where to put permission check

[christmex]

Hi guys, I'm having a question about where to put backpack_user()->can() checking, except in our menu_item for showing the menu, so before we show the form to the user it should check the access with backpack_user()->can('some_permission'), if its return true then show the form but if it's not, then redirect to 403 pages.

Thanks.

[tabacitu]

Hi @christmex ,

If what you want is to completely prevent the access of a CRUD page, the best place to put backpack_user()->can() is inside the CrudController. Since each Operation has its own setup method, that's the perfect place to do that:

public function setupCreateOperation() {
    if (!backpack_user()->can('something')) {
        abort(403, 'You are not allowed to do that.');
    }
}

Hope it helps.
Cheers!

[christmex]

Thanks, @tabacitu , another question is, I want to check before it inserts the data into the database to make sure everything is authorized, here's what I did, am I right to do this?

//somewhere in entitiyCrudController
use \Backpack\CRUD\app\Http\Controllers\Operations\CreateOperation { store as traitStore; }


public function store(){
  if (!backpack_user()->can('something')) {
      return redirect('/');
   }
   $response = $this->traitStore();
    // do something after save
    return $response;
}

[tabacitu]

Yup

[christmex]

@tabacitu Thankyou so much🙏

[pxpm]

Hey @christmex alternatively you can define it in a single place:

The setupCreateOperation is called both on form display, and on form submit.

If you have in your controller:

public function setupCreateOperation()
{
if (!backpack_user()->can('something')) {
      CRUD::denyAccess('create');
   }
}

The user wouldn't be able to view the form, or submit the form.

Yours do the same, but you need two overwrites, one for form display, another for form submission.

Cheers

[christmex]

@pxpm Thank you so much for this option, it really helps 🙏