Authorization issue – inability to override policies in favor of can* methods in the resource
In Filament v3, I could control permissions in the panel using methods such as canView, canEdit, canDelete, etc. in the resource, regardless of whether a Laravel policy was registered for the model. This allowed me to have policies only for the purposes of, for example, GraphQL, and use my own permission logic in the Filament panel.
In Filament v4, if a policy is registered for a model, Filament always uses that policy for authorization (via the get_authorization_response function), ignoring the logic contained in the canView, canEdit, etc. methods in the resource. This means that I can no longer independently control permissions in the Filament panel if a policy exists (e.g., for API/GraphQL purposes).
Expected behavior
I would like Filament to ignore Laravel policies for a given resource/model and use only the canView, canEdit, canDelete, etc. methods in the resource – even if the policy is registered (e.g., for other parts of the application).
4 Replies
Proposal
Add an option (e.g., a flag in the resource) that will force the use of only can* methods in the resource, ignoring Laravel policies – even if they are registered.
You can skip the authorization to ignore the registered policies
https://filamentphp.com/docs/4.x/resources/overview#skipping-authorization
But I think this will disable authorization completely (policies and *can methods). I don't want to use policies, only *can methods, which I will override in the resource.
Find the methods inside the HasAuthorization trait that use can*, and then copy/paste those methods to your resource to override them.
GitHub: panels/src/Resources/Resource/Concerns/HasAuthorization.php at 4.x ... (filamentphp/panels)
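A regression test for the situation discussed in this thread, added here as an example (it is not code from any of the posts or from Filament): it pins the panel's effective authorization for a user whom the registered policy allows but the resource's own can* logic should deny. The `Order` and `User` models, `OrderResource`, the `is_panel_editor` column and the behaviour of `OrderPolicy::update()` are hypothetical assumptions.

```php
<?php
// Added example, not code from the thread or from Filament.
// Hypothetical names: Order and User models with factories, OrderResource with
// an "edit" page, and a boolean users.is_panel_editor column read by the
// resource's can* logic. Assumes OrderPolicy::update() allows every signed-in
// user (the API rule) and that both test users may access the panel.

namespace Tests\Feature;

use App\Filament\Resources\OrderResource;
use App\Models\Order;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Gate;
use Tests\TestCase;

class OrderResourceAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_panel_denies_edit_even_though_policy_allows_it(): void
    {
        $apiOnlyUser = User::factory()->create(['is_panel_editor' => false]);
        $order = Order::factory()->create();

        // Precondition: the registered policy allows the update.
        $this->assertTrue(Gate::forUser($apiOnlyUser)->allows('update', $order));

        $this->actingAs($apiOnlyUser);

        // The panel must still refuse, in the resource check and over HTTP.
        $this->assertFalse(OrderResource::canEdit($order));
        $this->get(OrderResource::getUrl('edit', ['record' => $order]))
            ->assertForbidden();
    }

    public function test_panel_editor_can_open_the_edit_page(): void
    {
        $editor = User::factory()->create(['is_panel_editor' => true]);
        $order = Order::factory()->create();

        // Control case: shows the 403 above comes from the edit rule,
        // not from a blanket denial of panel access.
        $this->actingAs($editor)
            ->get(OrderResource::getUrl('edit', ['record' => $order]))
            ->assertOk();
    }
}
```

If the first test starts failing after an upgrade, the policy rather than the resource's can* logic is deciding access in the panel.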