Applying laravel-permission to a User/Group authorization model (verification of approach)

[msacharewicz]

Our university (and thus, my app) implements a User::belongsToMany(Group) relationship, with Group model representing specific departments. I've read the docs several times and I am still not sure, how to apply this package against our scenario.

In my app, I need to be able to assign specific roles and/or permissions either to a Group or a specific User, and then, when resolving permissions, I need to check if either the User or any Group he belongs to has a specific permission.

At first I thought of using the Teams feature, but no matter how hard I read docs, it seems that Teams are implemented as User::belongsTo(Team).

This seems to leave me with a solution to add HasRoles trait to both User and Group model and perform checks like:
User->hasPermissionTo(x) || User->groups()->hasPermissionTo(x).

Or, a nicer approach, to extend HasRoles and HasPermissions traits like:

    use HasPermissions {
        HasPermissions::hasPermissionTo as parentHasPermissionTo;
    }

    public function hasPermissionTo($permission, $guardName = null): bool
    {
        return self::parentPermissionTo($permission, $guardName) 
            || $this->groups->hasPermissionTo($permission, $guardName);
    }

and

    use HasRole {
        HasRole::hasRole as parentHasRole;
    }

    public function hasRole($roles, string $guard = null): bool
    {
        return self::parentHasRole($roles, $guard) 
            || $this->groups->hasRole($roles, $guard);
    }

Does it even remotely sound like a correct approach, or is there a better one?

[parallels999]

You misunderstood the point of this package,
no, it won't work for you unless you do some extra work for it
make some tests and give us a feedback

[msacharewicz]

Feedback will be given. If all goes well, I may even package it. It would be my first 😅.

But it would really help me to know how exactly did I misunderstood the point of this package.

[parallels999]

guards means login session, group has no login guard

User has roles
User has permissions
Roles have permissions

And on teams
Groups have roles and have global roles
User has roles by group
User has permissions by group
Roles have permissions

But if you want to reinvent the wheel and add more weight to the performance, it's up to you.

[msacharewicz]

To follow the same description, my scenario is:

Roles have Permissions
Groups have Roles
Groups have direct Permissions
User has Roles of many Groups
User has Roles of his own
User has direct Permissions of many Groups
User has direct Permissions of his own

I do believe this would be attainable with Teams taking place of Groups, except that Teams require belongsTo relation from the Users, eg. each User can have only a single group.

[parallels999]

Teams require belongsTo relation from the Users

Not, where did you get that?
that is open for each implementation

[msacharewicz]

I was under such impression upon reading the config file and assuming this defines the foreign key for the team, stored in any authorizable model (ie. Users).

Now, after diving deeper inside the code and schema, I see there's even no model for Teams, and the foreign key is just a hook that I can use to refer to my own Group model.

Yet, I still had doubts about how this code tracks the user-team relationship, and reading again the Working with Teams Permissions and, later, checking the src/PermissionRegistrar.php#setPermissionKey()...

...it still is a belongsTo relationship, inasmuch as only a single team_id can be passed here.