Admin models and relationships

Hi,

i have an admin model which I use to login to my site. I have 6 different types of administrator and their roles/permissions are managed by spatie/permission.

They all run from the same "admin" model and now, I need to give different relationships to my admins towards other models.

For example, my "super admin" does not need any relationship to my "client" model but my "client admin" needs a one-to-one relationship to my "client" model and my "advisor" also needs a one-to-one relationship to my "client" model, plus a one-to-many relationships with my "institution" model

I am thinking creating "client admin", "advisor" models which would extend my "admin" model

I would still be able to login using the "admin" model.

I am not sure how I go from there because If I log in with an "advisor" user and use

Auth::guard('admin')->user()->

it will point to the "admin" model because this is what I use to run the login check using laravel/UI.

What''s the best way to access the function of the extended class?

jlrdw

5 years ago

Best Answer

Level 75

To me, it would be easier just to have your methods authorized as to who can and can not do something.

In one system I have this logic:


    * Bob is an admin

    * Suzy is admin and does bookkeeping

    * Mary is a bookkeeper only

If Bob is logged in, Bob can only do admin stuff and all access to user stuff. But Bob cannot mess with bookkeeping.

If Suzy is logged in she can access admin stuff and bookkeeping and accounting stuff.

If Mary is logged in she cannot mess with admin stuff, but has access to bookkeeping and accounting stuff.

So in pseudocode:

public function makeInvoice()
    {
        if (a required role of bkeep is not true here) {   // bkeep = bookkeeper
            return redirect('somewhere'); // whereever you redirect to if not authorized
        }
        // Rest of method here is accomplished if 
        // the logged in user has the required role of 'bkeep'.
    }

But just suggestion and the way I like protecting methods.

A tip don't worry about the role, if super admin, boss, owner, janitor, it makes no difference.

What matters is:

Can the current logged in user role have access to this method, it's (yes or no).

There are ways to be secure yet stay simple.

Also note:

The ui will probably be removed in future versions, best if you start using the newer jetstream / fortify now, just suggestion.

Otherwise will be harder migrating such a complex auth over. That's why I like keeping it simple.

FREDERIC LD

5 years ago

Level 4

@jlrdw okay. I think I understand what you are saying. Had to read it 10 times though....

In principles, you say create the relationship function but filter users who can access it.

public function client()
    {
        if (\Auth::guard('admin')->user()->hasAnyRole('super admin', 'client admin', 'advisor') )
        {             
            return $this->hasOne(App\Models\Client::class);
        }
    }

and in the migration I suppose I can the client_id foreign key set to ALLOW NULL

That means all my admins will have relationships to other tables but only few of them will make use the relatoinships. Is that right?

jlrdw

5 years ago

Level 75

I am saying basically make a method and a role have to match.

In a case where an admin can see everything but a user can only see their data that's where I use a query scope.

In the scope the user part is not included if admin otherwise the user part of the query is included.

So a combination of authorization and query scopes is used.

To bypass having to use scopes, separate admin and user methods would be required.

Small systems I like Scopes, larger separate methods.

FREDERIC LD

5 years ago

Level 4

@jlrdw Understood! Thanks

Please or to participate in this conversation.