
hey@bryson.cc

Ways to Determine Both Role and if CurrentTeam is Model Team

I was wondering, is there a simpler way to check if a user is performing an action on a model with correct permissions, while also checking they are performing actions on behalf of the current team?

For instance, I have a Team->Note relationship set up, so if I only want admins to edit Notes, my controller method looks like:

public function edit(Note $note) {
    if (Auth::user()->currentTeam->is($note->team) && Auth::user()->isTeamAdmin($note->team)) {
        // do work
    }
    else {
        // redirect back with error
    }
}

Now, at first glance it works and isn't bad, but that's a fairly long if statement to include in every admin method, especially if the number of Model subchildren grows (think if Note had a tree of children below it).

0 likes
7 replies
hey@bryson.cc

Note, I'm using Route Model Bindings to pass an inferred model from the URI to the Controller.

It's worth noting to combat this, I've made sure every model that I utilize returns a "team" object and then have a middleware that attempts to parse the model from the URI and check permissions like so:

use Closure;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Redirect;
// Alert is the poster's toast/alert facade (a third-party package, not shown here).

public function handle($request, Closure $next)
{
    $route = $request->route();
    // First route-model-bound parameter, e.g. the Note resolved from /notes/{note}
    $model = $route->parameters[$route->parameterNames[0]];

    // Deny unless BOTH hold: the user administers the model's team AND that team
    // is the user's current team. (The original grouped the negation around
    // isTeamAdmin() only, so a request against a non-current team passed through.)
    if (!(Auth::user()->isTeamAdmin($model->team) && Auth::user()->currentTeam->is($model->team))) {
        Alert::message('Whoops!', 'You don\'t seem to have permission to do that.', 'error', ['toast' => true, 'position' => 'bottom', 'timer' => 3000, 'showConfirmButton' => false]);
        return Redirect::back();
    }

    return $next($request);
}

However this convoluted workaround is hard to maintain and requires me to define a "team" attribute for every route model binding that may get run through the middleware.

Cronix
Best Answer

You can always create a helper method on the User model that returns the result of that. Or make a trait, and use the trait in the affected models, or use gates/policies, or a combination of these.

1 like
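As an added example (not code from this thread or from Laravel itself), here is one way to combine the suggestions in that answer: a base policy that holds the "current team AND team admin" rule once, per-model policies that only inherit it, and controller/route usage that replaces both the wrapping if statement and the hand-written middleware. It goes beyond the single Note case to the child-model tree the question mentions. Assumed from the thread: User::currentTeam, User::isTeamAdmin(Team), and a team relation on Note; every other class, namespace and method name is an assumption for this example.

```php
<?php
// Added example, not the thread's code. Assumed from the thread:
// User::currentTeam, User::isTeamAdmin(Team), and Note->team. Everything
// else (class and method names) is made up for illustration.

namespace App\Policies;

use App\Models\User;
use Illuminate\Database\Eloquent\Model;

// One place for the rule: the resource must belong to the user's CURRENT
// team, and the user must administer that team. Both must hold.
abstract class TeamResourcePolicy
{
    protected function administers(User $user, Model $resource): bool
    {
        $team = $resource->team;   // null if the relation is missing or unset

        if ($team === null || $user->currentTeam === null) {
            return false;          // fail closed when either side is missing
        }

        return $user->currentTeam->is($team) && $user->isTeamAdmin($team);
    }

    public function update(User $user, Model $resource): bool
    {
        return $this->administers($user, $resource);
    }

    public function delete(User $user, Model $resource): bool
    {
        return $this->administers($user, $resource);
    }
}

// Per-model policy: nothing to repeat. Laravel 8+ auto-discovers
// App\Policies\NotePolicy for App\Models\Note; on older versions register it
// in AuthServiceProvider::$policies.
final class NotePolicy extends TeamResourcePolicy {}

// For models further down the tree (the "Note has children" case), expose a
// `team` accessor on the child that walks up to its parent's team, then reuse
// the same base policy. Assumed child model name:
//
//   class NoteComment extends Model {
//       public function note() { return $this->belongsTo(Note::class); }
//       public function getTeamAttribute() { return $this->note?->team; }
//   }
//   final class NoteCommentPolicy extends TeamResourcePolicy {}
//
// Controller: one line instead of the if/else. A failed check throws
// AuthorizationException, which Laravel turns into a 403 response.
//
//   public function edit(Note $note)
//   {
//       $this->authorize('update', $note);
//       // do work
//   }
//
// Or at the route level, replacing the hand-written middleware entirely
// (`can` is Laravel's built-in Authorize middleware; `note` is the bound parameter):
//
//   Route::put('/notes/{note}', [NoteController::class, 'update'])
//       ->middleware('can:update,note');
```

Because the policy is keyed by the model class, the check follows the model wherever it is used, so a new controller method or a new child model gets the same rule without another if statement; and because both conditions live in one method, a grouping mistake like negating only one side of the check cannot recur per call site.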
hey@bryson.cc

@Cronix That's something I had considered, but it still doesn't solve the "middleware" issue. I could always remove the middleware and interact with the Model directly like you said, but it becomes tedious to have to include a wrapping if statement on every single Controller method.

Cronix

I'm not sure why you need it on the models if you are denying access via middleware, and using the middleware on the team routes? Doesn't it basically accomplish the same thing? If the middleware denies them, then they'd never make it to the controller?

hey@bryson.cc

It does, but the middleware example I gave requires that I have a Team model associated with any other Model that may get encountered. This is less than ideal, and seems to be a very convoluted way of accomplishing the same task.
