craftcms
diff --git a/‎src/Field/Assets.php‎
Lines changed: 5 additions & 5 deletions b/‎src/Field/Assets.php‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎src/Field/LinkTypes/Asset.php‎
Lines changed: 4 additions & 5 deletions b/‎src/Field/LinkTypes/Asset.php‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎src/Translation/I18N.php‎
Lines changed: 2 additions & 1 deletion b/‎src/Translation/I18N.php‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/User/Models/User.php‎
Lines changed: 0 additions & 25 deletions b/‎src/User/Models/User.php‎
Lines changed: 0 additions & 25 deletions
diff --git a/‎src/User/UserServiceProvider.php‎
Lines changed: 36 additions & 0 deletions b/‎src/User/UserServiceProvider.php‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎yii2-adapter/legacy/controllers/AppController.php‎
Lines changed: 2 additions & 1 deletion b/‎yii2-adapter/legacy/controllers/AppController.php‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎yii2-adapter/legacy/controllers/GlobalsController.php‎
Lines changed: 2 additions & 1 deletion b/‎yii2-adapter/legacy/controllers/GlobalsController.php‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎yii2-adapter/legacy/controllers/UsersController.php‎
Lines changed: 3 additions & 3 deletions b/‎yii2-adapter/legacy/controllers/UsersController.php‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎yii2-adapter/legacy/elements/Asset.php‎
Lines changed: 18 additions & 17 deletions b/‎yii2-adapter/legacy/elements/Asset.php‎
Lines changed: 18 additions & 17 deletions
diff --git a/‎yii2-adapter/legacy/elements/Category.php‎
Lines changed: 2 additions & 1 deletion b/‎yii2-adapter/legacy/elements/Category.php‎
Lines changed: 2 additions & 1 deletion
@@ -36,6 +36,7 @@
 use CraftCms\Cms\Support\Html;
 use GraphQL\Type\Definition\Type;
 use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Validation\Rule;
 use Override;
 
@@ -694,7 +695,7 @@ public function getInputSources(?ElementInterface $element = null): array
                 // (Use restrictedLocationSource here because the actual folder could belong to a temp volume)
                 $volume = $this->_volumeBySourceKey($this->restrictedLocationSource);
 
-                if (! $volume || ! Craft::$app->getUser()->checkPermission("viewAssets:$volume->uid")) {
+                if (! $volume || ! Gate::check("viewAssets:$volume->uid")) {
                     return [];
                 }
             }
@@ -724,19 +725,18 @@ public function getInputSources(?ElementInterface $element = null): array
 
         // Now enforce the showUnpermittedVolumes setting
         if (! $this->showUnpermittedVolumes && ! empty($sources)) {
-            $userService = Craft::$app->getUser();
             $volumesService = Craft::$app->getVolumes();
 
             return Collection::make($sources)
-                ->filter(function (string $source) use ($volumesService, $userService) {
+                ->filter(function (string $source) use ($volumesService) {
                     // If it’s not a volume folder, let it through
                     if (! str_starts_with($source, 'volume:')) {
                         return true;
                     }
 
                     // Only show it if they have permission to view it, or if it's the temp volume
                     $volumeUid = explode(':', $source)[1];
-                    if ($userService->checkPermission("viewAssets:$volumeUid")) {
+                    if (Gate::check("viewAssets:$volumeUid")) {
                         return true;
                     }
 
@@ -767,7 +767,7 @@ protected function inputTemplateVariables(array|ElementQueryInterface|null $valu
             $this->allowUploads &&
             $uploadVolume &&
             $uploadFs &&
-            Craft::$app->getUser()->checkPermission("saveAssets:$uploadVolume->uid")
+            Gate::check("saveAssets:$uploadVolume->uid")
         );
         $variables['defaultFieldLayoutId'] = $uploadVolume->fieldLayoutId ?? null;
 
 
@@ -12,6 +12,7 @@
 use craft\models\Volume;
 use CraftCms\Cms\Field\Link;
 use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Gate;
 
 use function CraftCms\Cms\t;
 
@@ -91,8 +92,7 @@ protected function availableSourceKeys(): array
             ->filter(fn (Volume $volume) => $volume->getFs()->hasUrls);
 
         if (! $this->showUnpermittedVolumes) {
-            $userService = Craft::$app->getUser();
-            $volumes = $volumes->filter(fn (Volume $volume) => $userService->checkPermission("viewAssets:$volume->uid"));
+            $volumes = $volumes->filter(fn (Volume $volume) => Gate::check("viewAssets:$volume->uid"));
         }
 
         return $volumes
@@ -126,17 +126,16 @@ protected function elementSelectConfig(): array
             $sourceKeys = $this->sources ?? Collection::make($this->availableSources())
                 ->map(fn (array $source) => $source['key'])
                 ->all();
-            $userService = Craft::$app->getUser();
             $config['sources'] = Collection::make($sourceKeys)
-                ->filter(function (string $source) use ($userService) {
+                ->filter(function (string $source) {
                     // If it’s not a volume folder, let it through
                     if (! str_starts_with($source, 'volume:')) {
                         return true;
                     }
                     // Only show it if they have permission to view it, or if it's the temp volume
                     $volumeUid = explode(':', $source)[1];
 
-                    return $userService->checkPermission("viewAssets:$volumeUid");
+                    return Gate::check("viewAssets:$volumeUid");
                 })
                 ->all();
         }
 
@@ -13,6 +13,7 @@
 use Illuminate\Container\Attributes\Singleton;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Gate;
 use InvalidArgumentException;
 use ResourceBundle;
 use Stringable;
@@ -254,7 +255,7 @@ public function getEditableLocales(): Collection
             return $this->getSiteLocales();
         }
 
-        return $this->getSiteLocales()->filter(fn (Locale $locale) => Craft::$app->getUser()->checkPermission('editLocale:'.$locale->id));
+        return $this->getSiteLocales()->filter(fn (Locale $locale) => Gate::check('editLocale:'.$locale->id));
     }
 
     /**
 
@@ -12,7 +12,6 @@
 use CraftCms\Cms\Site\Models\Site;
 use CraftCms\Cms\Support\Arr;
 use CraftCms\Cms\Support\Facades\UserGroups;
-use CraftCms\Cms\Support\Facades\UserPermissions;
 use Illuminate\Auth\Authenticatable;
 use Illuminate\Auth\MustVerifyEmail;
 use Illuminate\Auth\Passwords\CanResetPassword;
@@ -84,30 +83,6 @@ protected function newBaseQueryBuilder(): Builder
             );
     }
 
-    /**
-     * Returns whether the user has permission to perform a given action.
-     *
-     * @param  string  $abilities
-     *
-     * @todo Permissions to Laravel Gates
-     */
-    #[Override]
-    public function can($abilities, $arguments = []): bool
-    {
-        if (
-            $this->admin ||
-            Edition::get() === Edition::Solo
-        ) {
-            return true;
-        }
-
-        if (! isset($this->id)) {
-            return false;
-        }
-
-        return UserPermissions::doesUserHavePermission($this->id, $abilities);
-    }
-
     public function asElement(): \CraftCms\Cms\User\Elements\User
     {
         return new \CraftCms\Cms\User\Elements\User(Arr::except($this->toArray(), [
 
@@ -4,6 +4,7 @@
 
 namespace CraftCms\Cms\User;
 
+use CraftCms\Cms\Edition;
 use CraftCms\Cms\User\Commands\ActivationUrlCommand;
 use CraftCms\Cms\User\Commands\CreateCommand;
 use CraftCms\Cms\User\Commands\DeleteCommand;
@@ -14,10 +15,45 @@
 use CraftCms\Cms\User\Commands\Remove2faCommand;
 use CraftCms\Cms\User\Commands\SetPasswordCommand;
 use CraftCms\Cms\User\Commands\UnlockCommand;
+use CraftCms\Cms\User\Models\User;
+use Illuminate\Contracts\Auth\Access\Authorizable;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\ServiceProvider;
+use Override;
 
 final class UserServiceProvider extends ServiceProvider
 {
+    #[Override]
+    public function register(): void
+    {
+        /**
+         * This hooks our permission system into
+         * Laravel's Gate authorization system
+         */
+        Gate::before(function (Authorizable $user, string $ability) {
+            if (! $user instanceof User && ! $user instanceof \craft\elements\User) {
+                return null;
+            }
+
+            if (
+                $user->admin ||
+                Edition::get() === Edition::Solo
+            ) {
+                return true;
+            }
+
+            if (! isset($user->id)) {
+                return null;
+            }
+
+            if (! app(UserPermissions::class)->doesUserHavePermission($user->id, $ability)) {
+                return null;
+            }
+
+            return true;
+        });
+    }
+
     public function boot(): void
     {
         $this->commands([
 
@@ -37,6 +37,7 @@
 use CraftCms\DependencyAwareCache\Facades\DependencyCache;
 use DateInterval;
 use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Http;
 use InvalidArgumentException;
 use yii\base\InvalidConfigException;
@@ -76,7 +77,7 @@ public function behaviors(): array
                 'class' => UtilityAccess::class,
                 'utility' => UpdatesUtility::class,
                 'only' => ['check-for-updates', 'cache-updates'],
-                'when' => fn() => !Craft::$app->getUser()->checkPermission('performUpdates'),
+                'when' => fn() => !Gate::check('performUpdates'),
             ],
         ]);
     }
 
@@ -15,6 +15,7 @@
 use CraftCms\Cms\Field\Fields;
 use CraftCms\Cms\Support\Facades\Sites;
 use CraftCms\Cms\Support\Json;
+use Illuminate\Support\Facades\Gate;
 use yii\web\BadRequestHttpException;
 use yii\web\ForbiddenHttpException;
 use yii\web\NotFoundHttpException;
@@ -161,7 +162,7 @@ public function actionEditContent(string $globalSetHandle, ?GlobalSet $globalSet
             ->all();
 
         foreach ($globalSets as $thisGlobalSet) {
-            if (Craft::$app->getUser()->checkPermission('editGlobalSet:' . $thisGlobalSet->uid)) {
+            if (Gate::check('editGlobalSet:' . $thisGlobalSet->uid)) {
                 $editableGlobalSets[$thisGlobalSet->handle] = $thisGlobalSet;
             }
         }
 
@@ -61,6 +61,7 @@
 use CraftCms\Cms\User\Events\DefineEditUserScreens;
 use CraftCms\Cms\User\Events\GroupsAndPermissionsAssigned;
 use Illuminate\Support\Facades\Event;
+use Illuminate\Support\Facades\Gate;
 use Throwable;
 use yii\base\Exception;
 use yii\base\InvalidArgumentException;
@@ -522,7 +523,7 @@ public function actionSendPasswordResetEmail(): ?Response
         $loginName = null;
 
         // If someone's logged in and they're allowed to edit other users, then see if a userId was submitted
-        if (Craft::$app->getUser()->checkPermission('editUsers')) {
+        if (Gate::check('editUsers')) {
             $userId = $this->request->getBodyParam('userId');
 
             if ($userId) {
@@ -1053,10 +1054,9 @@ public function actionAddresses(?int $userId = null): Response
         $response = $this->asEditUserScreen($user, self::SCREEN_ADDRESSES);
 
         $response->contentHtml(function() use ($user) {
-            $canEditUsers = Craft::$app->getUser()->checkPermission('editUsers');
             $config = [
                 'showInGrid' => true,
-                'canCreate' => $canEditUsers,
+                'canCreate' => Gate::check('editUsers'),
             ];
 
             // Use an element index view if there's more than 50 addresses
 
@@ -79,6 +79,7 @@
 use GraphQL\Type\Definition\Type;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\DB as DbFacade;
+use Illuminate\Support\Facades\Gate;
 use Throwable;
 use Twig\Markup;
 use yii\base\ErrorHandler;
@@ -503,7 +504,7 @@ protected static function defineActions(string $source): array
             $actions[] = DownloadAssetFile::class;
 
             $userSession = Craft::$app->getUser();
-            if ($isTemp || $userSession->checkPermission("replaceFiles:$volume->uid")) {
+            if ($isTemp || Gate::check("replaceFiles:$volume->uid")) {
                 // Rename/Replace File
                 $actions[] = RenameFile::class;
                 $actions[] = ReplaceFile::class;
@@ -530,7 +531,7 @@ protected static function defineActions(string $source): array
             $actions[] = CopyReferenceTag::class;
 
             // Edit Image
-            if ($isTemp || $userSession->checkPermission("editImages:$volume->uid")) {
+            if ($isTemp || Gate::check("editImages:$volume->uid")) {
                 $actions[] = EditImage::class;
             }
 
@@ -544,7 +545,7 @@ protected static function defineActions(string $source): array
             ];
 
             // Delete
-            if ($userSession->checkPermission("deletePeerAssets:$volume->uid")) {
+            if (Gate::check("deletePeerAssets:$volume->uid")) {
                 $actions[] = DeleteAssets::class;
             }
         }
@@ -998,12 +999,12 @@ private static function _assembleSourceInfoForFolder(VolumeFolder $folder, ?User
         }
 
         $userSession = Craft::$app->getUser();
-        $canUpload = $userSession->checkPermission("saveAssets:$volume->uid");
-        $canMoveTo = $canUpload && $userSession->checkPermission("deleteAssets:$volume->uid");
+        $canUpload = Gate::check("saveAssets:$volume->uid");
+        $canMoveTo = $canUpload && Gate::check("deleteAssets:$volume->uid");
         $canMovePeerFilesTo = (
             $canMoveTo &&
-            $userSession->checkPermission("savePeerAssets:$volume->uid") &&
-            $userSession->checkPermission("deletePeerAssets:$volume->uid")
+            Gate::check("savePeerAssets:$volume->uid") &&
+            Gate::check("deletePeerAssets:$volume->uid")
         );
 
         $sourcePathInfo = $folder->getSourcePathInfo();
@@ -1794,8 +1795,8 @@ protected function safeActionMenuItems(): array
         // Image editor
         if (
             $this->getSupportsImageEditor() &&
-            $userSession->checkPermission("editImages:$volume->uid") &&
-            ($userSession->getId() == $this->uploaderId || $userSession->checkPermission("editPeerImages:$volume->uid"))
+            Gate::check("editImages:$volume->uid") &&
+            ($userSession->getId() == $this->uploaderId || Gate::check("editPeerImages:$volume->uid"))
         ) {
             $editImageId = sprintf('action-image-edit-%s', mt_rand());
             $items[] = [
@@ -2851,8 +2852,8 @@ public function getPreviewHtml(): string
             $previewable = Craft::$app->getAssets()->getAssetPreviewHandler($this) !== null;
             $editable = (
                 $this->getSupportsImageEditor() &&
-                $userSession->checkPermission("editImages:$volume->uid") &&
-                ($userSession->getId() == $this->uploaderId || $userSession->checkPermission("editPeerImages:$volume->uid"))
+                Gate::check("editImages:$volume->uid") &&
+                ($userSession->getId() == $this->uploaderId || Gate::check("editPeerImages:$volume->uid"))
             );
 
             switch ($this->kind) {
@@ -3409,8 +3410,8 @@ public function getHtmlAttributes(string $context): array
             $userSession = Craft::$app->getUser();
 
             if (
-                $userSession->checkPermission("savePeerAssets:$volume->uid") &&
-                $userSession->checkPermission("deletePeerAssets:$volume->uid")
+                Gate::check("savePeerAssets:$volume->uid") &&
+                Gate::check("deletePeerAssets:$volume->uid")
             ) {
                 $attributes['data']['movable'] = true;
             }
@@ -3450,13 +3451,13 @@ protected function htmlAttributes(string $context): array
         } else {
             $attributes['data']['peer-file'] = true;
             $movable = (
-                $userSession->checkPermission("savePeerAssets:$volume->uid") &&
-                $userSession->checkPermission("deletePeerAssets:$volume->uid")
+                Gate::check("savePeerAssets:$volume->uid") &&
+                Gate::check("deletePeerAssets:$volume->uid")
             );
-            $replaceable = $userSession->checkPermission("replacePeerFiles:$volume->uid");
+            $replaceable = Gate::check("replacePeerFiles:$volume->uid");
             $imageEditable = (
                 $imageEditable &&
-                ($userSession->checkPermission("editPeerImages:$volume->uid"))
+                (Gate::check("editPeerImages:$volume->uid"))
             );
         }
 
 
@@ -34,6 +34,7 @@
 use CraftCms\Cms\Support\Str;
 use GraphQL\Type\Definition\Type;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Gate;
 use yii\base\Exception;
 use yii\base\InvalidConfigException;
 use function CraftCms\Cms\t;
@@ -202,7 +203,7 @@ protected static function defineSources(string $context): array
                 'data' => ['handle' => $group->handle],
                 'criteria' => ['groupId' => $group->id],
                 'structureId' => $group->structureId,
-                'structureEditable' => Craft::$app->getRequest()->getIsConsoleRequest() || Craft::$app->getUser()->checkPermission("viewCategories:$group->uid"),
+                'structureEditable' => app()->runningInConsole() || Gate::check("viewCategories:$group->uid"),
             ];
         }
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`	`use Illuminate\Container\Attributes\Singleton;`
`14`	`14`	`use Illuminate\Support\Collection;`
`15`	`15`	`use Illuminate\Support\Facades\Auth;`
	`16`	`+use Illuminate\Support\Facades\Gate;`
`16`	`17`	`use InvalidArgumentException;`
`17`	`18`	`use ResourceBundle;`
`18`	`19`	`use Stringable;`
`@@ -254,7 +255,7 @@ public function getEditableLocales(): Collection`
`254`	`255`	`return $this->getSiteLocales();`
`255`	`256`	`}`
`256`	`257`
`257`		`- return $this->getSiteLocales()->filter(fn (Locale $locale) => Craft::$app->getUser()->checkPermission('editLocale:'.$locale->id));`
	`258`	`+ return $this->getSiteLocales()->filter(fn (Locale $locale) => Gate::check('editLocale:'.$locale->id));`
`258`	`259`	`}`
`259`	`260`
`260`	`261`	`/**`