Panel Authorization

Hi! I have an "Orders" resource, and a "My Orders" resource. How should I define policies? Since a user should always viewAny order when entering MyordersResource... and not have access to viewAny() when entering "Orders"? Only admins can see all Orders. Both resources use the same model. Thanks!
6 Replies
awcodes 3mo ago
What is different between the resources? I would think it would be one resource with query scopes and policies based on the user’s roles or permissions.
PabloZagni 3mo ago
OrderResource shows all records
MyorderResource only mine
Both resources use the Order model

class OrderPolicy
{
    // Gate for the whole resource: navigation item and list page
    public function viewAny(User $user)
    {
        return $user->hasPermissionTo('Order-view');
    }
}

This allows the user to enter both OrderResource and MyorderResource. I want to let her enter myorders if it's his order... and enter Orders if he is admin. The resource navigation is shown if the user can access the model,... so.. how do I define the policy?
awcodes 3mo ago
You have 2 different roles. With different sets of permissions for the same resource. So, both roles can view any, allowing the navigation to show or not, but on the ListRecord you have a check to either scope the query or not. Just sounds like, at least to me, and I could be wrong, that you are trying to do too much in one place when it needs to be multiple auth checks.
PabloZagni 3mo ago
I found shouldSkipAuthorization. Maybe I should use this and take the logic outside the policy....
awcodes 3mo ago
I think the policy is still valid though. You just need to modify the query based on the authorization. If the role ‘admin’ and ‘editor’ can both view all that’s fine, but if the role of ‘editor’ can only view records created by them then you need to modify the query with a scope, not a policy.
PabloZagni 3mo ago
Nice try. I was thinking of building 2 resources... one filtered and the other not... I'll try one resource, and filter it or not on user role (Y) Thanks!
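
The single-resource approach the thread settles on, as an added example that is not code from any participant: the policy decides who may open the resource, and the resource query decides which rows they get. The `admin` role name, the `orders.user_id` column, and the use of `hasRole()` from the same permission package as `hasPermissionTo()` are assumptions.

```php
<?php
// app/Policies/OrderPolicy.php
namespace App\Policies;

use App\Models\Order;
use App\Models\User;

class OrderPolicy
{
    // Resource-level gate: controls the navigation item and the list page.
    public function viewAny(User $user): bool
    {
        return $user->hasPermissionTo('Order-view');
    }

    // Record-level gate: admins may open any order, others only their own.
    // 'admin' and user_id are assumed names, not taken from the thread.
    public function view(User $user, Order $order): bool
    {
        return $user->hasRole('admin')
            || (int) $order->user_id === (int) $user->getKey();
    }
}

// app/Filament/Resources/OrderResource.php
namespace App\Filament\Resources;

use App\Models\Order;
use Filament\Resources\Resource;
use Illuminate\Database\Eloquent\Builder;

class OrderResource extends Resource
{
    protected static ?string $model = Order::class;

    // form(), table() and getPages() stay as generated for the resource.
    public static function getEloquentQuery(): Builder
    {
        $query = parent::getEloquentQuery();
        $user = auth()->user();

        if ($user === null) {
            return $query->whereRaw('1 = 0'); // fail closed: no user, no rows
        }
        if ($user->hasRole('admin')) {
            return $query; // admins see every order
        }
        return $query->where('user_id', $user->getKey()); // own orders only
    }
}
```

Keeping the ownership check in both `view()` and the query means a non-admin who guesses another order's URL is refused by the policy even if a later change loosens the query scope.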