I'm trying to establish an authorization system in my Laravel 7 application via roles, permissions and policies. So far I could establish authorization for basic operations such as all the CRUD process of a model.
For example, [POST] /roles:

    public function store(RoleRequest $request)
    {
        $this->authorize('create', Role::class);
        $validated = $request->validated();
        $role = new Role();
        $role->name = $validated['name'];
        $role->label = $validated['label'];
        $role->description = $validated['description'];
        $role->save();
        return new RoleResource($role);
    }

The problem is there are models with relationships, and methods in controllers that simply sync these relationships, and I don't think this matches any of the CRUD operations.
For example, [POST] /roles/{role}/add-permission:

    public function assignPermission(Request $request, Role $role)
    {
        $validated = $request->validate([
            'permissions' => 'required|array',
            'permissions.*' => 'exists:permissions,id'
        ]);
        $role->permissions()->sync($validated['permissions']);
        return response()->json([
            'message' => 'Permissions assigned correctly',
            'code' => 200
        ], 200);
    }

What Policy method should I use for this case? Should I create a specific policy method for this operation?
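
An added example, not part of the original post: Laravel policy abilities are not restricted to the CRUD names, so the sync endpoint shown above can be guarded by a policy method of its own. The `App\` model namespace, the `User::roles()` relation, the `name` column on permissions and the `manage-role-permissions` permission name are assumptions.

```php
<?php
// Added example, not the poster's code. Assumed: models live in App\,
// User has a roles() relation, Permission has a `name` column, and
// RolePolicy is registered for Role in AuthServiceProvider.
namespace App\Policies {

    use App\Role;
    use App\User;

    class RolePolicy
    {
        // Any method name can be a policy ability, not only the CRUD ones.
        public function assignPermission(User $user, Role $role, array $permissionIds)
        {
            // All permissions the acting user holds through their roles.
            $held = $user->roles->pluck('permissions')->collapse();

            // 'manage-role-permissions' is a hypothetical permission name.
            if (! $held->contains('name', 'manage-role-permissions')) {
                return false;
            }
            // Escalation guard: only permissions the acting user already
            // holds may be synced onto a role.
            return empty(array_diff($permissionIds, $held->pluck('id')->all()));
        }
    }
}

namespace App\Http\Controllers {

    use App\Role;
    use Illuminate\Http\Request;

    class RoleController extends Controller
    {
        public function assignPermission(Request $request, Role $role)
        {
            $validated = $request->validate([
                'permissions' => 'required|array',
                'permissions.*' => 'exists:permissions,id',
            ]);
            // Extra array items are passed to the policy method as arguments.
            $this->authorize('assignPermission', [$role, $validated['permissions']]);
            $role->permissions()->sync($validated['permissions']);

            return response()->json(['message' => 'Permissions assigned correctly', 'code' => 200], 200);
        }
    }
}
```

A denied check makes `authorize()` throw an `AuthorizationException`, which Laravel renders as a 403 response before `sync()` runs.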