I'm trying to have access level control through policy in my Laravel 5.6 application. I have a Subscriber model and a Company model. Subscribers are only given access to a Company by their office locations according to states/regions, i.e. a subscriber can view the details of the office if it belongs to the region assigned to them. For this I have these models:
Subscriber
    class Subscriber extends Model {
        //Fillables and basic attributes being assigned
        public function stateIncludeRelation()
        {
            return $this->belongsToMany('Models\State', 'subscriber_states',
                'subscriber_id', 'state_id');
        }

        public function user()
        {
            return $this->belongsTo('Models\User', 'user_id', 'id');
        }
    }
Company
    class Company extends Model {
        //Fillables and basic attributes being assigned
        public function offices()
        {
            return $this->hasMany('Models\Company\Office', 'company_id');
        }
    }
Then for Office:

    class Office extends Model {
        //Fillables and basic attributes being assigned
        public function company()
        {
            return $this->belongsTo('Models\Company', 'company_id', 'id');
        }
    }
And a common State table:
    class State extends Model {
        //Fillables and basic attributes being assigned
        public function subscriberAccess()
        {
            return $this->belongsToMany('Models\Subscriber',
                'subscriber_states_included_relation',
                'state_id', 'subscriber_id');
        }

        public function companyOffice()
        {
            return $this->hasOne('Models\Company\Office', 'state', 'id');
        }
    }
I created a CompanyPolicy something like this:
    class CompanyPolicy
    {
        use HandlesAuthorization;

        /**
         * Determine whether the user can view the company.
         *
         * @param User $user
         * @param Company $company
         * @return mixed
         */
        public function view(User $user, Company $company)
        {
            //Finding subscriber/user state
            $userState = State::whereHas('subscriberAccess', function ($q) use ($user) {
                $q->whereHas('user', function ($q) use ($user) {
                    $q->where('email', $user->email);
                });
            })->get()->pluck('name');

            //Finding company state
            $companyState = State::whereHas('companyOffice', function ($q) use ($company) {
                $q->whereHas('company', function ($q) use ($company) {
                    $q->where('slug', $company->slug);
                });
            })->get()->pluck('name');

            //Grant access only when the two state lists overlap
            if ($userState->intersect($companyState)->all())
                return true;
            else
                return false;
        }
    }
And registered this in AuthServiceProvider:

    protected $policies = [
        'App\Model' => 'App\Policies\ModelPolicy',
        'Models\User' => 'Policies\CompanyPolicy',
    ];
While trying to fetch something like this in my controller:

    public function companyGeneral(Request $request)
    {
        $user = Auth::user();
        $company = Company::where('slug', $request->slug)
            ->with('offices')
            ->get()->first();

        if ($user->can('view', $company))
            return response()->json(['data' => $company], 200);
        else
            return response()->json(['data' => 'Unauthorised'], 403);
    }

Every time I am getting an Unauthorised response. Guide me on this. Thanks
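As an added example (not the asker's code) of how a Laravel policy is wired for the models above: the Gate resolves the policy from the class of the model passed to `can()`, so the `$policies` map must be keyed by `Models\Company`, and the check can compare state ids through the relations instead of matching names via email and slug. It assumes a `User` hasOne `Subscriber` relation named `subscriber`, a `states` table, and that `offices.state` holds an office's state id (all assumptions, not on the page).

```php
<?php
// Added example, not the asker's code. The three pieces below would normally
// live in separate files; they are shown together for readability.
// Assumptions: $user->subscriber (hasOne), table `states`, column `offices.state`.

use Illuminate\Auth\Access\HandlesAuthorization;
use Illuminate\Http\Request;
use Models\Company;
use Models\User;

// app/Providers/AuthServiceProvider.php
// The Gate looks up a policy by the class of the model handed to can(),
// so the entry is keyed by Company, not User.
//
//     protected $policies = [
//         Company::class => CompanyPolicy::class,
//     ];

class CompanyPolicy
{
    use HandlesAuthorization;

    // Allow only when at least one of the company's offices lies in a state
    // assigned to this user's subscriber record. Deny by default.
    public function view(User $user, Company $company)
    {
        $subscriber = $user->subscriber;
        if ($subscriber === null) {
            return false; // no subscriber record: nothing is visible
        }

        // ids of the states assigned through the subscriber_states pivot
        $stateIds = $subscriber->stateIncludeRelation()->pluck('states.id');
        if ($stateIds->isEmpty()) {
            return false; // no regions assigned: skip the query and deny
        }

        return $company->offices()->whereIn('state', $stateIds)->exists();
    }
}

class CompanyController extends \App\Http\Controllers\Controller
{
    public function companyGeneral(Request $request)
    {
        $company = Company::where('slug', $request->slug)->with('offices')->firstOrFail();

        // Throws AuthorizationException (rendered as 403) when the policy denies.
        $this->authorize('view', $company);

        return response()->json(['data' => $company], 200);
    }
}
```

With the map keyed by `Company`, `$user->can('view', $company)` in the original controller would reach this policy as well; `firstOrFail` additionally avoids passing `null` to the Gate when the slug does not exist.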