Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

rg83's avatar
rg83
OP
2 years ago
Level 4

Nova Admin can't edit resource records that don't belong to them

Hi.

I have a recipe manager site and realised that I could not edit or delete recipes that did not belong to my account. As an admin I want to be able to do this. Is there a setting that I can alter that would allow admins to do these actions?

0 likes
1 reply
LaryAI's avatar
LaryAI
AI
2 years ago
Level 58

Certainly! In Laravel Nova, permissions are typically handled through policies. If you want an admin to be able to edit or delete any resource regardless of ownership, you'll need to update the corresponding policy to allow this.

Here's how you can do it:

  1. Locate the policy associated with the resource you're trying to control, in this case, the RecipePolicy. If you haven't created one, you can generate it using the artisan command:
php artisan make:policy RecipePolicy --model=Recipe
  1. In the generated RecipePolicy, you'll find methods like update and delete. You need to modify these methods to allow admins to perform these actions regardless of the resource ownership.

Here's an example of what the update and delete methods might look like after modification:

public function update(User $user, Recipe $recipe)
{
    // Allow admins to update any recipes
    if ($user->isAdmin()) {
        return true;
    }

    // Allow users to update their own recipes
    return $user->id === $recipe->user_id;
}

public function delete(User $user, Recipe $recipe)
{
    // Allow admins to delete any recipes
    if ($user->isAdmin()) {
        return true;
    }

    // Allow users to delete their own recipes
    return $user->id === $recipe->user_id;
}

In the above code, isAdmin() is a hypothetical method that you would need to implement on your User model to check if the user has admin privileges. Here's a simple example of what that method might look like:

public function isAdmin()
{
    // Assuming 'role' is a field on the users table that determines user role
    return $this->role === 'admin';
}
  1. After updating the policy, make sure it's registered in your AuthServiceProvider. If you generated the policy using the artisan command, it should be automatically registered. If not, you can manually register it like so:
protected $policies = [
    Recipe::class => RecipePolicy::class,
];

public function boot()
{
    $this->registerPolicies();

    // ...
}
  1. Finally, ensure that your Nova resource is using the policy for authorization checks. Nova resources automatically use the corresponding model's policies if they are registered.

After making these changes, your admin users should be able to edit or delete any recipe, while non-admin users can only perform these actions on recipes they own. Remember to clear your cache if you're not seeing the changes take effect immediately:

php artisan cache:clear

That's it! Your admin users should now have the ability to edit or delete any recipe in your Nova admin panel.

Please or to participate in this conversation.