Croco
Filament
Created by Croco on 4/4/2024 in #❓┊help
Model Policy on page not working
Hmm, if I attach it to the button it will secure only that button; what if someone manages to send the delete request to my instance/model?
8 replies
It's supposed to be attached to the model because the $policies array contains models. Should I then set authorization on the page like this?
use App\Filament\Pages\Billing;

// Policy map with the page class added as a key
protected $policies = [
    User::class => UserPolicy::class,
    Order::class => OrderPolicy::class,
    Billing::class => OrderPolicy::class,
];
Because this is not working either. I'm using the Order model inside the Billing page.
8 replies
Hmm, after several tests, this is indeed the case for resources, but not for pages, so policies are still not called. I've tried several combinations:
public function deleteAny(User $user): bool
{
    logger("DEL 1");
    return $user->can('SuperAdmin');
}

public function canDeleteAny(User $user): bool
{
    logger("DEL 2");
    return $user->can('SuperAdmin');
}

public function canDelete(User $user): bool
{
    logger("DEL 3");
    return $user->can('SuperAdmin');
}

public function forceDeleteAny(User $user): bool
{
    logger("DEL 4");
    return $user->can('SuperAdmin');
}

public function canForceDeleteAny(User $user): bool
{
    logger("DEL 5");
    return $user->can('SuperAdmin');
}
😁 I know some do not exist. My page:
class Billing extends Page implements HasForms, HasTable
{
I even tried to add this:
protected static bool $shouldSkipAuthorization = false;
The only thing working is to overwrite the model's delete method:
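// prevent unauthorized delete
public function delete()
{
    // ?-> keeps an unauthenticated request (null user) on the deny path
    if (!auth()->user()?->isSuperAdmin()) {
        return false;
    }

    // pass the parent's result back to the caller
    return parent::delete();
}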
But this is not a policy at all; I would like to make sure the policy works at all times.
8 replies
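One way to have the policy consulted on every delete of a loaded Order, whichever page or button sent the request, shown here as an added example that is not part of the original thread: a `deleting` model event that asks the Gate. It assumes the `Order::class => OrderPolicy::class` mapping from the post, a policy method named `delete`, an `App\Models\User` class, and that console and queue contexts are trusted.

```php
<?php

namespace App\Policies {
    use App\Models\Order;
    use App\Models\User;

    class OrderPolicy
    {
        // Standard Laravel policy signature: acting user plus the record.
        public function delete(User $user, Order $order): bool
        {
            return $user->can('SuperAdmin'); // same check as in the post
        }
    }
}

namespace App\Models {
    use Illuminate\Database\Eloquent\Model;
    use Illuminate\Support\Facades\Gate;

    class Order extends Model
    {
        protected static function booted(): void
        {
            // Fires before any $order->delete(), regardless of the caller.
            static::deleting(function (Order $order): void {
                // Assumption: artisan commands and queue workers are trusted;
                // they have no authenticated user for the Gate to check.
                if (app()->runningInConsole()) {
                    return;
                }

                // Resolves OrderPolicy::delete() through the $policies map.
                // Throws AuthorizationException (HTTP 403) on denial, and a
                // request without a logged-in user is denied as well.
                Gate::authorize('delete', $order);
            });
        }
    }
}
```

Model events fire only when a loaded model instance is deleted; a mass delete issued through the query builder skips them and needs its own `Gate::authorize` call.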