We need to rethink the permissions system

[kirkbushell]

A fairly common requirement of any publishing platform is to have contributors or other authors that only have access to the content they're creating. In this sense, one might thing of permissions of these resources as perhaps being able to manage my own, vs everyone else's contributions.

Unfortunately, even when defining my own gates, it is impossible to make this separation - namely because the same permissions checks (list, for example) are used for both listing all articles, and showing articles. But also because the various buttons and actions are deeply connected to the permissions system. If anyone has a recommendation how to get around this, I'd love to hear it.

I would like to suggest that this system be re-thought taking into account a less narrow requirement of permissions, that can be managed at a user/group level, with each registered resource having its own set of permissions (along with some defaults, such as users).

I would be happy to contribute to this, we could start it at the user level and work up to groups later? It is absolutely necessary for my project (rathetimes.com) to have this sort of feature. Currently it's a big roadblock in being able to organically grow my contributors and authors.

[ifox]

Hi Kirk,

I will need to take more time to answer at length about this and talk more about what @antonioribeiro is referring to in another thread, but I don't think what you're looking for is impossible currently. I can share a complete implementation example later this week but for now this repository trait that's part of it might help you:

<?php

namespace App\Repositories\Behaviors;

trait HandleRestrictedAccess
{
    public function filterHandleRestrictedAccess(&$query, array &$scopes = [])
    {
        if (isset($scopes['mine-only']) && $scopes['mine-only']) {
            $query->where(function ($q) {
                $q->hasUserAsAuthorizedContributor();
            })->orWhere(function ($q) {
                if (classHasTrait($this, 'A17\Twill\Repositories\Behaviors\HandleRevisions')) {
                    $q->wasCreatedByUser();
                }
            });
        }

        if (isset($scopes['drafts-only']) && $scopes['drafts-only']) {
            $query->draft();
        }

        unset($scopes['mine-only']);
        unset($scopes['drafts-only']);
    }

    public function afterSaveHandleRestrictedAccess($object, $fields)
    {
        $this->updateRelatedBrowser($object, $fields, 'users');
    }

    public function getFormFieldsHandleRestrictedAccess($object, $fields)
    {
        $fields['browsers']['users'] = $this->getFormFieldsForRelatedBrowser($object, 'users');

        return $fields;
    }
}

[kirkbushell]

I need a little bit of information regarding how exactly this works once added, if you wouldn't mind :)

[ifox]

For sure, I will share a repo with the whole setup.