-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using forbid method with global user role #593
Comments
You're not doing anything wrong. Roles are simply a shortcut for providing permissions to a given user. So for all roles that they have, if any of them forbids an ability, it will always be forbidden. In your scenario, it sounds like the |
In my scenario, I have a lot of abilities attached to So, if I use |
You other option would be to have a special role for the restrictions, and assign that to all users who are only |
In my case, it will be like 10-20 special restrictive roles. And I need to assign that role to every user (with exception to some user with roles I don't want to be restricted) when I create a new big model or section in app. I think about it from the other side — create for each section a separate "user" role, like Maybe it's okay to regularly update each user and change their roles, I don't know. |
Bouncer lets you grant abilities to everyone, without using any roles: Bouncer::allowEveryone()->to('view', Document::class); I see now that it's not documented. Gotta fix that. So in your case, you could add all general abilities to everyone, and only add the restrictions to the Bouncer::allowEveryone()->to('view', Document::class);
Bouncer::forbid('user')->to('view', $classifiedDocument); ...and then don't assign the |
I have a pretty simple idea, but I never quite got it right. I have read all the documentation and searched issues.
There is a list of Documents.
There is a global User role, every user has it when they registered.
There is a Document Editor role, some users have it.
Some documents need to be forbidden for normal users, but still visible for Editors
The problem is that the Document Editor also lost access to those documents, because he has User role too. And we can't take away his User role, because with this role he gets access to other parts of the application.
I think about separate global roles, like Document User, which must be unassigned for Editors. Or about role levels, which was removed from this package. But none of them is a perfect solution.
What am I doing wrong, maybe there are some simple solution?
The text was updated successfully, but these errors were encountered: