lukasinko
lukasinko
FFilament
Created by lukasinko on 10/18/2024 in #❓┊help
Global authorization on Laravel model level
I have two Laravel models: Web and WebOffer. For WebOffer i have Filament WebOfferResource. For WebOfferResource, there is great way to using authorization via Policy as described at https://filamentphp.com/docs/3.x/panels/resources/getting-started#authorization and basically i can easily define who can create WebOffer via implementing WebOfferPolicy#create() and that is all (Filament will do the rest). What if i would like to protect creating Web model which doesn't have any Filament Resource counterpart and which is created in WebOfferResource's "create" form ? Would it be good idea to create Laravel model Policy WebPolicy and Laravel's Observer like following:
class WebObserver
{
public function creating(We $web)
{
$user = auth()->user();

if (!$user->can('create', Web::class)) {
abort(403, 'Error');
}
}
}
class WebObserver
{
public function creating(We $web)
{
$user = auth()->user();

if (!$user->can('create', Web::class)) {
abort(403, 'Error');
}
}
}
? I'm somehow missing how to automatically protect Laravel models (which are only connected to Filament Resources, but are not Resources from Filament POV) with permissions on one place (eg. via policy) instead of checking (eg. hiding with ->visible(auth()->user()->can('create_web'))) each invocation in the code which could possibly trigger web creation.
4 replies