Intro to Authorization 0:00
When we think of admin dashboards, we always have to think about authorization. Some users are always able to do more things than other users and have more access rights. So in our case, maybe only specific users are able to delete posts, maybe only the administrator. Or maybe the user that created a post is only able to edit their own posts, so that I cannot edit posts that other users created. Adding authorization in Laravel Nova is really easy, so let's take a look at how it works.

Creating a Policy 0:41
Nova makes use of Laravel's policy features. So to create a new policy that we can use for our model, we can use the CLI command that ships with Laravel. So we can say php artisan make:policy, and then give it a name. So we want a PostPolicy. And with -m, we can define which model this policy will be for, so we want this to be for the Post model. All right, so we created the new policy. Let's take a look. We now have this Policies folder, and in there is the PostPolicy file. And since we defined the model, we already have the model listed here, and we have this boilerplate of all the available functions. So here we can define whether a specific user can view the post, whether the user can create a new post, whether a user can update an existing post, whether a user can delete an existing post, and, if you have soft deletes in place, whether a user can restore soft-deleted posts and force-delete posts.

Registering the Policy 2:01
Okay, now we still need to apply this policy in our application. To do this, we can head over to our Providers folder, and there's the AuthServiceProvider. In there, we have this policies array, which maps which model will use which policy class. So for us, we want the App\Post model to use the App\Policies\PostPolicy class. And as you can see, this has nothing really to do with Nova resources, because the access rights all happen based on the model and not based on the Nova resource. So with that in place, if we go back to our Nova application and refresh, watch what happens.

Controlling CRUD Access 2:51
We suddenly can no longer create new posts, and we're unable to view existing posts, take a look at the details, edit them or delete them. So now Nova automatically makes use of our policy class. So if we go into our policy, and in view return true, suddenly all of the posts are viewable again, and we can take a look at the details. The same applies if you want to make this more fine-grained. So maybe you want to be able to view every post unless its ID is four. So you can say return post ID is not equal to four, and then we can view all of these posts, well, except for the one with ID four. But let's just return true for now. So we can do the same thing with create. If we return true here, go back to Nova and refresh, we can see the create post button. We can change whether users are able to update our model: return true, refresh, and now we have this edit icon here. And last but not least, the same thing for delete, and now our users can delete. So basically, we have now restored our old behavior.

Hiding Resources with viewAny 4:26
And if I want to manipulate this, I could do something like: delete is only available if the user is an administrator, for example. Okay, and there is an additional policy method that you can add, where you can choose if a user can see any of these resources or models at all. So even if every one of these methods returns false, the user is still able to see that we have posts in our system, and he can go to the listing and see all of them, even though he can't create, edit or delete them. So to change this, you can go to your policy file and add a new method and call it viewAny. This viewAny method gets the user as a parameter, and in here you can basically just define if this specific user can view any of these models. So if we return false here, go to the dashboard and refresh, suddenly we no longer see our post resource. So this way, you can control whether users have access to this resource at all. So with the policies, you can define and turn on or off specific features in Nova itself.

Field Visibility and Index Scoping 5:42
But sometimes you might need more control over what your users are able to see, and Nova provides this on a field level as well. So let's switch this back to true so that we can see our post resources. But maybe only specific users are able to set the is_published field on our posts, and all the other users, well, they should not see this at all. So if we go to our post resource, and go to the is_published field, we can just define who can see this field and who can't. So you can add a new method and call it canSee. This method receives the current request object, and in there you can do something like return request user, and then you could use Laravel's authorization feature and do something like can publish post and give it the current post. So if we return false in here and refresh in Nova, we no longer see this specific field in the listing, we don't see it in the detail page, and if we create a new post, we're also unable to choose and select this field. So using this, you can define which fields will be visible for which user. So as I said, maybe you only want to list posts for the user that is currently logged in, so that I don't see posts that someone else created at all. So let's try this out. First, we will need a new user. So let's create a new user here. Let's just use Taylor, because I have him in the autofill, and create it. Now let's create a new post, or change the existing post and just say, okay, this belongs to Taylor, the title will be "Taylor's post", and update it. Okay, so now if we go to the listing, we still see all of the posts. But now I want to filter this so that the currently logged-in user can only see their own posts. To do this, we can define an index query that will be used to build this index page. So if we go to our post resource, we can add a new method here for the index query. And you can take this method from the base Resource class that we have here, so just copy it to our post resource. So we get the Nova request, and we have a query builder. So now we can say query where user ID is equal to the request user ID. And now if I go back to Nova, I no longer see Taylor's post, and that's because it is no longer in scope in my specific index query. So just like this, you can modify not only which functionality of your resources is available for which user, you can specify which fields the specific user is able to see, and you can also modify the query that is being used to build the index page.
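Pulling together the policy walked through in the sections above, here is a complete PostPolicy as an added example (not the video's own file). It assumes an is_admin column on the users table and a user_id owner column on posts; on Laravel 8+ the models live under App\Models rather than App\.

```php
<?php
// app/Policies/PostPolicy.php (added example; not the video's code).
// Register it in AuthServiceProvider's $policies array as
// \App\Post::class => \App\Policies\PostPolicy::class.
namespace App\Policies;

use App\Post;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class PostPolicy
{
    use HandlesAuthorization;

    // Returning false here hides the Post resource from Nova entirely.
    public function viewAny(User $user): bool
    {
        return true;
    }

    // The video's demo rule: every post is viewable except ID 4.
    public function view(User $user, Post $post): bool
    {
        return (int) $post->id !== 4;
    }

    public function create(User $user): bool
    {
        return true;
    }

    // Authors may only edit their own posts (compares the owner column).
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }

    // Only administrators may delete. `is_admin` is an assumed users column.
    public function delete(User $user, Post $post): bool
    {
        return (bool) $user->is_admin;
    }

    // Ability a Nova field's canSee() can check for the is_published toggle.
    public function publish(User $user, Post $post): bool
    {
        return (bool) $user->is_admin;
    }
}
```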
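The field-level canSee and the index scoping from the last section, combined in one Nova resource as an added example (not the video's file). It assumes the post policy exposes a publish ability and that posts carry a user_id owner column.

```php
<?php
// app/Nova/Post.php (added example; not the video's file).
// Assumes PostPolicy defines a `publish` ability and that posts
// carry a `user_id` owner column.
namespace App\Nova;

use Illuminate\Http\Request;
use Laravel\Nova\Fields\Boolean;
use Laravel\Nova\Fields\ID;
use Laravel\Nova\Fields\Text;
use Laravel\Nova\Http\Requests\NovaRequest;

class Post extends Resource
{
    public static $model = \App\Post::class;

    public function fields(Request $request)
    {
        return [
            ID::make()->sortable(),
            Text::make('Title'),

            // Field-level control: the field disappears from the index,
            // detail and create/update forms unless the gate check passes.
            // $this->resource is the underlying Post model for this row.
            Boolean::make('Is Published')->canSee(function ($request) {
                return $request->user()->can('publish', $this->resource);
            }),
        ];
    }

    // Index scoping: the listing only shows the caller's own posts.
    // This narrows the index page only; detail, edit and delete are
    // still decided by the policy, so keep both mechanisms in place.
    public static function indexQuery(NovaRequest $request, $query)
    {
        return $query->where('user_id', $request->user()->id);
    }
}
```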