Get Model Where User Has PermissionX

[SMPEJake]

Hello!

I am probably missing something simple here but is there a way i can use a users role or ability as a where clause on an eloquent query?

Thanks!

[lrljoe]

Couple of relatively easy options, depends on how you're using this.

If you're using a mix of roles and direct abilities, then use getAbilities() and filter on the model you're wanting to look at. Then add the role's abilities in.

You can either trust it or filter it further through an each() loop.

Or if you're using scopes then that's a little easier.

Or if you're using the Owns approach then you should already have the approach for that. May be the easiest solution for you?

[timyourivh]

I do something similar to this in a scope:

// Example to filter entities I'm allowed to "view":
$user = Auth::user(); // Currently logged in user (could be any user with roles and permissions).
$abilities = $user->getAbilities() // Get all the abilities (including the ones inherited from roles).
                ->where('entity_type', get_class(Entity::class)) // Filter permissions that concern this model.
                ->where('name', 'view') // Filter specific permission.
                ->pluck('id'); // Get all ID's of the resulting entities.

Entity::whereIn('id', $abilities)->get(); // Expected output: Enities where user has permissions to "view".

For anyone interested here's my scope:

My scope method

---

Run php artisan make:scope PermissionScope and add this to it:

<?php
namespace App\Models\Scopes;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
use Illuminate\Support\Facades\Auth;

class PermissionScope implements Scope
{
  /**
   * Apply the scope to a given Eloquent query builder.
   */
  public function apply(Builder $builder, Model $model): void
  {
      if (Auth::hasUser()) {
          // Exclude forbidden items.
          $builder->whereNotIn('id', Auth::user()->getForbiddenAbilities()->where('entity_type', get_class($model))->pluck('entity_id'));

          // Filter explicit allowed items.
          $allowed = Auth::user()->getAbilities()->where('entity_type', get_class($model));
          if ($allowed->whereNotNull('entity_id')->isNotEmpty() && $allowed->where('name', '*')->whereNull('entity_id')->isEmpty()) {
              $builder->whereIn('id', $allowed->pluck('entity_id'));
          }
      }
  }
}

What this scope does:

• Filters out forbidden records
• Filters out records when user is allowed to "viewAny" but only "view" specific records

I then put it in a trait:

1. Create a file app\Concerns\FilterAllowed.php
2. Add this to the file:

<?php

namespace App\Concerns;

use App\Models\Scopes\PermissionScope;

trait FilterAllowed {
  /**
   * Boot the filter allowed trait for a model.
   */
  public static function bootFilterAllowed(): void
  {
      static::addGlobalScope(new PermissionScope);
  }
}

3. Add trait to model to make use of it:

use App\Concerns\FilterAllowed;

class Entity extends Model
{
    use FilterAllowed;
}

Now, whenever I want the records automatically to be filtered I just add the trait to the model.

[EriBloo]

I have something similiar to @timyourivh in my app:

/**
 * Class PermissionConstrained
 *
 * Implements the Scope interface to apply permission constraints to a given Eloquent query builder.
 */
class PermissionConstrained implements Scope
{
    /**
     * Apply the scope to a given Eloquent query builder.
     *
     * @param  Builder  $builder The Eloquent query builder instance.
     * @param  Model&IsPermissionConstrained  $model The model instance to which the scope is applied.
     */
    public function apply(Builder $builder, Model $model): void
    {
        // If checkPermissions is not true or the user is a guest,
        // return without applying the scope.
        if (! $model::$checkPermissions || auth()->guest()) {
            return;
        }

        // Get the permissions that the authenticated user is forbidden from viewing.
        $forbidden = $this->getPermissions($model, false);

        // If the user is forbidden from viewing all records of this model,
        // return an empty result set.
        if ($forbidden->contains(fn (Ability $ability) => $ability->entity_id === null)) {
            $builder->where($model->getKeyName(), null);

            return;
        }

        // Get the permissions that the authenticated user is allowed to view.
        $allowed = $this->getPermissions($model);

        // If the user is allowed to view all records of this model, return without applying the scope.
        if ($allowed->contains(fn (Ability $ability) => $ability->entity_id === null)) {
            return;
        }

        // Apply the scope to the query builder.
        $builder->whereIn("{$model->getTable()}.{$model->getKeyName()}", $allowed->pluck('entity_id')->toArray());
        $builder->whereNotIn("{$model->getTable()}.{$model->getKeyName()}", $forbidden->pluck('entity_id')->toArray());
    }

    /**
     * Extend the query builder with the scope.
     *
     * @param  Builder  $builder The query builder instance.
     */
    public function extend(Builder $builder): void
    {
        $builder->macro('ignorePermissions', function (Builder $builder): Builder {
            return $builder->withoutGlobalScope($this);
        });
    }

    /**
     * Get the permissions for the given model and allowed flag.
     *
     * @param  Model  $model The model instance for which to get the permissions.
     * @param  bool  $allowed The flag indicating whether to get allowed or forbidden permissions.
     * @return Collection The collection of permissions.
     */
    private function getPermissions(Model $model, bool $allowed = true): Collection
    {
        return Cache::driver('array')->sear(
            $this->getCacheKey($model, $allowed),
            function () use ($model, $allowed) {
                return auth()->user()?->{$allowed ? 'getAbilities' : 'getForbiddenAbilities'}()
                    ->whereIn('name', ['*', 'view'])
                    ->whereIn('entity_type', ['*', $model::class]);
            }
        );
    }

    /**
     * Get the cache key for the given model and allowed flag.
     *
     * @param  Model  $model The model instance for which to get the cache key.
     * @param  bool  $allowed The flag indicating whether to include the allowed or forbidden permissions in the cache key.
     * @return string The cache key for the model and allowed flag.
     */
    private function getCacheKey(Model $model, bool $allowed = true): string
    {
        return implode(':', ['permissions', $model->getMorphClass(), $allowed ? 'a' : 'f']);
    }

and trait:

trait IsPermissionConstrained
{
   public static bool $checkPermissions = true;

   public static function bootIsPermissionConstrained(): void
   {
       self::addGlobalScope(new PermissionConstrained);
   }

   public static function withoutPermissions(Closure $closure): void
   {
       self::$checkPermissions = false;
       $closure();
       self::$checkPermissions = true;
   }
}

I have 2 ways to disable permissions. First is ignorePermissions() method - this will disable the scope only for current query. The other is $checkPermissions static variable. The idea is that I have this trait connected to base model that all other models extend from, and when I set Model::checkPermissions = false all queries (including relations) will ignore permissions. There is also helper withoutPermissions method to execute queries closure ignoring permissions.

Scope caches all permissions in array driver - so only for current request (might not work with Octane). This speeds up abilities retrieval greatly with many permissions.