viewAny = false policy overrides view

[bilogic]

Package

Table builder

Package Version

3.2.86

How can we help you?

I like my users to be able to update their own user info, but not allowed to view/update other users. Is there a way to achieve using policy alone?

1. When viewAny = false, view and update both won't work (view+update depends on viewAny)
2. If viewAny is meant to refer to index, why does it affect the view and update pages?
3. By the same logic, if we cannot view, why should we be allowed to update? (update does not depend on view)
4. In practice, this is view = false, viewAny = true and update = true, which leaves update enabled
5. I think it is better that these permissions (can/can't load) have no interdependence

[leandrocfe]

You could use Laravel Scopes to show records by user

public function apply(Builder $builder, Model $model): void
{
    $user = auth()->user();
    $builder->whereUserId($user->id);
}

[bilogic]

My scopes are normally in the model's boot(). Which class should I apply this? thanks

[leandrocfe]

You can create scopes: php artisan make:scope YourScope
And use it in your model

#[ScopedBy(YourScope::class)]
class YourModel extends Model
{
...
}

[bilogic]

oh, you meant a scope in a class of its own, ok got it thanks

Side note what I don't like about using scopes is that it scatters the ACL logic into multiple files, i.e. new developer is unaware of the existence of an ACL scope when reading the policy file.

[leandrocfe]

If you don't want to use scopes
https://filamentphp.com/docs/3.x/panels/resources/getting-started#customizing-the-resource-eloquent-query

[bilogic]

Haha, thanks, but it is the same situation, logic scattering, nevermind I will work with what there is

[kimselius]

This actually sucks and makes no sense at all..

There is no possibility to show a single record or make a user update a single record without allowing them to view a listing of all records?

Filters (globally) will work fine if you can scope them to some parameter in the Model or relationship, but if you use records where you don't have this type of scoping it's not possible.

1. Why does viewAny block access to everything? Makes no sense.
2. Why is it not possible to override the access of the listing page except viewAny?
3. It's not possible to remove the listing resource? Everything depends on the index route to be registered?

[dharen008]

I'm facing the same issue. I have two panels: an admin panel and a client panel. Client registration happens in the admin panel, while in the client panel, they can only view their own profile page. I've already configured both panel providers, and there's nothing wrong with those files. The problem is that viewAny is overriding the view permission when it shouldn't. If viewAny overrides everything, what's the point of having separate permissions?

class CompanyPolicy
{
	/**
	 * Determine whether the user can view any models.
	 */
	public function viewAny( User|Company $user ): bool
	{
		if ( $user instanceof User ) {
			return $user->greaterThanAdmin();
		}

                // Logic for Company
		return false;
	}

	/**
	 * Determine whether the user can view the model.
	 */
	public function view( User|Company $user, Company $company ): bool
	{
		if ( $user instanceof User ) {
			return $user->greaterThanAdmin();
		}

                // Logic for Company
		return $user instanceof Company && $user->id === $company->id;
	}
}