Laravel-permission: How to check if the user can edit his own posts?

Created on 30 Sep 2017 · 4 comments · Source: spatie/laravel-permission

Hi. I'm currently trying to check if the user can edit his own posts but I cannot figure it out. I have a "global" permission to check if the user can edit any post but that is not applicable. Thanks.

All 4 comments

This package only provides information related to roles and permissions.

If you want to check whether a certain user is the author/owner of a post or other model, you do that with your own code.

For an example using a Content Policy see: https://github.com/spatie/laravel-permission/issues/471

I've also seen it done in the controller, albeit rather verbose:

public function update(Request $request, Post $post)
{
    // Deny unless the user is the author OR holds the global "edit posts" permission
    // (both conditions must fail for the request to be rejected).
    if ($post->author !== auth()->user()->id && auth()->user()->cannot('edit posts')) {
        abort(404); // or some other
    }
}

similarly in blade, also verbose:

@if(auth()->user()->can('edit posts') || $post->author === auth()->user()->id)
  {{-- show Edit button/form --}}
@endif

Thanks for the reply. It would seem that is the most suitable approach here.

To be clear:

There are 2 steps involved in the examples provided above:

  1. Check whether the current user has the specified role/permission, and
  2. Check any other model-specific permissions ... such as "they are the author of the post" (user id matches author id, for example).

Wrapping those into bespoke if statements in various places may be sufficient, but as your application grows, or to control things with broader granularity, using model-specific policies will encapsulate things better. Particularly if you're using RESTful controller methods.

Similarly, for controlling permissions around "editing users", you'd want to both a) check whether they "are" the current user ($user->id == auth()->user()->id) (to let them edit their own profile), and probably also an "or" test of b) whether they have an "edit users" permission (such as admins/managers).
Doing this with a Policy will allow simpler Blade directives:
@can('update', $user)

More info about policies in the Laravel docs.

FWIW I set up a basic example of using a Policy to control authorization actions on a Post model, which leverages both the basic "I own the post so I can edit/update/delete it" and also an Admin role which has permissions to override in cases where the admin isn't also the owner of the post.

Code is here: https://github.com/drbyte/spatie-permissions-demo/pull/2/files
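As an added example (not code from the thread, the linked demo, or the spatie package): the two-step check described above expressed as Laravel policies, covering both the Post case and the "editing users" case. It assumes a posts.user_id column holding the author's id, the permission names "edit posts" and "edit users" from the thread, and an assumed "delete posts" permission.

```php
<?php
// Added example (not from the thread or the spatie package): two policies
// that combine the thread's two checks. Assumed: posts.user_id holds the
// author's id; "edit posts" and "edit users" are the permission names used
// in the thread, and "delete posts" is an assumed extra permission.

namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Step 2 (ownership) first, then step 1 (package-managed permission).
    public function update(User $user, Post $post): bool
    {
        if ($this->owns($user, $post)) {
            return true;
        }

        // spatie/laravel-permission hooks Gate::before, so can() also
        // resolves permissions granted through roles such as Admin.
        return $user->can('edit posts');
    }

    public function delete(User $user, Post $post): bool
    {
        return $this->owns($user, $post) || $user->can('delete posts');
    }

    // Compare ids as ints so a string id from the DB driver cannot make
    // a strict comparison fail (and silently deny the real author).
    private function owns(User $user, Post $post): bool
    {
        return (int) $post->user_id === (int) $user->id;
    }
}

class UserPolicy
{
    // Own profile, or any profile for holders of "edit users".
    public function update(User $actor, User $target): bool
    {
        return (int) $actor->id === (int) $target->id || $actor->can('edit users');
    }
}

// Register both in AuthServiceProvider::$policies (Post::class => PostPolicy::class,
// User::class => UserPolicy::class), then call $this->authorize('update', $post) in the
// controller (403 on failure) and use @can('update', $post) ... @endcan in Blade.
```

In a real project each policy lives in its own file; they are shown together here only to keep the example in one block.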
