Authorization
Introduction
Qore.works Business comes with default roles (Admin and Super Admin) and permissions. The default roles and permissions are built on top of the Spatie package.
The admin users that have access to the backoffice are stored separately in the qore_users table and authenticate through a separate guard named qore. Platform users keep the defaults: the users table and the web guard.
Usage for backoffice users
For authorization, Filament will observe any model policies that are registered in your app. For more information you can visit the Filament authorization page.
Policies auto resolve
Place the policy for a model inside the Admin folder. For example:
- app
- Application
- Admin
- Policies
- FaqPolicy.php
- Models
- Faq
- Faq.php

When extending models, for example the Local company inside the Development application, you should add the existing policy to your application, but you can extend it from the original:

    namespace App\Application\Admin\Policies;

    use QoreWorksBusiness\QoreRelation\Policies\CompanyPolicy as QoreCompanyPolicy;

    class CompanyPolicy extends QoreCompanyPolicy
    {
    }

Protecting widgets
To protect the widgets you can implement a trait from the base. This will protect the widget with the canView method.

    use QoreWorksBusiness\QoreAdminBase\Concerns\AuthorizesWidgetAccess;

    class WidgetName extends BaseWidget
    {
        use AuthorizesWidgetAccess;
    }

You can either define the permission to check with $permission:

    protected static UnitEnum $permission = CompanyPermission::VIEW;

Or you can define the model whose policy is checked for the view ability:

    protected static ?string $model = Company::class;

Super admin
In the QoreAdminBaseServiceProvider, policy checks are skipped for this role. Therefore, the super-admin role doesn't have any permissions attached.
Usage for platform users
Every model can be attached to the user model. For example, a relation can have a user for authentication. On your relation model you can include the HasUser trait.
Model has one user
- Add the trait on model

    use Illuminate\Database\Eloquent\Model;
    use QoreWorksBusiness\QoreAdminBase\Concerns\HasUser;

    class Relation extends Model
    {
        use HasUser;
    }

- Add the reverse relation on the User model

    use Illuminate\Database\Eloquent\Relations\HasOneThrough;
    use Illuminate\Foundation\Auth\User as Authenticatable;
    use QoreWorksBusiness\QoreAdminBase\Models\ModelHasUsers;

    class User extends Authenticatable
    {
        public function relation(): HasOneThrough
        {
            return $this->hasOneThrough(
                Relation::class,
                ModelHasUsers::class,
                'user_id',  // foreign key on the pivot model pointing at the user
                'id',       // key on the Relation model
                'id',       // local key on the User model
                'model_id', // key on the pivot model pointing at the Relation
            )->where('model_type', '=', (new Relation())->getMorphClass());
        }
    }

- Add a 'make platform user' button, for example to your edit page. The button is only visible when no user is attached.

    use Filament\Resources\Pages\EditRecord;
    use QoreWorksBusiness\QoreAdminBase\Resources\UserResource\Actions\CreateUserAction;

    class EditRelation extends EditRecord
    {
        protected static string $resource = RelationResource::class;

        protected function getHeaderActions(): array
        {
            return [
                CreateUserAction::make(),
            ];
        }
    }

- Listening to the event
After creating a user, a UserCreated event is dispatched. You can listen to this event to perform some additional actions, for example sending a verification mail or adding some roles.
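
A listener for the UserCreated event described above, as an added example that is not code from Qore.works Business. It assumes the event exposes the new user as a public `$user` property and that the user model uses Spatie's `HasRoles` trait; the class name `ProvisionPlatformUser` is hypothetical, and the role name `relation` is taken from this page's route example.

```php
<?php

declare(strict_types=1);

namespace App\Listeners;

use Illuminate\Contracts\Auth\MustVerifyEmail;
use Spatie\Permission\Models\Role;

// Added example, not package code. Register it for the package's UserCreated
// event in your event service provider.
final class ProvisionPlatformUser
{
    // Platform users use the "web" guard; backoffice users use "qore".
    private const GUARD = 'web';

    // Role name taken from this page's route example ('role:relation').
    private const ROLE = 'relation';

    public function handle(object $event): void
    {
        // Assumption: the event carries the new user in a public $user property.
        $user = $event->user ?? null;

        if ($user === null) {
            return;
        }

        // Spatie roles are scoped per guard, so name the guard explicitly
        // instead of relying on the configured default guard.
        $role = Role::findOrCreate(self::ROLE, self::GUARD);

        // assignRole() throws GuardDoesNotMatch when the role's guard is not
        // one of the user's guards, which keeps "web" roles off "qore" users.
        $user->assignRole($role);

        // Only send the verification mail when the model opts in to it.
        if ($user instanceof MustVerifyEmail && ! $user->hasVerifiedEmail()) {
            $user->sendEmailVerificationNotification();
        }
    }
}
```
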
Middlewares
To make use of the Spatie Laravel permissions middlewares, please modify the kernel file:
app/Http/Kernel.php
And add the following middleware aliases:

    protected $middlewareAliases = [
        // ...
        'permission' => \Spatie\Permission\Middlewares\PermissionMiddleware::class,
        'role' => \Spatie\Permission\Middlewares\RoleMiddleware::class,
        'role_or_permission' => \Spatie\Permission\Middlewares\RoleOrPermissionMiddleware::class,
    ];

After that you can make use of the middleware:

    Route::group(['middleware' => ['role:relation']], function () {
        //
    });

For more information see the documentation of Spatie Laravel permissions.
Permissions
Make sure you also create a default set of permissions for your package if it needs to be controlled in the backoffice. You can easily create the permissions with actions in your migration. For example:

    use Illuminate\Database\Migrations\Migration;
    use QoreWorksBusiness\QoreAdminBase\Actions\CreatePermissionsAction;
    use QoreWorksBusiness\QoreAdminBase\Actions\RevokePermissionsAction;
    use QoreWorksBusiness\QoreAdminBase\Enums\AssetPermission;

    return new class() extends Migration
    {
        // Permissions created on migrate and revoked again on rollback.
        protected static array $permissions = [
            AssetPermission::VIEW,
            AssetPermission::EDIT,
            AssetPermission::DELETE,
        ];

        public function up(): void
        {
            // ...
            CreatePermissionsAction::run(self::$permissions);
        }

        public function down(): void
        {
            // ...
            RevokePermissionsAction::run(self::$permissions);
        }
    };