F
Filament7mo ago
Hass

User being able to see resource in the navigation even without permission

(I'm using bezhansalleh's shield plugin) I'm testing with two users: one (the super_admin one) has every permission, the other just a few of them. The second user does not have the viewAny permission neither the specific permission to see the resource. (If I run Policy->viewAny($second_user) it returns false) Even though the user does not have the permission to see the resource, it shows on the menu. One thing that I noted is that this behavior only happens with resources, individual pages are properly hidden from the user. I tested with two different resources and it happens to both of them. I'm kinda new to filament and laravel in general, so I may be missing something, but I followed the plugin's (shield) instructions and everything else is working fine (afaik) besides this. I'm not sure on what to share to help, but just ask me anything and I'll send asap edit: formating; typo
Solution:
If a model needs authorization its needs a policy.
Jump to solution
9 Replies
Hass
Hass7mo ago
I figured out the problem 😆 tl;dr:
//ExampleResource.php
//...

class ExampleResource extends Resource
{
protected static bool $shouldCheckPolicyExistence = false; // setting this to false solves the problem

//...
}
//ExampleResource.php
//...

class ExampleResource extends Resource
{
protected static bool $shouldCheckPolicyExistence = false; // setting this to false solves the problem

//...
}
awcodes
awcodes7mo ago
You shouldn’t set the policy to false. It sounds like your permissions are off.
Hass
Hass7mo ago
what do you mean by my permissions are off?
awcodes
awcodes7mo ago
A policy will check if the authenticated user can do something on the model level. So an authenticated user has authorization to view any model associated with the resource. It you need to limit the data shown in the table then you also need to apply a scope to the table query.
Hass
Hass7mo ago
I see, it makes sense That's why the policy check for the model of my resource inside the helpers.php was returning null Do I have to generate policies for every resource's model?
awcodes
awcodes7mo ago
Also, understand that roles and permissions are 2 completely separate things. Yes.
Solution
awcodes
awcodes7mo ago
If a model needs authorization its needs a policy.
awcodes
awcodes7mo ago
You can also use gates to bypass policies. Ie a user has a role of super admin.
Hass
Hass7mo ago
Gonna keep that in mind, thank you! Your example of the data shown in the table gave cleared some confusion that I had
Want results from more Discord servers?
Add your server
More Posts