
laracoft

Resource's indexQuery() and Policy's view()

In Nova, if we filter out certain records using indexQuery(), they can still be viewed by manually forming the URL. My expectation is that it cannot be viewed, updated or deleted.

Has anyone found an elegant way to make this possible without repeating indexQuery()'s logic?

bugsysha

Repeating indexQuery() logic? I never had that issue. Maybe I don't fully understand. Can you provide more info?

laracoft

Let's say I'm an account manager in a bank. The bank only allows me to see customers that belongTo me. To achieve this filtering in the resource index, we must use indexQuery.

Let's say there are 10 customers: 2, 4, 6, 8, 10 belong to me, so I can view, edit and delete them. Using the resource's indexQuery where account_manager_id = me, I can also only see them in the resource index, no other customers. All good.

However, I can still type /nova/resources/customers/1 and view customer #1, even if they don't belongTo me, as viewing is controlled by a CustomerPolicy's view returning either true or false. In order to prevent viewing/editing, I must repeat the filtering logic from indexQuery inside view in order to return false for 1, 3, 5, 7, 9 and return true for 2, 4, 6, 8, 10.

Can you follow?

bugsysha

@laracoft in policy methods when you want to view some resource, you get access to that resource as well as the user who is requesting. Then all you need to do is $customer->account_manager_id === $user->getKey(). Or if you want to be more on the OOP side, $customer->account_manager->is($user).

I don't see the need to repeat what you are saying. But maybe I'm still not following :D

laracoft

@bugsysha

Yea, so in IndexQuery, we need to write $query->where("account_manager_id", $user->id), which to me is repeating policy view's $customer->account_manager->is($user). The code may be slightly different, but the logic is the same.

The issue comes when I want to introduce more complex logic, e.g. Account Managers report to the Account Director and the Account Director wants to see all the customers that belong to all his account managers.

I have to write the same logic in both indexQuery and view in slightly different code. This is the issue I'm trying to find a better way to handle.
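One way to keep a single source of truth for "which customers may this user access" is an Eloquent local scope that both the Nova resource's indexQuery() and the policy methods call. This is an added example, not code posted by laracoft or bugsysha; it assumes a `director_id` column on the users table linking each account manager to their director, and the `Customer`/`CustomerPolicy` names used in the thread. The policy remains the real enforcement point (indexQuery only narrows the listing), so view/update/delete all go through the same scope.

```php
<?php
// app/Models/Customer.php (excerpt)
use Illuminate\Database\Eloquent\Builder;

class Customer extends \Illuminate\Database\Eloquent\Model
{
    // Single definition of the visibility rule: customers managed by $user,
    // or by any account manager who reports to $user (assumed director_id column).
    public function scopeVisibleTo(Builder $query, \App\Models\User $user): Builder
    {
        return $query->where(function (Builder $q) use ($user) {
            $q->where('account_manager_id', $user->getKey())
              ->orWhereIn('account_manager_id', \App\Models\User::query()
                  ->select('id')
                  ->where('director_id', $user->getKey()));
        });
    }
}

// app/Nova/Customer.php (excerpt): the index is narrowed by the same scope.
class CustomerResource extends \Laravel\Nova\Resource
{
    public static function indexQuery(\Laravel\Nova\Http\Requests\NovaRequest $request, $query)
    {
        return $query->visibleTo($request->user());
    }
}

// app/Policies/CustomerPolicy.php (excerpt): every ability reuses the scope,
// so a hand-typed /nova/resources/customers/1 is refused unless the row is visible.
class CustomerPolicy
{
    public function view(\App\Models\User $user, Customer $customer): bool
    {
        return $this->isVisible($user, $customer);
    }

    public function update(\App\Models\User $user, Customer $customer): bool
    {
        return $this->isVisible($user, $customer);
    }

    public function delete(\App\Models\User $user, Customer $customer): bool
    {
        return $this->isVisible($user, $customer);
    }

    private function isVisible(\App\Models\User $user, Customer $customer): bool
    {
        // Re-run the scope against this one primary key: true only if the
        // row would have appeared in the filtered index for this user.
        return Customer::visibleTo($user)->whereKey($customer->getKey())->exists();
    }
}
```

Changing the rule (for example adding the director case) then happens in scopeVisibleTo() only, and the index and the policy cannot drift apart.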
