Panel Authorization
Hi! I have an "Orders" resource and a "My Orders" resource.
How should I define policies, since a user should always be able to viewAny order when entering MyordersResource... and not have access to viewAny() when entering "Orders"? Only admins can see all Orders.
Both resources use the same model.
Thanks!
6 Replies
What is the difference between the resources? I would think it would be one resource with query scopes and policies based on the user's roles or permissions.
OrderResource shows all records.
MyorderResource shows only mine.
Both resources use the Order model.
class OrderPolicy {
    // Grants the list view to anyone holding the 'Order-view' permission
    public function viewAny(User $user) {
        return $user->hasPermissionTo('Order-view');
    }
}
This allows the user to enter both OrderResource and MyorderResource.
I want to let them enter MyOrders if it's their order... and enter Orders if they are an admin.
The resource navigation is shown if the user can access the model... so, how do I define the policy?
You have 2 different roles. With different sets of permissions for the same resource.
So, both roles can viewAny, allowing the navigation to show or not, but on the ListRecords page you have a check to either scope the query or not.
It just sounds like, at least to me, and I could be wrong, that you are trying to do too much in one place when it needs to be multiple auth checks.
I found shouldSkipAuthorization. Maybe I should use this and take the logic outside the policy...
I think the policy is still valid though. You just need to modify the query based on the authorization.
If the roles 'admin' and 'editor' can both view all, that's fine, but if the role 'editor' can only view records created by them, then you need to modify the query with a scope, not a policy.
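The split the reply above describes, as an added example that is not code from anyone in this thread: the policy decides whether the resource may be entered at all and whether one specific record may be opened, while the resource's `getEloquentQuery()` decides which rows the list shows. It assumes Laravel with Filament (v3) and spatie/laravel-permission for `hasRole()` / `hasPermissionTo()`, an `orders` table with a `user_id` column, and hypothetical class names; the two classes would normally live in separate files.

```php
<?php
// Added example, not from the original thread. Assumes Filament v3,
// spatie/laravel-permission, and an `orders.user_id` column (all assumptions).

namespace App\Policies;

use App\Models\Order;
use App\Models\User;

class OrderPolicy
{
    // Both roles may enter the resource, so its navigation item is shown to both.
    public function viewAny(User $user): bool
    {
        return $user->hasPermissionTo('Order-view');
    }

    // One specific record: admins may open any order, everyone else only their own.
    // This is the check that matters when someone types /admin/orders/{id} for an
    // order that is not theirs; it does not depend on how the list is scoped.
    public function view(User $user, Order $order): bool
    {
        return $user->hasRole('admin') || $order->user_id === $user->id;
    }

    public function update(User $user, Order $order): bool
    {
        return $this->view($user, $order);
    }
}

namespace App\Filament\Resources;

use App\Models\Order;
use Filament\Resources\Resource;
use Illuminate\Database\Eloquent\Builder;

class OrderResource extends Resource
{
    protected static ?string $model = Order::class;

    // Scope the query, not the policy: admins get every row, everyone else
    // only rows they own. Filament uses this query both for the list table
    // and when resolving the record for the view/edit pages, so a foreign id
    // becomes a 404 instead of a leaked record.
    public static function getEloquentQuery(): Builder
    {
        $query = parent::getEloquentQuery();
        $user = auth()->user();

        if ($user !== null && $user->hasRole('admin')) {
            return $query;
        }

        // Fail closed: an unauthenticated request matches no rows.
        return $query->where('user_id', $user?->id ?? 0);
    }
}
```

With this, a single OrderResource replaces the two resources from the question: the navigation entry appears for anyone who passes `viewAny`, the list is filtered per role by the query scope, and the per-record `view` / `update` policy methods keep direct links to someone else's order from working even if the scope is ever bypassed.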
Nice try. I was thinking of building 2 resources... one filtered and the other not...
I'll try one resource, and filter it or not on user role (Y) Thanks!