resource authorization simple question
Hey, in my app I have a schools resource. Super admins can make, view, edit and delete any school. Regular admins can create, view, edit and delete only schools that belong to one of their regions.
Initially I was using the following on the schools resource on the regular admin panel:
This worked but I incorrectly assumed that this query change would be applied to every query belonging to that resource, which means that regular admins would not be able to access schools that don't belong to them. I tried to edit the URL to access one of those records assuming it would return a 403 error but it worked. So modifyQueryUsing only affects the list view.
Now I understand that for this type of authorisation work I need to use model policies, but in my case the policy will be practically the same for view, viewAny, update and the rest of the policy methods, so is there a way to define this policy once and for all like I was doing with the modifyQueryUsing? I hope that made sense.
1 Reply
No, you only modified the table query. There is getEloquentQuery() on the resource for that though.
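The override mentioned in the reply, sketched as an added example that is not part of the original thread or of the poster's code. The `School` model, the `User::regions()` relationship and the `region_id` column are assumptions about the app's schema.

```php
<?php

namespace App\Filament\Resources;

use App\Models\School;
use Filament\Resources\Resource;
use Illuminate\Database\Eloquent\Builder;

class SchoolResource extends Resource
{
    protected static ?string $model = School::class;

    // Base query for the whole resource on the regular admin panel.
    // The list table and the record lookup behind the view/edit URLs
    // both start from this query, so a school outside the scope is
    // not found when its URL is requested directly.
    public static function getEloquentQuery(): Builder
    {
        $query = parent::getEloquentQuery();
        $user = auth()->user();

        // Fail closed: with no authenticated user, match no rows.
        if ($user === null) {
            return $query->whereRaw('1 = 0');
        }

        // Assumption: User::regions() is the relationship to the
        // regions this admin manages.
        $regionIds = $user->regions()->pluck('regions.id');

        // Assumption: schools.region_id references regions.id.
        return $query->whereIn('region_id', $regionIds);
    }
}
```

The query scope only limits which existing records can be loaded. The region chosen when a school is created or moved is not constrained by it and still needs its own validation or policy check.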