static::getAuthorizedModelQuery())`. But in the edit view, the user can basically just change the ID in the URL and change everything. I have made a policy, and thought I should look in the update function - but that removes the edit availability completely. How do I achieve that the user can only edit the ones they have access to?
```php
public function update(User $user, Marina $marina): bool
{
    // Check if the user has the 'admin' role
    if ($user->hasRole('admin')) {
        return true; // Admin can update any marina
    }

    // Check if the user has the 'marina_manager' role and if they can manage this specific marina
    if ($user->hasRole('marina_manager') && $user->canManageMarinas->contains('marina_id', $marina->id)) {
        return true; // Marina manager can update this marina
    }

    return false; // User does not have permission to update this marina
}
```
2 Replies
John (10mo ago)
`->contains('marina_id', $marina->id)` looks suspicious
egmose5492dk (OP, 10mo ago)
@John You're absolutely right. Right after I made this post, I rewrote it a bit to get the marinas accessible from the model, and now it seems to be working as expected.
```php
public function update(User $user, Marina $marina): bool
{
    // Check if the user has the 'admin' role
    if ($user->hasRole('admin')) {
        return true; // Admin can update any marina
    }

    // Use the same logic as the 'editable' scope in the Marina model
    if ($user->hasRole('marina_master')) {
        return $marina->canManageMarinas()->where('user_id', $user->id)->exists();
    }

    return false; // User does not have permission to update this marina
}
```

Thanks 🙂
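The underlying problem in the question is that filtering the list query only hides records; it does not stop a user from requesting `/marinas/{id}/edit` for an id they were never shown. The authorization decision has to be made again for the single record named in the URL, and the safest way to keep both checks in agreement is to derive them from one rule. The following is an added example (not the poster's code and not Laravel's or Filament's own code) showing that pattern in plain Laravel: a `Marina::managers()` pivot relation, a `scopeEditableBy()` scope used for the list, a policy whose `update()` method evaluates the same scope against the one record, and a controller action that enforces the policy. The relation, pivot table name, scope, class names and the role names are assumptions; `hasRole()` is taken from the original post.

```php
<?php
// Added example, not the poster's code. Assumed: pivot table marina_user(marina_id, user_id),
// a User::hasRole() method as in the original post, role names 'admin' and 'marina_manager'.

// --- app/Models/Marina.php ---
namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;

class Marina extends Model
{
    // Users allowed to manage this marina (assumed pivot table marina_user).
    public function managers(): BelongsToMany
    {
        return $this->belongsToMany(User::class, 'marina_user');
    }

    // Single source of truth for "which marinas may $user edit".
    // List usage: Marina::editableBy($user)->get()
    public function scopeEditableBy(Builder $query, User $user): Builder
    {
        if ($user->hasRole('admin')) {
            return $query; // admins may edit every marina
        }

        if ($user->hasRole('marina_manager')) {
            // Only marinas where this user appears in the managers pivot.
            return $query->whereHas('managers', fn (Builder $q) => $q->whereKey($user->getKey()));
        }

        return $query->whereRaw('1 = 0'); // every other role: empty result set
    }
}

// --- app/Policies/MarinaPolicy.php ---
namespace App\Policies;

use App\Models\Marina;
use App\Models\User;

class MarinaPolicy
{
    // Called for the record named in the URL, so changing the id does not help:
    // the record is authorized only if the list scope would have returned it.
    public function update(User $user, Marina $marina): bool
    {
        return Marina::query()
            ->whereKey($marina->getKey())
            ->editableBy($user)
            ->exists();
    }
}

// --- app/Http/Controllers/MarinaController.php ---
namespace App\Http\Controllers;

use App\Models\Marina;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class MarinaController extends Controller
{
    // Route-model binding resolves {marina}; Gate::authorize throws a 403
    // AuthorizationException when MarinaPolicy::update returns false.
    public function edit(Request $request, Marina $marina)
    {
        Gate::authorize('update', $marina);

        return view('marinas.edit', ['marina' => $marina]);
    }

    public function update(Request $request, Marina $marina)
    {
        Gate::authorize('update', $marina); // enforce on the write path too, not only on the form

        $marina->fill($request->validate(['name' => ['required', 'string', 'max:255']]))->save();

        return redirect()->route('marinas.edit', $marina);
    }
}
```

Laravel auto-discovers `App\Policies\MarinaPolicy` for `App\Models\Marina`, so no manual registration is needed. In a Filament resource the same two pieces map onto `getEloquentQuery()` (the list filter) and the policy's `update()` method, which Filament consults through `canEdit()` before rendering the edit page, so the policy covers the id-in-URL case there as well. Authorize on both the `edit` and `update` actions: a check that only guards the form still leaves the PUT/PATCH request unprotected.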
