Using Laravel authorisation policies

[ale1981]

I have added the following to my UserCrudController and this fails on methods that require route binding to work with the error;

    public function __construct(Request $request)
    {
        $this->authorizeResource(User::class, 'App\Models\User,id');
        parent::__construct();  
    }

App\Policies\UserPolicy::update(): Argument #2 ($model) must be of type App\Models\User, string given

Is this because Backpack isn't doing any route binding, id is basically a string for the resource id?

Am I able to inject the model resource into the id parameter instead of it just being a string?

[pxpm]

Hey @ale1981 indeed we don't do any route model binding and that makes it a little harder to work with policies.

We only have two options here since we don't know beforehand the models that the CrudController will be handling, could be a Post, or could be a Book model.

1 - Create a general "CrudModel" interface and ask developers to implement it on their models, that way we can type-hint the interface instead of the specific model.
It would also require biding in the provider to resolve the proper injected model, so we would need to bind to the controller and then inject the crud model. Another caveat we may face is the fact the the crud panel is initialized in a middleware, so it may not be available at the time of the binding, and would require to orchestrate other solution.

2 - overwrite the update, edit etc (the methods that require route model biding) on your controllers and type-hint the proper models:

-public function update($id)
+public function update(Model $model) { $this->crud->entry = $model; return parent::update($model->id) }

Don't forget that you need to use the default backpack guard middleware https://github.com/Laravel-Backpack/CRUD/blob/main/src/app/Http/Middleware/UseBackpackAuthGuardInsteadOfDefaultAuthGuard.php

Or manually change it yourself before calling before the authorizeResource() the following method app('auth')->setDefaultDriver(config('backpack.base.guard'));

Alternatively set the backpack guard to null in the configuration so it will use the default Laravel one.

Also note that Backpack does not ship with use Illuminate\Foundation\Auth\Access\AuthorizesRequests;, so you need to add it in your controller.

You should then be able to just use the authorizeResource in your controller:

public function __construct()
  {
      parent::__construct();
      $this->authorizeResource(\App\Models\Monster::class, 'id');
  }

Cheers

[ale1981]

Hi @pxpm

Thanks for the detailed response, I will probably end up doing 2. and overwriting the edit and update methods in the controllers.