Sign in Get started

This episode is for members only

Sign up to access "Laravel Teams" right now.

Already a member? Sign in to continue

Playing

13. Authorising current team updates

Episodes

0%

Your progress

Total: 4h 36m
Played: 0m
Remaining: 4h 36m

Join or sign in to track your progress

01. Introduction and demo

02. Setup with Pest

03. Building the user teams relations

04. Creating a personal team when registering

05. Leaving all teams when an account is deleted

06. Tracking the current team

07. Showing team details in the UI

08. Switching to another team

09. Authorising team switching

10. Updating a team name

11. Basic roles and permissions setup

12. Team roles and permissions middleware

13. Authorising current team updates

14. Testing team permissions through HTTP requests

15. Leaving a team

16. Displaying team members

17. Making team members look better

18. Removing a team member

19. Preventing self removal from a team

20. Storing invitations

21. Validating invitations

22. Authorising team invitation creation

23. Displaying invitations

24. Revoking invitations

25. Sending an invitation email

26. Accepting an invitation

27. Displaying a modal to change a member’s role

28. Updating a member’s role

29. More authorisation and checks for role changing

30. Fixing up the email sending test details

31. Fixing and validating email addresses for invites

32. Tidying up @can directive checks

33. Detaching roles when removing users

34. Adding an extra layer of protection to the team middleware

35. Getting related models through teams

36. Building a helper to access the current team

37. Getting all related models through all teams

38. Creating new teams

Transcript

00:00

We don't have many permissions set up as part of this team admin,

00:03

but we do have the one, which is whether we can update a team. What we can now do is apply that to what we have built earlier, where we can update our team's name. Let's take a look at how we do this and integrate this with a policy,

00:17

which is the recommended way to work with roles and permissions within Laravel. So remember, we created the team policy earlier with all of the checks in here. What we want to do is rather than litter the rest of our code with specific permissions checks from that package,

00:35

we want to do everything in one place. That means that we just have a single central point where we can check if a user has permission to do something. And we can either use this in blade templates,

00:46

or we can use this within our controllers. So we returned true here earlier, but really the last check of this is that the user can update a team. Now, what this will do is within the current context of the team

01:00

that we're trying to update, it will check if this permission exists on that role that we have as part of that team. So let's go over here and just say Alex's team,

01:11

hit save, and you can see that sure enough, that does update because we know that for a personal team, we are a team admin. Now, just really quickly, I'm going to fix this up because over on the team controller,

01:22

what we're not doing is returning back with that status that we're checking within our blade template. Not really the most important thing, but if we do this over on the edit team form,

01:34

this will then go ahead and check this, and it will show a saved value like that. Not the most important, but we'll add it in. Okay, so we know that we can update this team,

01:46

but what happens if we create our new team without any permissions or without any roles? Well, let's go over and create a new team once again. So we'll just create that code course team out,

01:55

and let's have a look. So let's assign us to that. Let's just check the ID, that's six. So let's assign that to there.

02:03

Let's go and switch over to that team. And now we're in this team. Now, if I hit save, we get a 403 because we don't have a role attached.

02:13

And even if we just did have a team member role attached, we still don't have permission to do this. So that's all working now because over in our team controller,

02:24

we have a team update request, which is using update, which we remember is over on our team policies. So it's now also checking our permissions as well as whether we're actually in that team.

02:37

So now that we've done this, we are good to go. We can't update this team information, but we also want to make sure that we don't show this because if we don't have permission,

02:46

there's no point in even showing this team information. And you could do things like get rid of the save button or blank this out, whatever you want to do, but I'm just going to get rid of this entire thing.

02:57

Okay, let's go over and do that within Blade now because we've got a policy, this makes it incredibly easy. So over in our edit team form, what we can now do, or actually it's probably better to do this directly

03:09

within the team edit. We can just get rid of this entire thing. So let's go and just wrap this in a Blade can and we'll say update,

03:22

and you can even create out a new permission for edit specifically to see an edit value, but we'll just leave it as it is for now. And we'll end the can there, pull that in,

03:32

and that means we don't see that at all. But when we switch over to our team, that middleware kicks in and it allows us to see and of course, update that information.

Episode summary

In this episode, we're diving into how to handle team update permissions in our Laravel app. We've already set up a basic permission on whether a user can update a team, and now it's time to connect this to the real functionality—actually updating a team's name.

We'll review how to centrally manage these permissions using Laravel policies, so our code stays clean and organized. Instead of scattering permission checks everywhere, we put them in one spot—our TeamPolicy—which makes the entire auth process smoother. You'll see how to tie these checks into both Blade templates (for hiding UI bits) and controllers (for secure backend access).

Next, we'll test what happens when we try updating a team as a user without the right role or permissions. As expected, we'll get a 403 error, which means the policy is doing its job!

Finally, to tidy up the user experience, we'll update our Blade templates. If a user can't update a team, we simply won't show the edit form or the save button. It's super easy with the @can directive Laravel provides. By the end of the episode, our update flow is controlled and secure—only authorized users see or can submit edit forms.

It's all about making your app's team management both secure and user-friendly!

Episode discussion

No comments, yet. Be the first!