Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

paewebservices's avatar

Nova + field-level permissions

I would like to allow a particular user role to be able to update specific fields on a model, not the entire model; but also to have another admin role to be able to update all the fields on the model.

What's the best way to do this in Nova? Thanks in advance-

0 likes
5 replies
paewebservices's avatar

@D9705996 - Thanks. Is it possible to allow certain user roles to view a field but not update it, while allowing another admin role to update it? The documentation and the nova lesson isn't so clear on that scenario.

D9705996's avatar

I think you can use policies for this

https://nova.laravel.com/docs/1.0/resources/authorization.html#policies

so you could do something like if you are protecting a Post Model

    public function view(User $user, Post $post)
    {
    return in_array('view-posts', $user->permissions);
    }

    public function update(User $user, Post $post)
    {
    return in_array('update-posts', $user->permissions);
    }

You would then need to amend the policy logic to fit your application (Above Im assuming you have a many-to-many relationship between user and permissions but feel free to amend as you need.

Just remember that the policies live and are registered in your Application and not Nova. You might want to consider using Spatie's Permission package (or similar) for your roles, permission, etc

paewebservices's avatar

@D9705996 - Thanks again. I got the gist of "view-posts" and "update-posts" permission logic within the Post policy class. However, I need to go one step further.

Basically, I need a permission where a user can view all fields of a model but only be able update a single field of the same model.

So sticking with the Posts example, I need an Admin to be able to view and edit a Post's title and body. But also have an Editor role to be able to view both the title and body, but only be able to update the body.

This seems like a common scenario but I haven't found a workable solution.

1 like
ha@knopsmedia's avatar

You can use ->canSee() method on the nova field based on user's role or permissions

Please or to participate in this conversation.