Add policy for managing comment authorization (#23)

* Move existing logic to policy

* Remove allow edits and deletes config options

* Handle guest users in canEdit and canDelete

* Clean up README

* Fix styles after merge

* Remove canEdit and canDelete in favor of policy check

* Hide save form when create comment permission is not granted

* Throw authorization exception when attempting to create comment without permission

* Use resolveAuthenticatedUser

* Check any permissions before rendering comment actions area

* Use comment model in relationships

* Added default value

---------

Co-authored-by: Luís Dalmolin <luis.nh@gmail.com>

Author: nathanheffley

README.md

@@ -49,16 +49,14 @@ class Project extends Model implements Commentable
 
 ### Usage with Filament
 
-You can register the plugin in your Panel(s) and configure editing and deleting permissions:
+You can register the plugin in your Panel(s) like so:
 
 ```php
 use Kirschbaum\Commentions\CommentionsPlugin;
 
 return $panel
     ->plugins([
-        CommentionsPlugin::make()
-            ->disallowEdits()    // Prevent users from editing their comments
-            ->disallowDeletes()  // Prevent users from deleting their comments
+        CommentionsPlugin::make(),
     ])
 ```
 
@@ -110,36 +108,63 @@ If your `User` model lives in a different namespace than `App\Models\User`, you
     ],
 ```
 
-### Disabling comment editing and deletion
+### Configuring the Comment model
 
-By default, users can edit and delete their own comments. You can disable this functionality in two ways:
+If you need to customize the Comment model, you can extend the `\Kirschbaum\Commentions\Comment` class and then update the `comment.model` option in your `config/commentions.php` file:
 
-#### 1. Using the plugin configuration
+```php
+    'comment' => [
+        'model' => \App\Models\Comment::class,
+        // ...
+    ],
+```
+
+### Configuring Comment permissions
+
+By default, users can create comments, as well as edit and delete their own comments. You can adjust these permissions by implementing your own policy:
+
+#### 1) Create a custom policy
 
 ```php
-use Kirschbaum\Commentions\CommentionsPlugin;
+<?php
 
-return $panel
-    ->plugins([
-        CommentionsPlugin::make()
-            ->disallowEdits()    // Prevent users from editing their comments
-            ->disallowDeletes()  // Prevent users from deleting their comments
-    ])
+namespace App\Policies;
+
+use Kirschbaum\Commentions\Comment;
+use Kirschbaum\Commentions\Contracts\Commenter;
+use Kirschbaum\Commentions\Policies\CommentPolicy;
+
+class CommentPolicy extends CommentPolicy
+{
+    public function create(Commenter $user): bool
+    {
+        // TODO: Implement custom permission logic.
+    }
+
+    public function update($user, Comment $comment): bool
+    {
+        // TODO: Implement custom permission logic.
+    }
+
+    public function delete($user, Comment $comment): bool
+    {
+        // TODO: Implement custom permission logic.
+    }
+}
 ```
 
-#### 2. Using the configuration file
+#### 2) Register your policy in the configuration file
 
-Set the `allow_edits` and `allow_deletes` options in your `config/commentions.php` file:
+Update the `comment.policy` option in your `config/commentions.php` file:
 
 ```php
-    /**
-     * Comment editing/deleting options.
-     */
-    'allow_edits' => false,
-    'allow_deletes' => false,
+    'comment' => [
+        // ...
+        'policy' => \App\Policies\CommentPolicy::class,
+    ],
 ```
 
-> **Note:** The plugin configuration takes precedence over the config file settings.
+### Configuring the Commenter name
 
 By default, the `name` property will be used to render the mention names. You can customize it either by implementing the Filament `HasName` interface OR by implementing the optional `getCommenterName` method.
 

config/commentions.php

@@ -22,11 +22,13 @@
 
     /*
     |--------------------------------------------------------------------------
-    | Comment Moderation
+    | Comment model configuration
     |--------------------------------------------------------------------------
     */
-    'allow_edits' => true,
-    'allow_deletes' => true,
+    'comment' => [
+        'model' => \Kirschbaum\Commentions\Comment::class,
+        'policy' => \Kirschbaum\Commentions\Policies\CommentPolicy::class,
+    ],
 
     /*
     |--------------------------------------------------------------------------

resources/views/comment.blade.php

@@ -1,3 +1,5 @@
+@use('\Kirschbaum\Commentions\Config')
+
 <div class="flex items-start gap-x-4 border p-4 rounded-lg shadow-sm mb-2" id="filament-comment-{{ $comment->getId() }}">
     @if ($avatar = $comment->getAuthorAvatar())
         <img
@@ -32,16 +34,18 @@ class="text-xs text-gray-300 ml-1"
                 @endif
             </div>
 
-            @if ($comment->isComment() && $comment->canEdit())
+            @if ($comment->isComment() && Config::resolveAuthenticatedUser()?->canAny(['update', 'delete'], $comment))
                 <div class="flex gap-x-1">
-                    <x-filament::icon-button
-                        icon="heroicon-s-pencil-square"
-                        wire:click="edit"
-                        size="xs"
-                        color="gray"
-                    />
+                    @if (Config::resolveAuthenticatedUser()?->can('update', $comment))
+                        <x-filament::icon-button
+                            icon="heroicon-s-pencil-square"
+                            wire:click="edit"
+                            size="xs"
+                            color="gray"
+                        />
+                    @endif
 
-                    @if ($comment->canDelete())
+                    @if (Config::resolveAuthenticatedUser()?->can('delete', $comment))
                         <x-filament::icon-button
                             icon="heroicon-s-trash"
                             wire:click="$dispatch('open-modal', { id: 'delete-comment-modal-{{ $comment->getId() }}' })"
@@ -90,7 +94,7 @@ class="text-xs text-gray-300 ml-1"
         @endif
     </div>
 
-    @if ($comment->isComment() && $comment->canDelete())
+    @if ($comment->isComment() && \Kirschbaum\Commentions\Config::resolveAuthenticatedUser()?->can('delete', $comment))
         <x-filament::modal
             id="delete-comment-modal-{{ $comment->getId() }}"
             wire:model="showDeleteModal"

resources/views/comments.blade.php

@@ -1,30 +1,34 @@
+@use('\Kirschbaum\Commentions\Config')
+
 <div class="space-y-2" x-data="{ wasFocused: false }">
-    <form wire:submit.prevent="save" x-cloak>
-        {{-- tiptap editor --}}
-        <div class="relative tip-tap-container mb-2" x-on:click="wasFocused = true" wire:ignore>
-            <div
-                x-data="editor(@js($commentBody), @js($this->mentions), 'comments')"
-            >
-                <div x-ref="element"></div>
+    @if (Config::resolveAuthenticatedUser()?->can('create', Config::getCommentModel()))
+        <form wire:submit.prevent="save" x-cloak>
+            {{-- tiptap editor --}}
+            <div class="relative tip-tap-container mb-2" x-on:click="wasFocused = true" wire:ignore>
+                <div
+                    x-data="editor(@js($commentBody), @js($this->mentions), 'comments')"
+                >
+                    <div x-ref="element"></div>
+                </div>
             </div>
-        </div>
 
-        <template x-if="wasFocused">
-            <div>
-                <x-filament::button
-                    wire:click="save"
-                    size="sm"
-                >Save</x-filament::button>
+            <template x-if="wasFocused">
+                <div>
+                    <x-filament::button
+                        wire:click="save"
+                        size="sm"
+                    >Save</x-filament::button>
 
-                <x-filament::button
-                    x-on:click="wasFocused = false"
-                    wire:click="clear"
-                    size="sm"
-                    color="gray"
-                >Cancel</x-filament::button>
-            </div>
-        </template>
-    </form>
+                    <x-filament::button
+                        x-on:click="wasFocused = false"
+                        wire:click="clear"
+                        size="sm"
+                        color="gray"
+                    >Cancel</x-filament::button>
+                </div>
+            </template>
+        </form>
+    @endif
 
     <livewire:commentions::comment-list
         :record="$record"

src/Actions/SaveComment.php

@@ -2,15 +2,24 @@
 
 namespace Kirschbaum\Commentions\Actions;
 
+use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Database\Eloquent\Model;
 use Kirschbaum\Commentions\Comment;
+use Kirschbaum\Commentions\Config;
 use Kirschbaum\Commentions\Contracts\Commenter;
 use Kirschbaum\Commentions\Events\UserWasMentionedEvent;
 
 class SaveComment
 {
+    /**
+     * @throws AuthorizationException
+     */
     public function __invoke(Model $commentable, Commenter $author, string $body): Comment
     {
+        if ($author->cannot('create', Config::getCommentModel())) {
+            throw new AuthorizationException('Cannot create comment');
+        }
+
         $comment = $commentable->comments()->create([
             'body' => $body,
             'author_id' => $author->getKey(),

src/Comment.php

@@ -163,16 +163,6 @@ public function reactions(): HasMany
         return $this->hasMany(CommentReaction::class);
     }
 
-    public function canEdit(): bool
-    {
-        return Config::allowEdits() && $this->isAuthor(Config::resolveAuthenticatedUser());
-    }
-
-    public function canDelete(): bool
-    {
-        return Config::allowDeletes() && $this->isAuthor(Config::resolveAuthenticatedUser());
-    }
-
     public function toggleReaction(string $reaction): void
     {
         ToggleCommentReaction::run($this, $reaction, Config::resolveAuthenticatedUser());

src/CommentReaction.php

@@ -23,7 +23,7 @@ class CommentReaction extends Model
     /** @return BelongsTo<Comment> */
     public function comment(): BelongsTo
     {
-        return $this->belongsTo(Comment::class);
+        return $this->belongsTo(Config::getCommentModel());
     }
 
     /** @return MorphTo<Commenter> */

src/CommentionsPlugin.php

@@ -16,20 +16,6 @@ public function register(Panel $panel): void {}
 
     public function boot(Panel $panel): void {}
 
-    public function disallowEdits(): static
-    {
-        Config::allowEdits(false);
-
-        return $this;
-    }
-
-    public function disallowDeletes(): static
-    {
-        Config::allowDeletes(false);
-
-        return $this;
-    }
-
     public static function make(): static
     {
         return app(static::class);

src/CommentionsServiceProvider.php

@@ -5,6 +5,8 @@
 use Filament\Support\Assets\Css;
 use Filament\Support\Assets\Js;
 use Filament\Support\Facades\FilamentAsset;
+use Illuminate\Support\Facades\Gate;
+use Kirschbaum\Commentions\Comment as CommentModel;
 use Kirschbaum\Commentions\Livewire\Comment;
 use Kirschbaum\Commentions\Livewire\CommentList;
 use Kirschbaum\Commentions\Livewire\Comments;
@@ -54,5 +56,7 @@ public function packageBooted(): void
             ],
             'kirschbaum-development/' . static::$name
         );
+
+        Gate::policy(CommentModel::class, config('commentions.comment.policy'));
     }
 }

src/Config.php

@@ -12,10 +12,6 @@ class Config
 
     protected static ?Closure $resolveAuthenticatedUser = null;
 
-    protected static ?bool $allowEdits = null;
-
-    protected static ?bool $allowDeletes = null;
-
     public static function resolveAuthenticatedUserUsing(Closure $callback): void
     {
         static::$resolveAuthenticatedUser = $callback;
@@ -33,31 +29,14 @@ public static function resolveAuthenticatedUser(): ?Commenter
         return $user;
     }
 
-    public static function getCommenterModel(): string
+    public static function getCommentModel(): string
     {
-        return config('commentions.commenter.model');
+        return config('commentions.comment.model', Comment::class);
     }
 
-    public static function allowEdits(?bool $allow = null): ?bool
-    {
-        if (is_bool($allow)) {
-            static::$allowEdits = $allow;
-
-            return null;
-        }
-
-        return static::$allowEdits ?? config('commentions.allow_edits', true);
-    }
-
-    public static function allowDeletes(?bool $allow = null): ?bool
+    public static function getCommenterModel(): string
     {
-        if (is_bool($allow)) {
-            static::$allowDeletes = $allow;
-
-            return null;
-        }
-
-        return static::$allowDeletes ?? config('commentions.allow_deletes', true);
+        return config('commentions.commenter.model');
     }
 
     public static function getAllowedReactions(): array