Lomkit
diff --git a/‎src/Concerns/Authorizable.php
Lines changed: 149 additions & 5 deletions b/‎src/Concerns/Authorizable.php
Lines changed: 149 additions & 5 deletions
diff --git a/‎src/Relations/BelongsTo.php
Lines changed: 15 additions & 2 deletions b/‎src/Relations/BelongsTo.php
Lines changed: 15 additions & 2 deletions
diff --git a/‎src/Relations/BelongsToMany.php
Lines changed: 36 additions & 10 deletions b/‎src/Relations/BelongsToMany.php
Lines changed: 36 additions & 10 deletions
diff --git a/‎src/Relations/HasMany.php
Lines changed: 12 additions & 1 deletion b/‎src/Relations/HasMany.php
Lines changed: 12 additions & 1 deletion
diff --git a/‎src/Relations/HasOne.php
Lines changed: 12 additions & 1 deletion b/‎src/Relations/HasOne.php
Lines changed: 12 additions & 1 deletion
diff --git a/‎src/Relations/HasOneOfMany.php
Lines changed: 12 additions & 1 deletion b/‎src/Relations/HasOneOfMany.php
Lines changed: 12 additions & 1 deletion
diff --git a/‎src/Relations/MorphMany.php
Lines changed: 12 additions & 1 deletion b/‎src/Relations/MorphMany.php
Lines changed: 12 additions & 1 deletion
diff --git a/‎src/Relations/MorphOne.php
Lines changed: 13 additions & 2 deletions b/‎src/Relations/MorphOne.php
Lines changed: 13 additions & 2 deletions
@@ -14,8 +14,8 @@ trait Authorizable
     /**
      * Determine if the current user has a given ability.
      *
-     * @param \Illuminate\Http\Request $request
-     * @param string                   $ability
+     * @param string       $ability
+     * @param Model|string $model
      *
      * @throws \Illuminate\Auth\Access\AuthorizationException
      *
@@ -53,10 +53,10 @@ public function authorizeTo($ability, $model)
     }
 
     /**
-     * Determine if the current user can view the given resource.
+     * Determine if the current user can perform an ability on the given model.
      *
-     * @param \Illuminate\Http\Request $request
-     * @param string                   $ability
+     * @param string       $ability
+     * @param Model|string $model
      *
      * @return bool
      */
@@ -88,4 +88,148 @@ public function authorizedTo($ability, $model)
 
         return true;
     }
+
+    /**
+     * Determine if the current user has a given ability.
+     *
+     * @param string $ability
+     *                        * @param Model $model
+     *                        * @param string $toActionModel
+     *
+     * @throws \Illuminate\Auth\Access\AuthorizationException
+     *
+     * @return void
+     */
+    public function authorizeToPerformActionOnRelationship($ability, $model, $toActionModel)
+    {
+        $gate = Gate::getPolicyFor($model);
+        $method = $ability.class_basename($toActionModel);
+
+        if (!is_null($gate) && method_exists($gate, $method) && $this->isAuthorizingEnabled()) {
+            $resolver = function () use ($method, $gate, $model, $toActionModel) {
+                return !is_null($gate) && method_exists($gate, $method)
+                    ? Gate::authorize($method, [$model, $toActionModel])
+                    : true;
+            };
+
+            if ($this->isAuthorizationCacheEnabled()) {
+                $gatePasses = Cache::remember(
+                    $this->getAuthorizationCacheKey(
+                        app(RestRequest::class),
+                        sprintf(
+                            '%s.%s.%s.%s.%s',
+                            $ability,
+                            $model instanceof Model ? Str::snake((new \ReflectionClass($model))->getShortName()) : $model,
+                            $model instanceof Model ? $model->getKey() : null,
+                            $toActionModel instanceof Model ? Str::snake((new \ReflectionClass($toActionModel))->getShortName()) : $toActionModel,
+                            $toActionModel instanceof Model ? $toActionModel->getKey() : null,
+                        )
+                    ),
+                    $this->cacheAuthorizationFor(),
+                    $resolver
+                );
+            } else {
+                $gatePasses = $resolver();
+            }
+
+            if (!$gatePasses) {
+                Response::deny()->authorize();
+            }
+        }
+    }
+
+    /**
+     * Determine if the current user can perform an ability on the given model.
+     *
+     * @param string $ability
+     * @param Model  $model
+     * @param string $toActionModel
+     *
+     * @return bool
+     */
+    public function authorizedToPerformActionOnRelationship($ability, $model, $toActionModel)
+    {
+        $gate = Gate::getPolicyFor($model);
+        $method = $ability.class_basename($toActionModel);
+
+        if (!is_null($gate) && method_exists($gate, $method) && $this->isAuthorizingEnabled()) {
+            $resolver = function () use ($method, $toActionModel, $model) {
+                return Gate::check($method, [$model, $toActionModel]);
+            };
+
+            if ($this->isAuthorizationCacheEnabled()) {
+                return Cache::remember(
+                    $this->getAuthorizationCacheKey(
+                        app(RestRequest::class),
+                        sprintf(
+                            '%s.%s.%s.%s.%s',
+                            $ability,
+                            $model instanceof Model ? Str::snake((new \ReflectionClass($model))->getShortName()) : $model,
+                            $model instanceof Model ? $model->getKey() : null,
+                            $toActionModel instanceof Model ? Str::snake((new \ReflectionClass($toActionModel))->getShortName()) : $toActionModel,
+                            $toActionModel instanceof Model ? $toActionModel->getKey() : null,
+                        )
+                    ),
+                    $this->cacheAuthorizationFor(),
+                    $resolver
+                );
+            }
+
+            return $resolver();
+        }
+
+        return true;
+    }
+
+    /**
+     * Determine if the user can attach models of the given type to the base model.
+     *
+     * @param \Illuminate\Database\Eloquent\Model|string $model
+     * @param \Illuminate\Database\Eloquent\Model|string $toAttachModel
+     *
+     * @return bool
+     */
+    public function authorizedToAttach($model, $toAttachModel)
+    {
+        return $this->authorizedToPerformActionOnRelationship('attach', $model, $toAttachModel);
+    }
+
+    /**
+     * Determine if the user can attach models of the given type to the base model.
+     *
+     * @param \Illuminate\Database\Eloquent\Model|string $model
+     * @param \Illuminate\Database\Eloquent\Model|string $toAttachModel
+     *
+     * @return void
+     */
+    public function authorizeToAttach($model, $toAttachModel)
+    {
+        $this->authorizeToPerformActionOnRelationship('attach', $model, $toAttachModel);
+    }
+
+    /**
+     * Determine if the user can detach models of the given type to the base model.
+     *
+     * @param \Illuminate\Database\Eloquent\Model|string $model
+     * @param \Illuminate\Database\Eloquent\Model|string $toAttachModel
+     *
+     * @return bool
+     */
+    public function authorizedToDetach($model, $toAttachModel)
+    {
+        return $this->authorizedToPerformActionOnRelationship('detach', $model, $toAttachModel);
+    }
+
+    /**
+     * Determine if the user can detach models of the given type to the base model.
+     *
+     * @param \Illuminate\Database\Eloquent\Model|string $model
+     * @param \Illuminate\Database\Eloquent\Model|string $toAttachModel
+     *
+     * @return void
+     */
+    public function authorizeToDetach($model, $toAttachModel)
+    {
+        $this->authorizeToPerformActionOnRelationship('detach', $model, $toAttachModel);
+    }
 }
@@ -17,11 +17,24 @@ class BelongsTo extends Relation implements RelationResource
      */
     public function beforeMutating(Model $model, Relation $relation, array $mutationRelations)
     {
+        $toPerformActionModel = app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
+            ->applyMutation($mutationRelations[$relation->relation]);
+
+        switch ($mutationRelations[$relation->relation]['operation']) {
+            case 'create':
+            case 'update':
+            case 'attach':
+                $this->resource()->authorizeToAttach($model, $toPerformActionModel);
+                break;
+            case 'detach':
+            $this->resource()->authorizeToDetach($model, $toPerformActionModel);
+            break;
+        }
+
         $model
             ->{$relation->relation}()
             ->{$mutationRelations[$relation->relation]['operation'] === 'detach' ? 'dissociate' : 'associate'}(
-                app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
-                   ->applyMutation($mutationRelations[$relation->relation])
+                $toPerformActionModel
             );
     }
 }
@@ -47,25 +47,31 @@ public function afterMutating(Model $model, Relation $relation, array $mutationR
     {
         foreach ($mutationRelations[$relation->relation] as $mutationRelation) {
             if ($mutationRelation['operation'] === 'detach') {
+                $toDetachModel = app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
+                    ->applyMutation($mutationRelation);
+
+                $this->resource()->authorizeToDetach($model, $toDetachModel);
+
                 $model
                     ->{$relation->relation}()
                     ->detach(
-                        app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
-                            ->applyMutation($mutationRelation)
-                            ->getKey()
+                        $toDetachModel->getKey()
                     );
             } elseif ($mutationRelation['operation'] === 'attach') {
+                $toAttachModel = app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
+                    ->applyMutation($mutationRelation);
+
+                $this->resource()->authorizeToAttach($model, $toAttachModel);
+
                 $model
                     ->{$relation->relation}()
                     ->attach(
                         [
-                            app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
-                                ->applyMutation($mutationRelation)
-                                ->getKey() => $mutationRelation['pivot'] ?? [],
+                            $toAttachModel->getKey() => $mutationRelation['pivot'] ?? [],
                         ]
                     );
             } elseif ($mutationRelation['operation'] === 'toggle') {
-                $model
+                $results = $model
                     ->{$relation->relation}()
                     ->toggle(
                         [
@@ -74,8 +80,16 @@ public function afterMutating(Model $model, Relation $relation, array $mutationR
                                 ->getKey() => $mutationRelation['pivot'] ?? [],
                         ]
                     );
+
+                foreach ($results['attached'] as $attached) {
+                    $this->resource()->authorizeToAttach($model, $relation->resource()::$model::find($attached));
+                }
+
+                foreach ($results['detached'] as $detached) {
+                    $this->resource()->authorizeToDetach($model, $relation->resource()::$model::find($detached));
+                }
             } elseif ($mutationRelation['operation'] === 'sync') {
-                $model
+                $results = $model
                     ->{$relation->relation}()
                     ->sync(
                         [
@@ -85,13 +99,25 @@ public function afterMutating(Model $model, Relation $relation, array $mutationR
                         ],
                         !isset($mutationRelation['without_detaching']) || !$mutationRelation['without_detaching']
                     );
+
+                foreach ($results['attached'] as $attached) {
+                    $this->resource()->authorizeToAttach($model, $relation->resource()::$model::find($attached));
+                }
+
+                foreach ($results['detached'] as $detached) {
+                    $this->resource()->authorizeToDetach($model, $relation->resource()::$model::find($detached));
+                }
             } elseif (in_array($mutationRelation['operation'], ['create', 'update'])) {
+                $toAttachModel = app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
+                    ->applyMutation($mutationRelation);
+
+                $this->resource()->authorizeToAttach($model, $toAttachModel);
+
                 $model
                     ->{$relation->relation}()
                     ->syncWithoutDetaching(
                         [
-                            app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
-                                ->applyMutation($mutationRelation)
+                            $toAttachModel
                                 ->getKey() => $mutationRelation['pivot'] ?? [],
                         ]
                     );
 
@@ -25,8 +25,19 @@ public function afterMutating(Model $model, Relation $relation, array $mutationR
                 $model->{$relation->relation}()->getForeignKeyName() => $mutationRelation['operation'] === 'detach' ? null : $model->{$relation->relation}()->getParentKey(),
             ];
 
-            app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
+            $toPerformActionModel = app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
                 ->applyMutation($mutationRelation, $attributes);
+
+            switch ($mutationRelation['operation']) {
+                case 'create':
+                case 'update':
+                case 'attach':
+                    $this->resource()->authorizeToAttach($model, $toPerformActionModel);
+                    break;
+                case 'detach':
+                $this->resource()->authorizeToDetach($model, $toPerformActionModel);
+                break;
+            }
         }
     }
 }
@@ -21,7 +21,18 @@ public function afterMutating(Model $model, Relation $relation, array $mutationR
             $model->{$relation->relation}()->getForeignKeyName() => $mutationRelations[$relation->relation]['operation'] === 'detach' ? null : $model->{$relation->relation}()->getParentKey(),
         ];
 
-        app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
+        $toPerformActionModel = app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
             ->applyMutation($mutationRelations[$relation->relation], $attributes);
+
+        switch ($mutationRelations[$relation->relation]['operation']) {
+            case 'create':
+            case 'update':
+            case 'attach':
+                $this->resource()->authorizeToAttach($model, $toPerformActionModel);
+                break;
+            case 'detach':
+            $this->resource()->authorizeToDetach($model, $toPerformActionModel);
+            break;
+        }
     }
 }
@@ -21,7 +21,18 @@ public function afterMutating(Model $model, Relation $relation, array $mutationR
             $model->{$relation->relation}()->getForeignKeyName() => $mutationRelations[$relation->relation]['operation'] === 'detach' ? null : $model->{$relation->relation}()->getParentKey(),
         ];
 
-        app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
+        $toPerformActionModel = app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
             ->applyMutation($mutationRelations[$relation->relation], $attributes);
+
+        switch ($mutationRelations[$relation->relation]['operation']) {
+            case 'create':
+            case 'update':
+            case 'attach':
+                $this->resource()->authorizeToAttach($model, $toPerformActionModel);
+                break;
+            case 'detach':
+            $this->resource()->authorizeToDetach($model, $toPerformActionModel);
+            break;
+        }
     }
 }
@@ -26,8 +26,19 @@ public function afterMutating(Model $model, Relation $relation, array $mutationR
                 $model->{$relation->relation}()->getMorphType()      => $model::class,
             ];
 
-            app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
+            $toPerformActionModel = app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
                 ->applyMutation($mutationRelation, $attributes);
+
+            switch ($mutationRelation['operation']) {
+                case 'create':
+                case 'update':
+                case 'attach':
+                    $this->resource()->authorizeToAttach($model, $toPerformActionModel);
+                    break;
+                case 'detach':
+                $this->resource()->authorizeToDetach($model, $toPerformActionModel);
+                break;
+            }
         }
     }
 }
@@ -19,10 +19,21 @@ public function afterMutating(Model $model, Relation $relation, array $mutationR
     {
         $attributes = [
             $model->{$relation->relation}()->getForeignKeyName() => $mutationRelations[$relation->relation]['operation'] === 'detach' ? null : $model->{$relation->relation}()->getParentKey(),
-            $model->{$relation->relation}()->getMorphType()      => $model::class,
+            $model->{$relation->relation}()->getMorphType()      => $mutationRelations[$relation->relation]['operation'] === 'detach' ? null : $model::class,
         ];
 
-        app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
+        $toPerformActionModel = app()->make(QueryBuilder::class, ['resource' => $relation->resource()])
             ->applyMutation($mutationRelations[$relation->relation], $attributes);
+
+        switch ($mutationRelations[$relation->relation]['operation']) {
+            case 'create':
+            case 'update':
+            case 'attach':
+                $this->resource()->authorizeToAttach($model, $toPerformActionModel);
+                break;
+            case 'detach':
+            $this->resource()->authorizeToDetach($model, $toPerformActionModel);
+            break;
+        }
     }
 }