Relationship model policies and authorisation on Select Form fields
Hello! I'm relatively new to Filament and Livewire in general. I'm trying to set up a secure way to limit the usage of select form fields when the user does not have permissions to access certain actions on the related model. These are controlled by Laravel Policies. I'm wondering about a few things:
- Is the ->hidden() method on form fields just visual, or does it prevent sending the whole field to the front end? Is it a secure way to prevent access to a certain resource on the form?
- If I decide to use ->disabled() on the select, same question as the above. Is it a secure way to prevent querying the related data, or can the user re-enable the field and its functionality with some devtools magic?
- Is there a better way to achieve related model authorisation on select fields?
Solution
Thank you both for the suggestions!
I'm not trying to filter data depending on roles, the user either has access to it, or doesn't have access to it, so I don't have to worry about that.
I took some time and read through the docs more thoroughly and it seems even there the ->hidden() and ->disabled() options are used for access control in an example. So I will assume that if the policies are set up correctly it will block the user from saving or getting hidden/disabled fields.
If anyone has these questions, there is more information here:
https://filamentphp.com/docs/3.x/forms/fields/getting-started#disabling-a-field
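An added example (not code from the thread or from the Filament docs) of what "policies set up correctly" can look like in practice: the closure forms of ->hidden(), ->disabled() and ->dehydrated() all delegate to one policy check that is evaluated on the server, and the resource page re-runs that same check before saving, so the UI state is never the only gate. It assumes Filament v3, a PostResource whose Post model has a BelongsTo `author` relationship, and an AuthorPolicy registered for App\Models\Author; those names are placeholders.

```php
<?php
// Added example (not the thread's or Filament's code). Assumes Filament v3, a Post
// model with a BelongsTo `author`, and an AuthorPolicy for App\Models\Author.
namespace App\Filament\Resources;

use App\Models\Author;
use Filament\Forms\Components\Select;
use Filament\Forms\Form;
use Filament\Resources\Pages\EditRecord;
use Filament\Resources\Resource;
use Illuminate\Support\Facades\Gate;

class PostResource extends Resource
{
    // Single source of truth for "may this user pick an author?", so the UI
    // state and the save-time check cannot drift apart.
    public static function canChooseAuthor(): bool
    {
        return Gate::allows('viewAny', Author::class);
    }

    public static function form(Form $form): Form
    {
        return $form->schema([
            Select::make('author_id')
                ->relationship('author', 'name')
                // Closures run on the server when the form is built, so the
                // related options are never rendered for a user the policy rejects.
                ->hidden(fn (): bool => ! static::canChooseAuthor())
                ->disabled(fn (): bool => ! static::canChooseAuthor())
                // Filament v3 does not dehydrate disabled fields by default;
                // tying dehydrated() to the same check keeps that explicit.
                ->dehydrated(fn (): bool => static::canChooseAuthor()),
        ]);
    }
}

class EditPost extends EditRecord
{
    protected static string $resource = PostResource::class;

    // Last line of defence: whatever state the client submits, the policy
    // decides on the server whether author_id may be written at all.
    protected function mutateFormDataBeforeSave(array $data): array
    {
        if (! PostResource::canChooseAuthor()) {
            unset($data['author_id']);
        }
        return $data;
    }
}
```

The same `mutateFormDataBeforeCreate()` hook exists on the CreateRecord page and should carry the identical check.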