Orchid and Laravel Policies

[maatata]

Hi All

I have recently joined Laravel Orchid and I'm using it for my project. I have a question for you guys which would be great if you could help.

If I understand correctly, I can use initial Laravel policies functionality within Orchid only if I use CRUD and do it through Resources.

What I'm wondering is would it be possible to use Laravel policies with Orchid but without CRUD and set it up for screens which are created with Orchid easily as just adding model related policy and it will process the authorization automatically.

I have been trying to achieve this and looks like it doesn't work that way and I have to use Resources and if I use Screens without Resources and CRUD it won't work.

Currently I have a model called Journal and a policy called JournalPolicy

I tried with adding the followings to AuthServiceProvider and both failed and did not function.

protected $policies = [
        'App\Models\Journal' => 'App\Policies\JournalPolicy',
];

protected $policies = [
       Journal::class => JournalPolicy::class,
];

I have attached the model and policy files for you guys to investigate if I have done anything wrong.

Archive.zip

Also the structure of where the files are located are as follow:

/app/Models/Journal.php
/app/Policies/JournalPolicy.php

Thank you all and I hope this can have a solution which would then make my life much easier and I think this is a question for many of users who are using Orchid as I can see it's not well explained in the doc.

[tabuna]

Hi @maatata. The policies are described in the Laravel documentation

You can use them anywhere as described there. Let's take an example from the usage documentation:

namespace App\Http\Controllers;

use App\Http\Controllers\Controller;
use App\Models\Post;
use Illuminate\Http\Request;

class PostController extends Controller
{
    /**
     * Update the given post.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \App\Models\Post  $post
     * @return \Illuminate\Http\Response
     */
    public function update(Request $request, Post $post)
    {
        if ($request->user()->cannot('update', $post)) {
            abort(403);
        }

        // Update the post...
    }
}

We can do the same on the screen in the data request method or another method.

Suppose you say that it would be automatic. Then this only happens when you write controller resources. This is described here https://laravel.com/docs/8.x/authorization#authorizing-resource-controllers, where controller methods are mapped to policy methods. For the CRUD package, we preliminarily specified them ourselves (as well as resource controllers). But the screen and controller are more extensive and versatile, so you need to specify them yourself, as in the first example.

[maatata]

Hi @tabuna

Thank you very much for your prompt reply and I appreciate your explanation.

I'm still facing some difficulties to get the policies working though.
I tried couple of different solutions but all failed.

I have tried the following ways:

1. I added a method like below on the JournalListScreen.php

public function __construct()
    {
        $this->authorizeResource(Journal::class, 'journal');
    }

I was expecting this to check the policy on every request I make to Jounals list page but it doesn't hit JournalPolicy at all.

2. I added middleware on the route like below:

// Platform > Journals > Edit
Route::screen('journals/{journal}/edit', JournalEditScreen::class)
    ->name('platform.journals.edit')
    ->middleware('can:view,journal');
// Platform > Journals > Create
Route::screen('journals/create', JournalEditScreen::class)
    ->name('platform.journals.create')
    ->middleware('can:create,App\Models\Journal');
// Platform > Journals
Route::screen('journals', JournalListScreen::class)
    ->name('platform.journals.list')
    ->middleware('can:viewAny,App\Models\Journal');

and

// Platform > Journals > Edit
Route::screen('journals/{journal}/edit', JournalEditScreen::class)
    ->name('platform.journals.edit')
    ->middleware('can:update,journal');
// Platform > Journals > Create
Route::screen('journals/create', JournalEditScreen::class)
    ->name('platform.journals.create')
    ->middleware('can:create,App\Models\Journal');
// Platform > Journals
Route::screen('journals', JournalListScreen::class)
    ->name('platform.journals.list')
    ->middleware('can:viewAny,App\Models\Journal');

it works correctly then on create and list but it doesn't work on edit page which is supposed to check update or view policy.
when I do that and go to edit a journal it always fail with 403 | THIS ACTION IS UNAUTHORIZED. message while the JournalPolicy is returning true for both view and update methods.

I'm so lost here as looks like there is something wrong with the view and update methods that I'm having issue with. Could you please explain what's the best way to achieve what I'm trying to achieve based on the files I sent you please?

Cos when I follow the documentation and the examples you mentioned here it doesn't work.

I also attached my JournalListScreen.php and JournalEditScreen.php for you here to take a look.
Archive.zip

Thank you very much in advance.

[maatata]

I managed to solve this issue by adding relevant checks and policies to the related method on the screen for each page. I was wishing it could have been easier than adding it all manually but it's what it is.

Thanks again for your help @tabuna