Skip to content

Authority Precedence

Jump to bottom Edit New page
Tortue Torche edited this page Mar 17, 2015 · 5 revisions

The authority rules further down in a file will override a previous one. For example, let's say we want the user to be able to do everything to projects except destroy them. This is the correct way.

$this->allow('manage', 'Project');
$this->deny('destroy', 'Project');

It is important that the $this->deny('destroy'... line comes after the $this->allow('manage'... line. If they were reversed, $this->deny('destroy'... would be overridden by $this->allow('manage'.... Therefore, it is best to place the more generic rules near the top.

Adding allow rules do not override prior rules, but instead are logically or'ed.

$this->allow('manage', 'Project', function ($self, $project) {
    return $project->user_id == $self->user()->id;
});

$this->allow('update', 'Project', function ($self, $project) {
    return ! $project->isLocked();
});

For the above, can('update',... will always return true if the $project->user_id equals $self->user()->id, even if the project is locked.

This is also important when dealing with roles which have inherited behavior. For example, let's say we have two roles, moderator and admin. We want the admin to inherit the moderator's behavior.

if ($user->hasRole('moderator')) {
    $this->allow('manage', 'Project');
    $this->deny('destroy', 'Project');
    $this->allow('manage', 'Comment');
}
if ($user->hasRole('admin')) {
    $this->allow('destroy', 'Project');
}

Here it is important the admin role be after the moderator so it can override the deny behavior to give the admin more permissions. See Role Based Authorization.

If you are not getting the behavior you expect, please post an issue.

Additional Docs

Add a custom footer
Add a custom sidebar
Clone this wiki locally