meigwilym/AbilitySeeder.php

## readme.md

      
    Raw
  

              readme.md
            
          
    Bouncer to Check Abilities

The seeder file is how abilities and permissions are applied to roles.
In the policy file I use $user->can() to check if an user has an ability.
Each policy was loaded in a controller with $this->authorizeResource(ClientPolicy::class) in the constructor.
Using this pattern lead to a Maximum function nesting level of '500' reached, aborting! error.
The Fix

Create a BouncerProvider and move all the Bouncer::ownedVia() calls to it's boot() method.
Forget about the Policy files.
At the top of each controller, add a __constructor() which calls $this->authoriseResource(Client::class).
That's right, pass the Client class and not the ClientPolicy. Why does this work? I don't know yet, but it does.

  
## AbilitySeeder.php
<?php

use App\Client;
use App\User;
use App\Site;
use App\Plot;
use App\SalesStatus;
use Silber\Bouncer\BouncerFacade as Bouncer;
use Illuminate\Database\Seeder;

class AbilitySeeder extends Seeder
{
    /**
     * Run the database seeds.
     *
     * @return void
     */
    public function run()
    {
        Bouncer::allow('superadmin')->everything();

        // futurium admins can do everything APART from create superadmins
        Bouncer::allow('futurium-admin')->everything();
        Bouncer::forbid('futurium-admin')->to('make-superadmin', User::class);

        // Clients
        Bouncer::ownedVia(Client::class, function ($client, $user) {
            return $client->id === $user->client->id;
        });
        Bouncer::allow('client-admin')->toOwn(Client::class)->to(['view', 'update']);
        Bouncer::allow('client-user')->to('view', Client::class);

        // Users
        Bouncer::ownedVia(User::class, function ($user, $model) {
            return $user->client->id === $model->client->id;
        });
        Bouncer::allow('client-admin')->toOwn(User::class);

        // Sites
        Bouncer::ownedVia(Site::class, function ($site, $user) {
            return $site->client->id === $user->client->id;
        });
        Bouncer::allow('client-user')->toOwn(Site::class)->to(['view', 'update']);
        Bouncer::allow('client-admin')->toOwn(Site::class);

        // Plots
        Bouncer::ownedVia(Plot::class, function ($plot, $user) {
            return $plot->site->client->id === $user->client->id;
        });
        Bouncer::allow('client-user')->toOwn(Plot::class);
        Bouncer::allow('client-admin')->toOwn(Plot::class);

        // Sales Statuses
        Bouncer::ownedVia(SalesStatus::class, function ($status, $user) {
            return $status->client->id === $user->client->id;
        });
        Bouncer::allow('client-user')->to('view', SalesStatus::class);
        Bouncer::allow('client-admin')->toOwn(SalesStatus::class);
    }
}

## ClientPolicy.php
<?php

namespace App\Policies;

use App\User;
use App\Client;
use Illuminate\Auth\Access\HandlesAuthorization;

class ClientPolicy
{
    use HandlesAuthorization;

    /**
     * Determine whether the user can view any clients.
     *
     * @param  \App\User  $user
     * @return mixed
     */
    public function viewAny(User $user): bool
    {
        return $user->can('view', Client::class);
    }

    /**
     * Determine whether the user can view the client.
     *
     * @param  \App\User  $user
     * @param  \App\Client  $client
     * @return mixed
     */
    public function view(User $user, Client $client): bool
    {
        return $user->can('view', $client);
    }

    /**
     * Determine whether the user can create clients.
     *
     * @param  \App\User  $user
     * @return mixed
     */
    public function create(User $user): bool
    {
        return $user->can('create', Client::class);
    }

    /**
     * Determine whether the user can update the client.
     *
     * @param  \App\User  $user
     * @param  \App\Client  $client
     * @return mixed
     */
    public function update(User $user, Client $client): bool
    {
        return $user->can('update', $client);
    }

    /**
     * Determine whether the user can delete the client.
     *
     * @param  \App\User  $user
     * @param  \App\Client  $client
     * @return mixed
     */
    public function delete(User $user, Client $client): bool
    {
        return $user->can('delete', $client);
    }

    /**
     * Determine whether the user can restore the client.
     *
     * @param  \App\User  $user
     * @param  \App\Client  $client
     * @return mixed
     */
    public function restore(User $user, Client $client): bool
    {
        return $user->can('restore', $client);
    }

    /**
     * Determine whether the user can permanently delete the client.
     *
     * @param  \App\User  $user
     * @param  \App\Client  $client
     * @return mixed
     */
    public function forceDelete(User $user, Client $client): bool
    {
        return $user->can('forceDelete', $client);
    }
}
	<?php

	use App\Client;
	use App\User;
	use App\Site;
	use App\Plot;
	use App\SalesStatus;
	use Silber\Bouncer\BouncerFacade as Bouncer;
	use Illuminate\Database\Seeder;

	class AbilitySeeder extends Seeder
	{
	/**
	* Run the database seeds.
	*
	* @return void
	*/
	public function run()
	{
	Bouncer::allow('superadmin')->everything();

	// futurium admins can do everything APART from create superadmins
	Bouncer::allow('futurium-admin')->everything();
	Bouncer::forbid('futurium-admin')->to('make-superadmin', User::class);

	// Clients
	Bouncer::ownedVia(Client::class, function ($client, $user) {
	return $client->id === $user->client->id;
	});
	Bouncer::allow('client-admin')->toOwn(Client::class)->to(['view', 'update']);
	Bouncer::allow('client-user')->to('view', Client::class);

	// Users
	Bouncer::ownedVia(User::class, function ($user, $model) {
	return $user->client->id === $model->client->id;
	});
	Bouncer::allow('client-admin')->toOwn(User::class);

	// Sites
	Bouncer::ownedVia(Site::class, function ($site, $user) {
	return $site->client->id === $user->client->id;
	});
	Bouncer::allow('client-user')->toOwn(Site::class)->to(['view', 'update']);
	Bouncer::allow('client-admin')->toOwn(Site::class);

	// Plots
	Bouncer::ownedVia(Plot::class, function ($plot, $user) {
	return $plot->site->client->id === $user->client->id;
	});
	Bouncer::allow('client-user')->toOwn(Plot::class);
	Bouncer::allow('client-admin')->toOwn(Plot::class);

	// Sales Statuses
	Bouncer::ownedVia(SalesStatus::class, function ($status, $user) {
	return $status->client->id === $user->client->id;
	});
	Bouncer::allow('client-user')->to('view', SalesStatus::class);
	Bouncer::allow('client-admin')->toOwn(SalesStatus::class);
	}
	}
	<?php

	namespace App\Policies;

	use App\User;
	use App\Client;
	use Illuminate\Auth\Access\HandlesAuthorization;

	class ClientPolicy
	{
	use HandlesAuthorization;

	/**
	* Determine whether the user can view any clients.
	*
	* @param \App\User $user
	* @return mixed
	*/
	public function viewAny(User $user): bool
	{
	return $user->can('view', Client::class);
	}

	/**
	* Determine whether the user can view the client.
	*
	* @param \App\User $user
	* @param \App\Client $client
	* @return mixed
	*/
	public function view(User $user, Client $client): bool
	{
	return $user->can('view', $client);
	}

	/**
	* Determine whether the user can create clients.
	*
	* @param \App\User $user
	* @return mixed
	*/
	public function create(User $user): bool
	{
	return $user->can('create', Client::class);
	}

	/**
	* Determine whether the user can update the client.
	*
	* @param \App\User $user
	* @param \App\Client $client
	* @return mixed
	*/
	public function update(User $user, Client $client): bool
	{
	return $user->can('update', $client);
	}

	/**
	* Determine whether the user can delete the client.
	*
	* @param \App\User $user
	* @param \App\Client $client
	* @return mixed
	*/
	public function delete(User $user, Client $client): bool
	{
	return $user->can('delete', $client);
	}

	/**
	* Determine whether the user can restore the client.
	*
	* @param \App\User $user
	* @param \App\Client $client
	* @return mixed
	*/
	public function restore(User $user, Client $client): bool
	{
	return $user->can('restore', $client);
	}

	/**
	* Determine whether the user can permanently delete the client.
	*
	* @param \App\User $user
	* @param \App\Client $client
	* @return mixed
	*/
	public function forceDelete(User $user, Client $client): bool
	{
	return $user->can('forceDelete', $client);
	}
	}