Customising Authorisation

Textstem's role and permission system can be extended so that specific authorisation rules apply to specific models, actions or events on model instances. For example, you may have a site with an editor role that has permission to edit pages. However, you wish to limit the editor's abilities so that an editor can only manage certain pages (such as those tagged a certain way). To do this, we create a class in the \App\Domain\Admin\Auth\ directory like this:

<?php

namespace App\Domain\Admin\Auth;

use Illuminate\Support\Str;
use Medialight\Textstem\Models\User;
use Medialight\Textstem\Models\WranglerPage as WranglerPageModel;

class WranglerPage
{

    public function allowed(User $user, WranglerPageModel $model, $action = '')
    {
        // Return true if the user is allowed to perform $action
        // on this specific page model.
        return $user->responsibilities($model->category);
    }
}

Note - the default WranglerPagePolicy checks the permission and, if there is a class in the App directory to use, checks whether the action on that specific model is allowed.

public function update(User $user, WranglerPage $model): bool
{
	return $user->hasPermissionTo('update wranglerpages') 
		&& $this->checkModelAccess($user, $model, 'update');
}

It is also possible to filter lists in the admin system according to the user's role. This is achieved using a 'scopes' method in this class:

<?php

namespace App\Domain\Admin\Auth;

use Medialight\Textstem\Models\User;
use Medialight\Textstem\Models\WranglerPage as WranglerPageModel;

class WranglerPage
{

    public function allowed(User $user, WranglerPageModel $model, $action = '')
    {
        // ... (as in the previous example)
    }

    public function scopes(&$query, $user = null)
    {
        if (!$user)
        {
            $user = auth()->user();
        }
        // Region the user is responsible for; used as a URL prefix below.
        $region = $user->regionOfResp();
        $query->orWhere('url', 'LIKE', "/$region%");
    }
}
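
The prefix pattern "/$region%" used in scopes() above also matches sibling prefixes (a region of north matches /northwest/...) and matches every URL when the region is empty. The following added example (not Textstem's own code; the function names are hypothetical, and it assumes PHP 8 and a database whose LIKE escape character is the backslash, as in MySQL and PostgreSQL by default) shows a segment-bounded match that gives the same answer for the list filter and for the per-page check in allowed():

```php
<?php
// Added example, not Textstem code; all function names are hypothetical. Requires PHP 8.

// Reduce a region value to one URL path segment; null means "no usable region".
function regionSegment(?string $region): ?string
{
    $region = trim((string) $region, "/ \t\r\n");
    // An empty region would turn "/$region%" into "/%", which matches every URL.
    if ($region === '' || str_contains($region, '/')) {
        return null;
    }
    return $region;
}

// Values for the list filter: exact match on "/north" plus a LIKE pattern that
// stops at the segment boundary, with LIKE metacharacters escaped by backslash.
function regionUrlConstraint(string $segment): array
{
    $escaped = strtr($segment, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    return ['exact' => "/$segment", 'like' => "/$escaped/%"];
}

// Per-page decision that agrees with the list filter; fails closed without a region.
function urlInRegion(string $url, ?string $region): bool
{
    $segment = regionSegment($region);
    if ($segment === null) {
        return false;
    }
    return $url === "/$segment" || str_starts_with($url, "/$segment/");
}

// Constructed sample URLs: only the first two belong to region "north".
foreach (['/north', '/north/news', '/northwest/news', '/south/about'] as $url) {
    printf("%-16s %s\n", $url, urlInRegion($url, 'north') ? 'allowed' : 'denied');
}
printf("empty region:    %s\n", urlInRegion('/south/about', '') ? 'allowed' : 'denied');
print_r(regionUrlConstraint('north_1'));
```

In scopes(), the two values would be applied inside one grouped condition, for example a where() closure containing where('url', $c['exact']) and orWhere('url', 'LIKE', $c['like']), so that the OR stays inside the region constraint and cannot widen other conditions on the query.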