Set access for each item

Seems like there is no option for setting access for each item individually.

For example, I wanted to limit updating/editing/deleting access to the user who has created the post (or to users that have certain permissions).

I implemented backend verification like this:

public function update(UpdateRequest $request)
{
    $this->denyIfNotParent($request->get('id'));
    //...
}

public function edit($id)
{
    $this->denyIfNotParent($id);

    return parent::edit($id);
}

public function destroy($id)
{
    $this->denyIfNotParent($id);

    return parent::destroy($id);
}

public function denyIfNotParent($id)
{
    if (accessLogicHere()) {
        abort(403);
    }
}

But I couldn’t hide buttons (Edit, Delete).

Any suggestions?

Thanks.

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 21 (14 by maintainers)

Top GitHub Comments

5 reactions
aula2030 commented, Aug 11, 2020

Hi! I was looking for the same behaviour. In version 4.1, I had to do:

  1. I’m NOT denying access to all.
  2. Overwrite button view and add condition to show/hide.
  3. Overwrite edit() and update() functions to check/allow/deny access:

use \Backpack\CRUD\app\Http\Controllers\Operations\UpdateOperation {
    edit as protected editTrait;
    update as protected updateTrait;
}

....
protected function edit($id)
{
    $element = $this->crud->getEntry($id);
    if (condition) {
        $this->crud->allowAccess('update');
    } else {
        $this->crud->denyAccess('update');
    }
    return $this->editTrait($id);
}

protected function update()
{
    $element = $this->crud->getEntry($this->crud->getRequest()->request->get('id'));
    if (condition) {
        $this->crud->allowAccess('update');
    } else {
        $this->crud->denyAccess('update');
    }
    return $this->updateTrait();
}

Denying to all and allowing just when condition is true was not working. Sorry, my knowledge of the package is not so deep yet to explain why 😃

Regards!

4 reactions
Librasulus commented, Feb 27, 2019

I managed permission for each record by doing the following steps:

  1. Restricting access to edit records for all users except administrator by adding to the setup method of the task controller:

     $this->crud->denyAccess('update');
     if (auth()->user()->hasRole('admin')) {
         $this->crud->allowAccess('update');
     }

  2. Opening access to the owner of the record by overriding the edit and update methods:

     public function edit($id)
     {
         $task = $this->crud->getEntry($id);
         if (auth()->id() == $task->owner->id) {
             $this->crud->allowAccess('update');
         }
         return parent::edit($id);
     }

     public function update(UpdateRequest $request)
     {
         $task = $this->crud->getEntry($request->id);
         if (auth()->id() == $task->owner->id) {
             $this->crud->allowAccess('update');
         }
         $redirect_location = parent::updateCrud($request);

         return $redirect_location;
     }

  3. Adding a permission check on the edit button (update.blade.php) for the owner:

     @if (auth()->user()->id==$entry->owner->id || $crud->hasAccess('update'))
         @if (!$crud->model->translationEnabled())
         <!-- Single edit button -->
         <a href="{{ url($crud->route.'/'.$entry->getKey().'/edit') }}" class="btn btn-xs btn-default"><i class="fa fa-edit"></i> {{ trans('backpack::crud.edit') }}</a>
     ...

In this way only the records of the logged user have an edit button, unless the user has the appropriate permissions. Also the routes are protected.
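A single fail-closed ownership check reused by edit, update and destroy, so that hiding the buttons is never the only control and the delete route is guarded too. This is an added example, not code from the issue or from Backpack itself; it assumes Backpack 4.1 operation traits, a hypothetical `App\Models\Task` model with an `owner_id` column, and a `hasRole()` method on the user as in the answer above.

```php
<?php

namespace App\Http\Controllers\Admin;

use Backpack\CRUD\app\Http\Controllers\CrudController;

class TaskCrudController extends CrudController
{
    use \Backpack\CRUD\app\Http\Controllers\Operations\ListOperation;
    use \Backpack\CRUD\app\Http\Controllers\Operations\UpdateOperation {
        edit as protected editTrait;
        update as protected updateTrait;
    }
    use \Backpack\CRUD\app\Http\Controllers\Operations\DeleteOperation {
        destroy as protected destroyTrait;
    }

    public function setup()
    {
        $this->crud->setModel(\App\Models\Task::class); // hypothetical model
        $this->crud->setRoute(config('backpack.base.route_prefix') . '/task');
        $this->crud->setEntityNameStrings('task', 'tasks');
    }

    // One decision point for every per-record operation: the request is
    // rejected unless the user owns the record or holds the admin role.
    protected function authorizeEntry($id): void
    {
        $user  = auth()->user();
        $entry = $this->crud->getEntry($id);
        // owner_id is an assumed column name; compare as integers.
        $isOwner = $user !== null && (int) $entry->owner_id === (int) $user->getKey();
        $isAdmin = $user !== null && $user->hasRole('admin');
        if (! $isOwner && ! $isAdmin) {
            abort(403);
        }
    }

    public function edit($id)
    {
        $this->authorizeEntry($id);
        return $this->editTrait($id);
    }

    public function update()
    {
        // Check the id submitted with the form, read as in the answer above.
        $this->authorizeEntry($this->crud->getRequest()->request->get('id'));
        return $this->updateTrait();
    }

    public function destroy($id)
    {
        $this->authorizeEntry($id);
        return $this->destroyTrait($id);
    }
}
```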
