Support model policies

[susanu]

Hi guys,

I've been using model policies to grant or deny access the user parts of the crud.
I've done that by creating a trait that checks what operations the user has access to.
Attach the trait below to a CRUD and call validatePermissions inside setup function after CRUD::setModel().
Let me know if this would be a good addition to backpack.
Example of permissions for product crud:

• products.* -> access to all operations inside crud
• products.{id}.* -> access to all operations inside crud ONLY for the specified id
• products.viewAny -> access to list and fetch operations
• products.view -> access to show operation
• products.{id}.view -> access to show operation ONLY for the specified id
• the same pattern goes for the rest of the abilities

<?php

use Illuminate\Contracts\Auth\Access\Gate;

trait AuthorizesCruds
{
    public bool $shouldValidate = true;

    public function validatePermissions(): void
    {
        if(!$this->shouldValidate) {
            return;
        }

        $policy = $this->customPolicy();

        $model = $this->crud->getModel();
        if(!$policy && ($modelId = request()->route('id'))) {
            $model = $model->findOrNew($modelId);
        }

        foreach($this->abilityCrudMap() as $ability => $operations) {
            if($policy) {
                $response = app(Gate::class)
                    ->define($ability, "{$policy}@{$ability}")
                    ->inspect($ability);
            } else {
                $response = app(Gate::class)->inspect($ability, $model);
            }

            if($response->denied()) {
                $this->crud->denyAccess($operations);
            }
        }

        if(!$this->crud->hasAccess('trash')) {
            $this->crud->setOperationSetting('withTrashFilter', false, 'list');
            $this->crud->setOperationSetting('withTrashFilter', false, 'show');
        }
    }

    /**
     * Get the map of abilities to crud operations.
     * ['ability' => ['operation', 'operation']]
     * @return array
     */
    protected function abilityCrudMap(): array
    {
        return [
            'viewAny' => ['list', 'FetchOperation'],
            'view' => ['show', 'revise'],
            'create' => ['create', 'clone', 'bulkClone', 'InlineCreate'],
            'update' => ['update', 'reorder', 'InlineUpdate'],
            'delete' => ['trash', 'restore', 'bulkTrash', 'bulkRestore'],
            'forceDelete' => ['destroy', 'bulkDestroy', 'delete', 'bulkDelete'],
        ];
    }

    public function customPolicy(): ?string
    {
        return null;
    }
}

Policy interface

<?php

use Illuminate\Foundation\Auth\User;
use Illuminate\Database\Eloquent\Model;

interface Policy
{
    /**
     * Determine the user column in model
     */
    public function userColumn(): ?string;

    /**
     * Determine model key column
     */
    public function getModelKey(Model $model): mixed;

    /**
     * Determine the policy prefix for permissions
     */
    public function prefix(): string;

    /**
     * Determine whether the user can view any models.
     */
    public function viewAny(User $user): bool;

    /**
     * Determine whether the user can view the model.
     */
    public function view(User $user, ?Model $model = null): bool;

    /**
     * Determine whether the user can create models.
     */
    public function create(User $user): bool;

    /**
     * Determine whether the user can update the model.
     */
    public function update(User $user, ?Model $model = null): bool;

    /**
     * Determine whether the user can delete the model.
     */
    public function delete(User $user, ?Model $model = null): bool;

    /**
     * Determine whether the user can restore the model.
     */
    public function restore(User $user, ?Model $model = null): bool;

    /**
     * Determine whether the user can permanently delete the model.
     */
    public function forceDelete(User $user, ?Model $model = null): bool;
}

Trait to attach to a model policy that uses spatie/permission to check user abilities.

<?php

use Illuminate\Foundation\Auth\User;
use Illuminate\Auth\Access\HandlesAuthorization;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Str;

trait DefaultPolicies
{
    use HandlesAuthorization;

    public function userColumn(): ?string
    {
        return null;
    }

    public function getModelKey(Model $model): mixed
    {
        return $model->getKey();
    }

    public function prefix(): string
    {
        return Str::snake(Str::pluralStudly(substr(class_basename($this), 0, -6)));
    }

    /**
     * Determine whether the user can view any models.
     */
    public function viewAny(User $user): bool
    {
        return $user->canAny([
            "{$this->prefix()}.*",
            "{$this->prefix()}.viewAny",
        ]);
    }

    /**
     * Determine whether the user can view the model.
     */
    public function view(User $user, ?Model $model = null): bool
    {
        $isModel = $model && $this->getModelKey($model);

        return $user->canAny(array_filter([
            "{$this->prefix()}.*",
            "{$this->prefix()}.view",
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.*" : null,
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.view" : null,
        ]));
    }

    /**
     * Determine whether the user can create models.
     */
    public function create(User $user): bool
    {
        return $user->canAny([
            "{$this->prefix()}.*",
            "{$this->prefix()}.create",
        ]);
    }

    /**
     * Determine whether the user can update the model.
     */
    public function update(User $user, ?Model $model = null): bool
    {
        $isModel = $model && $this->getModelKey($model);

        return $user->canAny(array_filter([
            "{$this->prefix()}.*",
            "{$this->prefix()}.update",
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.*" : null,
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.update" : null,
        ]));
    }

    /**
     * Determine whether the user can delete the model.
     */
    public function delete(User $user, ?Model $model = null): bool
    {
        $isModel = $model && $this->getModelKey($model);

        return $user->canAny(array_filter([
            "{$this->prefix()}.*",
            "{$this->prefix()}.delete",
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.*" : null,
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.delete" : null,
        ]));
    }

    /**
     * Determine whether the user can restore the model.
     */
    public function restore(User $user, ?Model $model = null): bool
    {
        $isModel = $model && $this->getModelKey($model);

        return $user->canAny(array_filter([
            "{$this->prefix()}.*",
            "{$this->prefix()}.restore",
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.*" : null,
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.restore" : null,
        ]));
    }

    /**
     * Determine whether the user can permanently delete the model.
     */
    public function forceDelete(User $user, ?Model $model = null): bool
    {
        $isModel = $model && $this->getModelKey($model);

        return $user->canAny(array_filter([
            "{$this->prefix()}.*",
            "{$this->prefix()}.forceDelete",
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.*" : null,
            $isModel ? "{$this->prefix()}.{$this->getModelKey($model)}.forceDelete" : null,
        ]));
    }
}