How to authorize actions?

[artworkad]

Hello @lorisleiva 👋

can you shed some light on how to authorize actions?

From a controller or even a livewire component I am used to do:

$this->authorize('viewAny', Note::class);
$this->notes = Note::with('user')->latest()->get();

Using actions:

$this->authorize('viewAny', Note::class);
$this->notes = GetNotes::run();

Refactoring the authorization into the action:

public function handle(array $attributes = []): Collection
{
    Gate::authorize('viewAny', Note::class);

    return Note::with('user')->latest()->get();
}

Are you using a similar approach or are you recommending another way?

[lorisleiva]

Hi there 👋

If you're typically just using an action as a controller, you may simply define the authorisation logic inside the authorization method.

public function authorize(): bool
{
    return Gate::allows('viewAny', Note::class);
}

or if you prefer to be explicit with the user to authorise.

public function authorize(ActionRequest $request): bool
{
    return Gate::forUser($request->user())->allows('viewAny', Note::class);
}

However, if you want this authorisation logic to trigger no matter how you call your actions (e.g. as an object using MyAction::run(...)), then you might want to do what you suggested and use Gate::authorize inside the handle method.

public function handle()
{
    Gate::authorize('viewAny', Note::class);

    // ...
}

I hope this helps. 🙂

[robsontenorio]

Hi,

I am comming from v1.

What would be is the best practice about get logged user on v2?

Typically on v1 handle() i had access to $this->user(). How to deal with it on v2?

v1

public function handle(){

     $var = Tournament::isManagedBy($this->user()));
     // more logic using $var
}

[Wulfheart]

auth()->user?