Nova leverages Laravel policies to authorize incoming requests.
`Post` model and a corresponding `PostPolicy` within your application.
When manipulating a resource within Nova, Nova will automatically attempt to find a corresponding policy for the model. If Nova detects a policy has been registered for the model, it will automatically check that policy’s relevant authorization methods before performing their respective actions, such as:
- `viewAny`
- `view`
- `create`
- `update`
- `replicate`
- `delete`
- `restore`
- `forceDelete`
`Post` model, you simply need to define an `update` method on the model’s corresponding policy class:
Policy Action | Default Permission |
---|---|
viewAny | Allowed |
view | Forbidden |
create | Forbidden |
update | Forbidden |
replicate | Fallback to create and update |
delete | Forbidden |
forceDelete | Forbidden |
restore | Forbidden |
add{Model} | Allowed |
attach{Model} | Allowed |
attachAny{Model} | Allowed |
detach{Model} | Allowed |
runAction | Fallback to update |
runDestructiveAction | Fallback to delete |
`viewAny` method on the model’s policy class. If no `viewAny` method is defined for a given policy, Nova will assume that the user can view the resource:
`whenServing` method within your policy. This method allows you to only execute the given callback if the request is a Nova request. An additional callback may be provided that will be executed for non-Nova requests:
`Podcast` resources and `Comment` resources. If you would like to authorize which users can add comments to a podcast, you should define an `addComment` method on your podcast model’s policy class:
`add{Model}` policy method naming convention for authorizing relationship actions.
`add{Model}`, you should use an `attach{Model}` / `detach{Model}` naming convention. For example, imagine a `Podcast` model has a many-to-many relationship with the `Tag` model. If you would like to authorize which users can attach “tags” to a podcast, you may add an `attachTag` method to your podcast policy. In addition, you will likely want to define the inverse `attachPodcast` on the tag policy:
`attachAny{Model}` method on your policy class. This will prevent the “Attach” button from displaying in the Nova UI entirely:
`authorizable` method on the Nova resource:
`canSee` method onto your field definition. The `canSee` method accepts a closure which should return `true` or `false`. The closure will receive the incoming HTTP request:
`Authorizable` trait’s `can` method on our `User` model to determine if the authorized user is authorized for the `viewProfile` action. However, since proxying to authorization policy methods is a common use-case for `canSee`, you may use the `canSeeWhen` method to achieve the same behavior. The `canSeeWhen` method has the same method signature as the `Illuminate\Foundation\Auth\Access\Authorizable` trait’s `can` method:
`can` method, check out the full Laravel authorization documentation.
`false` from a policy’s `view` method does not stop a given resource from appearing in the resource index. To filter models from the resource index query, you may override the `indexQuery` method on the resource’s class.
This method is already defined in your application’s `App\Nova\Resource` base class; therefore, you may simply copy and paste the method into a specific resource and then modify the query based on how you would like to filter the resource’s index results:
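The index filtering described above, paired with the policy rule it has to mirror, as an added example that is not taken from the Nova documentation. It assumes the Nova 4 `fields(NovaRequest $request)` signature, a `posts.user_id` column and a boolean `users.is_admin` attribute; the column and attribute names are hypothetical.

```php
<?php
// Added example: one ownership rule enforced per record (policy) and on the
// index listing (indexQuery). Assumed, hypothetical schema: posts.user_id
// and a boolean users.is_admin.

namespace App\Policies {
    use App\Models\Post;
    use App\Models\User;

    class PostPolicy
    {
        // Any signed-in user may open the Posts index in Nova.
        public function viewAny(User $user): bool
        {
            return true;
        }

        // Guards the detail page only; it does not filter index rows.
        public function view(User $user, Post $post): bool
        {
            return $user->is_admin || (int) $post->user_id === (int) $user->getKey();
        }
    }
}

namespace App\Nova {
    use Laravel\Nova\Http\Requests\NovaRequest;

    class Post extends Resource
    {
        public static $model = \App\Models\Post::class;

        public function fields(NovaRequest $request)
        {
            return [\Laravel\Nova\Fields\ID::make()->sortable()];
        }

        // Without this override, rows the policy forbids still show in the index.
        public static function indexQuery(NovaRequest $request, $query)
        {
            $user = $request->user();

            return $user->is_admin ? $query : $query->where('user_id', $user->getKey());
        }
    }
}
```

Because the policy here defines only `viewAny` and `view`, every other action on posts falls back to the defaults in the table earlier on this page.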
`relatableQuery` method on your resource.
For example, if your application has a `Comment` resource that belongs to a `Podcast` resource, Nova will allow you to select the parent `Podcast` when creating a `Comment`. To limit the podcasts that are available in that selection menu, you should override the `relatableQuery` method on your `Podcast` resource:
`Post` resource, in which posts can be tagged, but the `Tag` resource is associated with different types of models, you may define a `relatableTags` method to customize the relatable query for this relationship:
`resource` and `resourceId` for the request via the `NovaRequest` instance that is passed to your method:
`Laravel\Scout\Builder` query instance before it is sent to your search provider. To accomplish this, override the `scoutQuery` method on your resource class: