Global authorization on Laravel model level

I have two Laravel models: Web and WebOffer. For WebOffer I have a Filament WebOfferResource. For WebOfferResource there is a great way to use authorization via a Policy, as described at https://filamentphp.com/docs/3.x/panels/resources/getting-started#authorization, and basically I can easily define who can create a WebOffer by implementing WebOfferPolicy#create() and that is all (Filament will do the rest). What if I would like to protect creating the Web model, which doesn't have any Filament Resource counterpart and which is created in WebOfferResource's "create" form? Would it be a good idea to create a Laravel model Policy WebPolicy and a Laravel Observer like the following:
use App\Models\Web; // assumed model namespace

class WebObserver
{
    public function creating(Web $web)
    {
        $user = auth()->user();

        // Reject the save unless WebPolicy::create() allows it for this user.
        if (!$user->can('create', Web::class)) {
            abort(403, 'Error');
        }
    }
}
? I'm somehow missing how to automatically protect Laravel models (which are only connected to Filament Resources but are not Resources from Filament's POV) with permissions in one place (e.g. via a policy), instead of checking (e.g. hiding with ->visible(auth()->user()->can('create_web'))) every invocation in the code that could possibly trigger web creation.
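As an added example (not code from the original post or from Filament), here is the shape of the model-level guard the question describes, with the policy as the single source of truth and the observer enforcing it on every Eloquent save. The namespaces App\Models\Web, App\Models\User, the 'create_web' permission check inside the policy, and the service-provider registration are assumptions; three files are shown in one block.

```php
<?php
// --- app/Policies/WebPolicy.php (assumed path) ---
namespace App\Policies;

use App\Models\User;

class WebPolicy
{
    // The one place the rule lives. `can('create_web')` assumes a
    // permission-backed User model; swap in the project's real rule.
    public function create(User $user): bool
    {
        return $user->can('create_web');
    }
}

// --- app/Observers/WebObserver.php (assumed path) ---
namespace App\Observers;

use App\Models\Web;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\Facades\Gate;

class WebObserver
{
    // Fires before the INSERT for Web::create() and $web->save() on a new
    // model, including the save issued from the WebOfferResource create form.
    public function creating(Web $web): void
    {
        // No authenticated user (artisan, seeders, queued jobs): deny rather
        // than silently allow; relax deliberately if background creation is legitimate.
        if (auth()->guest()) {
            throw new AuthorizationException('Web creation requires an authenticated user.');
        }

        // Throw instead of `return false`: returning false from `creating`
        // only cancels the save and makes save() return false, which a form may
        // ignore. AuthorizationException is rendered as a 403 by Laravel's
        // exception handler, so the caller gets a visible denial.
        Gate::authorize('create', Web::class);
    }
}

// --- app/Providers/AppServiceProvider.php (assumed path) ---
namespace App\Providers;

use App\Models\Web;
use App\Observers\WebObserver;
use App\Policies\WebPolicy;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Register the policy explicitly (no reliance on name-based discovery)
        // and attach the observer once for the whole application.
        Gate::policy(Web::class, WebPolicy::class);
        Web::observe(WebObserver::class);
    }
}
```

The observer only covers Eloquent model events: Web::insert(), DB::table(...)->insert(), and Model::withoutEvents() bypass it, so those code paths need their own policy check. Keeping the ->visible() / ->hidden() calls on Filament actions is still worthwhile for the UI, but the observer is what actually stops an unauthorized save.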
3 Replies
lukasinko (4d ago)
What motivated me to this question is a related issue: https://github.com/filamentphp/filament/discussions/13845. Thanks for any input on this topic.
lukasinko (4d ago)
Based on https://laraveldaily.com/post/filament-show-hide-visible-fields-roles-permissions, I've noticed that this documentation, https://filamentphp.com/docs/3.x/actions/trigger-button#authorization, should probably be rewritten to somehow show that this is a potential security risk. That hiding isn't a secure way. That it needs some complementary auth check.
lukasinko (4d ago)
I was probably wrong about this one. The posts are Filament Resources, so the posts.edit Livewire component is secured via the Filament policy by default. So it was more about hiding the button, which would lead to a 403 anyway.