Proposal: Update Authorization to Allow Checks on Multiple Abilities

[mikebronner]

Right now checking multiple abilities is cumbersome, for example:

if (auth()->check() && auth()->user()->can('edit', $post) || auth()->user()->can('create', $post)) {
    //
}

Would become more succinct using an optional array as the first parameter:

if (auth()->check() && auth()->user()->can(['edit', 'create'], $post)) {
    //
}

or:

@can (['edit', 'create'], $post)
    //
@endcan

The evaluation would default to or (meaning if any of the abilities were truthful, the check would pass. I could see adding an optional attribute in the 3rd $options parameter that would allow setting the check to and.

This would have to work in blade directives and middlewares as well. Admittedly, this is a pretty intrusive change, but would not break backwards compatibility, as the first parameter would either be a string or an array of strings.

Would love to hear your thoughts, recommendations, etc. Thanks!

[BrandonSurowiec]

I like the idea, but I would use different blade directives to indicate AND or Or. I wouldn't tack on a third param. Usually it's a code smell when you're toggling behavior like that and it becomes a bit ambiguous when looking at it. (The params manifest as a true/false value and are hard to understand, even though this case you would prob pass a string.)

I'm not sure that the default should be OR. Maybe it should be AND. Then we can use the blade directives: @can(['edit', 'create']) and @canOr(['edit', 'create'], $post). I would rather default to stricter security instead of less with the @can directive. Thoughts?

[decadence]

Would be better to have canAll (or canEach) and canAny

[mikebronner]

@decadence I like that direction. That way there is no ambiguity as to how permissions are actually resolved. I think that would alleviate @BrandonSurowiec 's concerns as well. This would also make it much simpler to implement, and not require retooling of all the underlying methods.

[BrandonSurowiec]

The every method in functional programming indicates all values are truthy, so maybe @canEvery would be appropriate. I like @decadence's idea.

[mikebronner]

Yea, that sounds good: @canAny and @canEvery. Will start working on a PR today.

[mikebronner]

One thing I don't like about ...checkEvery($abilities... is that every refers to a singular noun, while all refers to a plural noun. It's less fluent to read and requires an extra "brain-cycle" to register, because you trip over it linguistically. As opposed to ...checkAll($abilities.... I do think checkEvery is more explicit in its meaning though. (This is in the gate class, not the blade directive.)

[mikebronner]

PR #19900 didn't make it. Next attempt is in PR #20084 (laravel/framework#20084)