Ability to define Nova-specific authorization policies

[adamthehutt]

We're using Nova in a multi-tenant application that has existing access policies defined for nearly all models. The rules that make sense in the application's front-end context don't really make sense in the Nova back-end context. It would be helpful if Nova provided a way to override the default access policies with specific ones to be applied only in Nova.

[danrichards]

Have you tried detecting the context in AuthServiceProvider and mounting your policies accordingly?

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [ ... ];

    protected $nova_policies = [ ... ];

    public function boot()
    {
        if (request()->segment(1) == ltrim(config('nova.path'), '/')) {
            $this->registerNovaPolicies();
        } else {
            $this->registerPolicies();
        }
    }

    public function registerNovaPolicies()
    {
        foreach ($this->nova_policies as $key => $value) {
            Gate::policy($key, $value);
        }
    }
}

[adamthehutt]

Thanks. That would work but it's got some code smell to it, IMHO.

[srottem]

This approach doesn't seem to work - the original policies in the $policies member are still loaded.

[danrichards]

@srottem I would check if you have policies being registered elsewhere.

Service providers for third-party packages sometimes register their own. In the Nova context particularly, gates are often registered in ToolServiceProvider for any third-party tools you may have installed.

Additionally, you can debug with dd(\Gate::policies()) and see exactly what is registered at run-time.

In my case, I only register policies when using Nova, otherwise, I don't register any. Good Luck!

[srottem]

The problem is that config('nova.path') only applies to the UI requests - the API calls also need the correct policies applied but they're at 'nova-api'. Making the if statement apply to both appears to work.

[jesseleite]

@srottem I did this to cover both UI and API requests:

/**
 * Register any authentication / authorization services.
 *
 * @return void
 */
public function boot()
{
    if ($this->isNovaEndpoint()) {
        $this->registerNovaPolicies();
    } else {
        $this->registerPolicies();
    }
}

/**
 * Check if the current endpoint is a nova related endpoint.
 *
 * @return bool
 */
private function isNovaEndpoint()
{
    return starts_with(request()->segment(1), ltrim(config('nova.path'), '/'));
}

Maybe Nova will provide a slicker solution to app vs. nova policies in the future, but this works for now.

[mathieutu]

Actually it doesn't work if you changed your nova path.

[mathieutu]

I made it working with a better hack.
Not a real solution, but it works (based on "nova" middleware) 🤷‍♂️.

https://gist.github.com/mathieutu/d742046ca00fad76c78fc3a6334ddadc

[3adeling]

you should check also for 'nova-api' route segment

if('/' . request()->segment(1) == config('nova.path') || request()->segment(1) == 'nova-api') {
            $this->registerNovaPolicies();
} else {
            $this->registerPolicies();
}

[yurii-github]

thanks guys!

my current helper method

    /**
     * Check if the current endpoint is a nova related endpoint.
     *
     * @return bool TRUE if it is Nova, FALSE otherwise
     */
    public static function isNovaEndpoint()
    {
        static $isNovaEnpoint = null;

        if ($isNovaEnpoint !== null) {
            return $isNovaEnpoint;
        }

        // if we've used admin subdomain
        if (Config::get('nova.domain') && Config::get('nova.domain') === Request::getHttpHost()) {
            return $isNovaEnpoint = true;
        }

        // Nova path
        if (Request::segment(1) === Config::get('nova.path')) {
            return $isNovaEnpoint = true;
        }

        // un-documented Nova API calls path!
        if (Request::segment(1) === 'nova-api') {
            return $isNovaEnpoint = true;
        }

        return $isNovaEnpoint = false;
    }

[FrittenKeeZ]

This can be done quite easily with Laravel 5.8 policy resolver.

/**
 * Register any authentication / authorization services.
 *
 * @return void
 */
public function boot()
{
    $namespace = 'App\\Policies\\';
    Nova::serving(function () use (&$namespace) {
        $namespace .= 'Nova\\';
    });
    Gate::guessPolicyNamesUsing(function ($class) use (&$namespace) {
        return $namespace . class_basename($class) . 'Policy';
    });
}

[davidhemphill]

Use the Nova::serving event to register your authorization policies.

[yurii-github]

@davidhemphill
no man, you didn't get the main issue. The main issue is to register ONLY nova policies while having other policies for general app.