Authorization Policies

[lonnieezell]

Just a heads up: I'm implementing a Policies feature for authorization. I think this will help us handle the general errors and authorization checking within our controllers. Here's a basic run-down of what I'm working on:

• Assuming we have a permission threads.create
• Within the controller we can use:

if (! $this->policy->can('threads.create')) {
    return $this->policy->deny('You do not have permissions to start a new thread.');
}

• When no policy class has been defined, this works just like checking $user->can('threads.create'). If it fails, it will return redirect through HTMX to display a pre-defined error page that the status and error message is passed along to. I think that's the simplest way to get the errors working both within and outside of an HTMX call.

This also allows defining new classes to handle additional logic for the permissions check. Assuming we have a permissions threads.edit you could check the policy similar to above, but passing the thread instance along with it.

if (! $this->policy->can('threads.edit', $thread)) {
    return $this->policy->deny('You do not have permissions to edit this thread.');
}

Then in the policy class, which is based on the permission name for class name/method:

namespace App\Policies;

use App\Entities\User;
use App\Entities\Thread;
use App\Libraries\Policies\PolicyInterface;

class ThreadPolicy extends PolicyInterface
{
    public function edit(User $user, Thread $thread): bool
    {
        return $user->can('threads.create') || $user->id === $thread->author_id;
    }
}

You can also do more broad-based checks with a before method in the policy, like granting superadmins and admins permission to all the things:

namespace App\Policies;

use App\Entities\User;
use App\Libraries\Policies\PolicyInterface;

class ThreadPolicy extends PolicyInterface
{
    public function before(User $user, string $permission): bool|null
    {
        if ($user->inGroup('superadmin', 'admin')) {
            return true;
        }

        return null;
    }
}

Any concerns with this?

[michalsn]

I think it sounds very good. We will just need easy access to the policy instance in the view.

[lonnieezell]

Ah, good point. Hadn't considered that. Thanks!