
vincent15000

Best practice to access the authorizations via InertiaJS

Hello,

I have read the documentation for the authorizations.

https://inertiajs.com/authorization

I have tried to do that.

$path->load('level', 'projects.level');
$path->projects->each(function ($project, $key) {
    $project->can_delete = auth()->user()->can('delete', $project);
});
return Inertia::render('Paths/Show', compact('path'));

But what about simplifying this and adding an appended property to the model?

protected $appends = ['can_delete'];
...
public function getCanDeleteAttribute()
{
    return auth()->user()->can('delete', $this);
}

Is it a good idea, and does it remain secure?

Thanks for your answer ;).

V

0 likes
10 replies
Sinnbeck

It should still be safe. But personally I would not auto-append it, as you might not want it in every single query that uses the project model. Just append it when you need it:

$path->projects->append('can_delete');
1 like
tykus
Best Answer

It amounts to the same thing really, there will be a can_delete property available on the model instance. But the downside of this approach is you are mixing the HTTP layer with the model logic. You should be able to interact with the model without an authenticated user; but this approach bakes it in.

Personally I prefer Eloquent API resources for this, because they represent the Model instance(s) but stay in the HTTP layer of the application.

1 like
vincent15000

@tykus Before using InertiaJS, I did this via the API resources and it was great to do so. Now using InertiaJS, I'm just testing and trying to find another way to pass the authorizations to the front.

tykus

@vincent15000 You still need to be very mindful of the data you are sending to the client-side application, and API Resources are IMHO the best way to control that data, especially as an alternative to blindly serializing the Model directly, which is sensitive to changes in the database schema, property visibility and appended accessors on the Model. The Resource allows you to define a fixed structure that the client-side application expects.

1 like
vincent15000

@tykus OK, yes, I found the API resources very practical because I was able to return exactly what I wanted and needed in the front.

I should try to continue using the API resources and send them via InertiaJS rendering.
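What tykus's accepted answer and this last reply point at, written out as an added example that is not code from the thread: a resource that computes the policy checks in the HTTP layer against the request's user, and the controller passing it to Inertia. The resource and controller would live in separate files in a real app; class, model and relation names (ProjectResource, PathController, Path, level) are assumptions.

```php
<?php
// Added example, not code from the thread. Resource and controller are shown
// in one file for readability; names are assumptions.

use App\Models\Path;                               // assumed model
use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;
use Inertia\Inertia;

class ProjectResource extends JsonResource
{
    // Fields are listed explicitly: a new column, accessor or $appends entry
    // on the Project model never reaches the client by accident.
    public function toArray(Request $request): array
    {
        $user = $request->user();

        return [
            'id'    => $this->id,
            'name'  => $this->name,
            'level' => $this->whenLoaded('level', fn () => $this->level->name),
            // Policy checks run here, in the HTTP layer, against the request's
            // user. The model itself never calls auth(); an unauthenticated
            // request simply gets false for every flag.
            'can'   => [
                'update' => $user !== null && $user->can('update', $this->resource),
                'delete' => $user !== null && $user->can('delete', $this->resource),
            ],
        ];
    }
}

class PathController extends \App\Http\Controllers\Controller
{
    public function show(Path $path)
    {
        $path->load('level', 'projects.level');

        // resolve() turns the resource collection into a plain array so
        // Inertia ships exactly the keys defined above, without the "data"
        // wrapper a JSON response would add.
        return Inertia::render('Paths/Show', [
            'path'     => $path->only(['id', 'name']),
            'projects' => ProjectResource::collection($path->projects)->resolve(),
        ]);
    }
}
```

On the client, each project arrives with a fixed `can.update` / `can.delete` pair, and changing the Project model's schema or accessors cannot widen what the page receives.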
