Do I have to authorize manually in the `->action()` method as well?

I have the following code to change the status on a record:
use Filament\Forms;
use Filament\Notifications\Notification;
use Filament\Tables;

Tables\Actions\Action::make('changeStatus')
    ->authorize(fn (WorkOrder $record): bool => static::canEdit($record))
    ->form([
        Forms\Components\Select::make('status')
            ->options(fn (string $operation) => WorkOrderStatus::options($operation))
            ->enum(WorkOrderStatus::class)
            ->required(),
    ])
    ->action(function (array $data, WorkOrder $record): void {
        // do I need to authorize here as well?

        $record->status = $data['status'];
        $record->save();
    })
    ->after(fn () => Notification::make()->success()->title('Saved')->send()),
Do I have to authorize inside the action method on top of the ->authorize() method on the action itself?
4 Replies
toeknee (3w ago)
Where did you get authorize from? That's usually on the mount function; I suspect you want visible:
    ->visible(fn (WorkOrder $record): bool => static::canEdit($record))
Which is all you need?
morty (OP, 3w ago)
Hmm, good question. I swear authorize was documented, but now I don't see it. Regardless, visible will only do the client side, while I think I'd still need it in the action for the server side in case a malicious user hits the API in another way, right?
Solution
toeknee (2w ago)
Authorize is a Livewire controller check for permissions. As you are adding an action, it's not possible for it to be run unless it's visible. You can't hit the action server-side without it being visible and mounted on the page. You are thinking more of functions you can action from a URL/POST request. So as visible is always false, they would have to somehow bypass the visibility to show it for Livewire to register/mount it.
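For readers who want the belt-and-braces version the OP was asking about, here is the same action written with the check re-evaluated inside `->action()`. This is an added illustration, not code posted by either participant and not Filament's own code; it reuses the thread's `WorkOrder`, `WorkOrderStatus` and `static::canEdit()` names, assumes `App\Models` / `App\Enums` namespaces for them, and assumes `WorkOrderStatus` is a string-backed PHP enum (the `->enum()` call in the original suggests an enum but does not say which kind). `abort_unless()` and `abort()` are standard Laravel helpers.

```php
<?php

// Added example: the thread's 'changeStatus' action with the policy check
// repeated inside ->action() so the write itself depends on the policy,
// not only on whether the button was rendered. Namespaces below are assumed.

use App\Enums\WorkOrderStatus;   // assumed namespace
use App\Models\WorkOrder;        // assumed namespace
use Filament\Forms;
use Filament\Notifications\Notification;
use Filament\Tables;

Tables\Actions\Action::make('changeStatus')
    // First gate, as suggested in the answer: controls whether the action is
    // rendered and can be mounted at all.
    ->visible(fn (WorkOrder $record): bool => static::canEdit($record))
    ->form([
        Forms\Components\Select::make('status')
            ->options(fn (string $operation) => WorkOrderStatus::options($operation))
            ->required(),
    ])
    ->action(function (array $data, WorkOrder $record): void {
        // Second gate: re-run the same policy at the moment of the mutation.
        // It is cheap, and it makes the outcome independent of how the
        // request reached this closure.
        abort_unless(static::canEdit($record), 403);

        // Re-validate the submitted value against the enum on the server
        // instead of trusting the option list that was rendered to the client.
        // Assumes WorkOrderStatus is a string-backed enum.
        $status = WorkOrderStatus::tryFrom((string) ($data['status'] ?? ''))
            ?? abort(422, 'Invalid status');

        $record->status = $status;
        $record->save();
    })
    ->after(fn () => Notification::make()->success()->title('Saved')->send());
```

The second `canEdit()` call duplicates the first on purpose: if the visibility rule and the action body ever drift apart (a refactor, a new entry point that mounts the action differently), the write still fails closed with a 403 rather than silently succeeding.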
morty (OP, 2w ago)
Thanks!