Sign in Get started

This episode is for members only

Sign up to access "Laravel Teams" right now.

Already a member? Sign in to continue

Playing

32. Tidying up @can directive checks

Episodes

0%

Your progress

Total: 4h 36m
Played: 0m
Remaining: 4h 36m

Join or sign in to track your progress

01. Introduction and demo

02. Setup with Pest

03. Building the user teams relations

04. Creating a personal team when registering

05. Leaving all teams when an account is deleted

06. Tracking the current team

07. Showing team details in the UI

08. Switching to another team

09. Authorising team switching

10. Updating a team name

11. Basic roles and permissions setup

12. Team roles and permissions middleware

13. Authorising current team updates

14. Testing team permissions through HTTP requests

15. Leaving a team

16. Displaying team members

17. Making team members look better

18. Removing a team member

19. Preventing self removal from a team

20. Storing invitations

21. Validating invitations

22. Authorising team invitation creation

23. Displaying invitations

24. Revoking invitations

25. Sending an invitation email

26. Accepting an invitation

27. Displaying a modal to change a member’s role

28. Updating a member’s role

29. More authorisation and checks for role changing

30. Fixing up the email sending test details

31. Fixing and validating email addresses for invites

32. Tidying up @can directive checks

33. Detaching roles when removing users

34. Adding an extra layer of protection to the team middleware

35. Getting related models through teams

36. Building a helper to access the current team

37. Getting all related models through all teams

38. Creating new teams

Transcript

00:00

Something else that we need to be careful in, particularly when we're dealing with roles and permissions,

00:04

is wherever we're using the can directive within our blade templates, we want to make sure we're referencing the policy. Remember the policy is the single source of truth

00:14

as to whether something can happen or not. So we don't want to reference individual permissions anywhere in our app. We want to keep these directly within the policy.

00:24

Just a refresher, if we go over to any of our policies, we know that we're using the permissions directly within here, but we're basing some other checks around this as well,

00:33

just in case. Now, what we've actually done throughout this system is if we just search for can, some places I've gone ahead and used

00:42

the permission directly, and that's not what we want to do. So let's go ahead and just change some of these around. So we've got this first one, can invite to team.

00:51

If we head over to Mabel's account, we know that she is just a team member, so she shouldn't be able to invite to a team. So we can just use the UI to make sure

00:59

that this is all good. Okay, if we go back over to our team policy, let's search for that invite to team. And yeah, that's just invite to team.

01:08

So let's go back over and we will update this here. And let's go ahead and look for that elsewhere to see if we've used it and just here as well on the team members for the other part of this.

01:19

So let's say invite to team. Now we know that as part of this, we need to pass in the user and the team or just the team. So let's go ahead and pass the team into here

01:26

and let's look for invite to team here and make sure we pass that team in as well. Okay, so if we head over to the UI, we shouldn't see any difference here

01:34

because we're pretty much doing the same thing in the policy, but now we've switched that over. It's a little bit more reliable. When we add anything to the policy, this should now work.

01:42

You can see this works for Alex's account as well. Now we also have, if we just have a look under can, we've got the view team member section. So if we open up our team policy and we have a look here,

01:56

we don't actually have a view team members method. So in this case, what we would do is just go ahead and create one out anyway. So view team members,

02:07

even though we're just going to check the permission in here it's good practice to do this anyway. So let's go ahead and pass in the user. Now we don't need the team in here,

02:17

but if we had any other checks around the specific team that we could view, then we could use that. Remember that the permissions checks are always in the context of that ID

02:27

for the team that's been set in the middleware. So in here, all we really need to do is just say user can, and let's just remind ourselves of that view team members. So let's say view team members,

02:40

and we can just switch this over now. So we can take the view team members just here, and we can go ahead and pop that directly over to here. And pass that team directly over.

02:53

So we know that everyone can view team members, but we don't see much difference here. Of course, if this user didn't have a role or they didn't have the correct permission,

03:01

we wouldn't see it. But now we've successfully switched over all of the cans to use the method specifically inside of our policy. And we're not directly checking permissions.

03:14

And this is going to help us going forward because it means any updates we make to our policy will be reflected in both form submissions and within our templates as well.

Episode summary

In this episode, we’re focusing on cleaning up how we check user permissions in our Blade templates using the @can directive. The main idea here is that we want to make sure all our permission checks go through our policies instead of directly referencing specific permissions. This keeps things more organized, centralized, and easier to update in the future.

We start by searching through our codebase for places where we've used the @can directive and notice that in some spots, we’re checking permission strings directly (like can:invite to team). That’s not ideal, so we update these to reference policy methods (like can:inviteToTeam, $team).

Along the way, we spot situations where a policy method doesn’t exist yet (like viewTeamMembers), so we take a moment to add those to our policy classes, even if all they do is check a permission for now. This way, if our permission logic ever needs to change, we only have to update the policy.

After switching everything over and testing it out in the UI, we confirm that the functionality stays the same, but now our permission system is much more maintainable. Any future tweaks to authorization will be reflected everywhere automatically, keeping our code consistent and reliable!

Episode discussion

No comments, yet. Be the first!