User Permissions
Zane Hooper edited this page Apr 5, 2017 · 4 revisions
The `App\Auth\Permission\PermissionService` class checks the current user's permissions. Only two user types carry permissions: admins and integrations; clients, installs and unauthenticated requests have none, so a permission check against them always fails.
```php
// A single permission name: the user must hold exactly that permission.
if (!$this->permission->has('system.integrations.read')) {
    abort(403, 'You do not have access to Integrations');
}

// An array is an AND: the user must hold every listed permission (read and write).
if (!$this->permission->has(['system.integrations.read', 'system.integrations.write'])) {
    abort(403, 'You do not have access to Integrations');
}

// A '|' inside one element is an OR: the user must hold read, and either write or other.
if (!$this->permission->has(['system.integrations.read', 'system.integrations.write|system.integrations.other'])) {
    abort(403, 'You do not have access to Integrations');
}
```
The `App\Api\ApiAuthService` class has helper methods for determining the currently authenticated user and restricting an endpoint to particular user types.
```php
$this->auth->only([
    'admin',
    'integration',
]);
```
This throws a 401 if the authenticated user is not an Admin or an Integration (for example a client, an install, or an unauthenticated request). Note the distinction from the permission checks above: `only()` rejects the wrong *type* of user with a 401, while a user of the right type who lacks a permission is rejected with a 403.
You can also pass a callback per user type, for example to check permissions, filter the results that user may see, and so on:
```php
$checkPerms = function () {
    if (!$this->permission->has('system.integrations.read')) {
        abort(403, 'You do not have access to Integrations');
    }
};

$this->auth->only([
    'admin' => $checkPerms,
    'integration' => $checkPerms,
    'client' => function ($clientId) {
        // Only run if the authenticated user is a Client.
        // The Client's ID is passed in $clientId.
    },
    'none' => function () {
        // Only run if the request is unauthenticated.
    },
]);
```
The callback is optional, and entries with and without a callback can be mixed in the same call. Every listed type is admitted; the callback runs afterwards and, as in the `$checkPerms` example above, denies access by calling `abort()` itself, so a callback that simply returns does not deny anything.
```php
$this->auth->only([
    'admin',                     // admins have access and no callback is run
    'integration' => $checkPerms, // integrations have access, then $checkPerms is run
    // Other users (clients, installs, unauthenticated users) do not have access (401 thrown).
]);
```
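The following is an added, stand-alone illustration of the `only()` dispatch shape used on this page: normalising a spec that mixes bare type names with `type => callback` pairs, admitting listed types, running the callback (passing the client ID for clients), and rejecting everything else with a 401. It is not `ApiAuthService`; the class `ExampleAuthGate`, the `$principal` array layout, the `ExampleHttpException` type standing in for `abort()`, and the sample principals are all assumptions made so it runs with `php`.

```php
<?php
// Added example, not the project's own code. Stands in for abort(): throws
// instead of ending the request so the dispatch can be exercised in a loop.
final class ExampleHttpException extends RuntimeException
{
    /** @var int */
    public $status;

    public function __construct(int $status, string $message)
    {
        parent::__construct($message, $status);
        $this->status = $status;
    }
}

function exampleAbort(int $status, string $message): void
{
    throw new ExampleHttpException($status, $message);
}

final class ExampleAuthGate
{
    /** @var array{type: string, id?: int} assumed layout; type is admin, integration, client, install or none */
    private $principal;

    public function __construct(array $principal)
    {
        $this->principal = $principal;
    }

    /**
     * $spec mixes bare type names ('admin') with 'type' => callback pairs.
     * A listed type is admitted; its callback, if any, runs afterwards and must
     * abort itself to deny. Any type not listed is rejected with a 401.
     */
    public function only(array $spec): void
    {
        $allowed = [];
        foreach ($spec as $key => $value) {
            if (is_int($key)) {
                $allowed[$value] = null;   // bare entry such as 'admin': no callback
            } else {
                $allowed[$key] = $value;   // 'integration' => $closure
            }
        }

        $type = $this->principal['type'];
        if (!array_key_exists($type, $allowed)) {
            exampleAbort(401, 'Unauthorized');
        }

        $callback = $allowed[$type];
        if ($callback === null) {
            return;
        }
        if ($type === 'client') {
            $callback($this->principal['id']); // clients are handed their own ID
        } else {
            $callback();
        }
    }
}

// Constructed: this integration was not granted system.integrations.read.
$hasRead = false;
$checkPerms = function () use ($hasRead) {
    if (!$hasRead) {
        exampleAbort(403, 'You do not have access to Integrations');
    }
};

$spec = [
    'admin',                        // admitted, no further check
    'integration' => $checkPerms,   // admitted, then permission check
    'client' => function ($clientId) {
        if ($clientId !== 42) {     // constructed rule: only client 42 may proceed
            exampleAbort(403, 'Wrong client');
        }
    },
];

$principals = [
    ['type' => 'admin'],
    ['type' => 'integration'],
    ['type' => 'client', 'id' => 42],
    ['type' => 'client', 'id' => 7],
    ['type' => 'install'],
    ['type' => 'none'],
];

foreach ($principals as $principal) {
    $label = $principal['type'] . (isset($principal['id']) ? '#' . $principal['id'] : '');
    try {
        (new ExampleAuthGate($principal))->only($spec);
        printf("%-14s admitted\n", $label);
    } catch (ExampleHttpException $e) {
        printf("%-14s %d %s\n", $label, $e->status, $e->getMessage());
    }
}
```

Running it shows the two distinct failure modes side by side: `install` and `none` are not in the spec and get a 401 before any callback runs, while `integration` and `client#7` are of an admitted type and are turned away with a 403 only because their callback aborts. If a callback forgot to abort (say it logged the missing permission and returned), the gate would admit the user, which is why the permission check inside `$checkPerms` must terminate the request rather than just report.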