php-admin/docs/authorization.md

# Authorization

Integration with Laravel's Gate and Policy system for fine-grained authorization in admin panels.

## Form Component Authorization

All form components support authorization props:

```blade
<x-admin::button
    :can="'publish'"
    :cannot="'delete'"
    :canAny="['edit', 'update']"
>
    Publish Post
</x-admin::button>
```

### Authorization Props

**`can` - Single ability:**

```blade
<x-admin::button :can="'delete'" :model="$post">
    Delete
</x-admin::button>

{{-- Only shown if user can delete the post --}}
```

**`cannot` - Inverse check:**

```blade
<x-admin::input
    name="status"
    :cannot="'publish'"
    :model="$post"
/>

{{-- Disabled if user cannot publish --}}
```

**`canAny` - Multiple abilities (OR):**

```blade
<x-admin::button :canAny="['edit', 'update']" :model="$post">
    Edit Post
</x-admin::button>

{{-- Shown if user can either edit OR update --}}
```

## Policy Integration

### Defining Policies

```php
<?php

namespace Mod\Blog\Policies;

use Mod\Tenant\Models\User;
use Mod\Blog\Models\Post;

class PostPolicy
{
    public function view(User $user, Post $post): bool
    {
        return $user->workspace_id === $post->workspace_id;
    }

    public function create(User $user): bool
    {
        return $user->hasPermission('posts.create');
    }

    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->author_id
            || $user->hasRole('editor');
    }

    public function delete(User $user, Post $post): bool
    {
        return $user->hasRole('admin')
            && $user->workspace_id === $post->workspace_id;
    }

    public function publish(User $user, Post $post): bool
    {
        return $user->hasPermission('posts.publish')
            && $post->status !== 'archived';
    }
}
```

### Registering Policies

```php
use Illuminate\Support\Facades\Gate;
use Mod\Blog\Models\Post;
use Mod\Blog\Policies\PostPolicy;

// In AuthServiceProvider or module Boot class
Gate::policy(Post::class, PostPolicy::class);
```

## Action Gate

Use the Action Gate system for route-level authorization:

### Defining Actions

```php
<?php

namespace Mod\Blog\Controllers;

use Core\Bouncer\Gate\Attributes\Action;

class PostController
{
    #[Action(
        name: 'posts.create',
        description: 'Create new blog posts',
        group: 'Content Management'
    )]
    public function store(Request $request)
    {
        // Only accessible to users with 'posts.create' permission
    }

    #[Action(
        name: 'posts.publish',
        description: 'Publish blog posts',
        group: 'Content Management',
        dangerous: true
    )]
    public function publish(Post $post)
    {
        // Marked as dangerous action
    }
}
```

### Route Protection

```php
use Core\Bouncer\Gate\ActionGateMiddleware;

// Protect single route
Route::post('/posts', [PostController::class, 'store'])
    ->middleware(['auth', ActionGateMiddleware::class]);

// Protect route group
Route::middleware(['auth', ActionGateMiddleware::class])
    ->group(function () {
        Route::post('/posts', [PostController::class, 'store']);
        Route::post('/posts/{post}/publish', [PostController::class, 'publish']);
    });
```

### Checking Permissions

```php
use Core\Bouncer\Gate\ActionGateService;

$gate = app(ActionGateService::class);

// Check if user can perform action
if ($gate->allows('posts.create', auth()->user())) {
    // User has permission
}

// Check with additional context
if ($gate->allows('posts.publish', auth()->user(), $post)) {
    // User can publish this specific post
}

// Get all user permissions
$permissions = $gate->getUserPermissions(auth()->user());
```

## Admin Menu Authorization

Restrict menu items by permission:

```php
use Core\Front\Admin\Support\MenuItemBuilder;

MenuItemBuilder::create('Posts')
    ->route('admin.posts.index')
    ->icon('heroicon-o-document-text')
    ->can('posts.view') // Only shown if user can view posts
    ->badge(fn () => Post::pending()->count())
    ->children([
        MenuItemBuilder::create('All Posts')
            ->route('admin.posts.index'),

        MenuItemBuilder::create('Create Post')
            ->route('admin.posts.create')
            ->can('posts.create'), // Nested permission check

        MenuItemBuilder::create('Categories')
            ->route('admin.categories.index')
            ->canAny(['categories.view', 'categories.edit']),
    ]);
```

## Livewire Modal Authorization

Protect Livewire modals with authorization checks:

```php
<?php

namespace Mod\Blog\View\Modal\Admin;

use Livewire\Component;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;

class PostEditor extends Component
{
    use AuthorizesRequests;

    public Post $post;

    public function mount(Post $post)
    {
        // Authorize on mount
        $this->authorize('update', $post);

        $this->post = $post;
    }

    public function save()
    {
        // Authorize action
        $this->authorize('update', $this->post);

        $this->post->save();

        $this->dispatch('post-updated');
    }

    public function publish()
    {
        // Custom authorization
        $this->authorize('publish', $this->post);

        $this->post->update(['status' => 'published']);
    }
}
```

## Workspace Scoping

Automatic workspace isolation with policies:

```php
class PostPolicy
{
    public function viewAny(User $user): bool
    {
        // User can view posts in their workspace
        return true;
    }

    public function view(User $user, Post $post): bool
    {
        // Enforce workspace boundary
        return $user->workspace_id === $post->workspace_id;
    }

    public function update(User $user, Post $post): bool
    {
        // Workspace check + additional authorization
        return $user->workspace_id === $post->workspace_id
            && ($user->id === $post->author_id || $user->hasRole('editor'));
    }
}
```

## Role-Based Authorization

### Defining Roles

```php
use Mod\Tenant\Models\User;

// Assign role
$user->assignRole('editor');

// Check role
if ($user->hasRole('admin')) {
    // User is admin
}

// Check any role
if ($user->hasAnyRole(['editor', 'author'])) {
    // User has at least one role
}

// Check all roles
if ($user->hasAllRoles(['editor', 'reviewer'])) {
    // User has both roles
}
```

### Policy with Roles

```php
class PostPolicy
{
    public function update(User $user, Post $post): bool
    {
        return $user->hasRole('admin')
            || ($user->hasRole('editor') && $user->workspace_id === $post->workspace_id)
            || ($user->hasRole('author') && $user->id === $post->author_id);
    }

    public function delete(User $user, Post $post): bool
    {
        // Only admins can delete
        return $user->hasRole('admin');
    }
}
```

## Permission-Based Authorization

### Defining Permissions

```php
// Grant permission
$user->givePermission('posts.create');
$user->givePermission('posts.publish');

// Check permission
if ($user->hasPermission('posts.publish')) {
    // User can publish
}

// Check multiple permissions
if ($user->hasAllPermissions(['posts.create', 'posts.publish'])) {
    // User has all permissions
}

// Check any permission
if ($user->hasAnyPermission(['posts.edit', 'posts.delete'])) {
    // User has at least one permission
}
```

### Policy with Permissions

```php
class PostPolicy
{
    public function create(User $user): bool
    {
        return $user->hasPermission('posts.create');
    }

    public function publish(User $user, Post $post): bool
    {
        return $user->hasPermission('posts.publish')
            && $post->status === 'draft';
    }
}
```

## Conditional Rendering

### Blade Directives

```blade
@can('create', App\Models\Post::class)
    <a href="{{ route('posts.create') }}">Create Post</a>
@endcan

@cannot('delete', $post)
    <p>You cannot delete this post</p>
@endcannot

@canany(['edit', 'update'], $post)
    <a href="{{ route('posts.edit', $post) }}">Edit</a>
@endcanany
```

### Component Visibility

```blade
<x-admin::button
    :can="'publish'"
    :model="$post"
    wire:click="publish"
>
    Publish
</x-admin::button>

{{-- Automatically hidden if user cannot publish --}}
```

### Form Field Disabling

```blade
<x-admin::input
    name="slug"
    :cannot="'edit-slug'"
    :model="$post"
/>

{{-- Disabled if user cannot edit slug --}}
```

## Authorization Middleware

### Global Middleware

```php
// app/Http/Kernel.php
protected $middlewareGroups = [
    'web' => [
        // ...
        \Core\Bouncer\Gate\ActionGateMiddleware::class,
    ],
];
```

### Route Middleware

```php
// Require authentication
Route::middleware(['auth'])->group(function () {
    Route::get('/admin', [AdminController::class, 'index']);
});

// Require specific ability
Route::middleware(['can:create,App\Models\Post'])->group(function () {
    Route::get('/posts/create', [PostController::class, 'create']);
});
```

## Testing Authorization

```php
use Tests\TestCase;
use Mod\Blog\Models\Post;
use Mod\Tenant\Models\User;

class AuthorizationTest extends TestCase
{
    public function test_user_can_view_own_posts(): void
    {
        $user = User::factory()->create();
        $post = Post::factory()->create(['author_id' => $user->id]);

        $this->assertTrue($user->can('view', $post));
    }

    public function test_user_cannot_delete_others_posts(): void
    {
        $user = User::factory()->create();
        $post = Post::factory()->create(); // Different author

        $this->assertFalse($user->can('delete', $post));
    }

    public function test_admin_can_delete_any_post(): void
    {
        $admin = User::factory()->create();
        $admin->assignRole('admin');

        $post = Post::factory()->create();

        $this->assertTrue($admin->can('delete', $post));
    }

    public function test_workspace_isolation(): void
    {
        $user1 = User::factory()->create(['workspace_id' => 1]);
        $user2 = User::factory()->create(['workspace_id' => 2]);

        $post = Post::factory()->create(['workspace_id' => 1]);

        $this->assertTrue($user1->can('view', $post));
        $this->assertFalse($user2->can('view', $post));
    }
}
```

## Best Practices

### 1. Always Check Workspace Boundaries

```php
// ✅ Good - workspace check
public function view(User $user, Post $post): bool
{
    return $user->workspace_id === $post->workspace_id;
}

// ❌ Bad - no workspace check
public function view(User $user, Post $post): bool
{
    return true; // Data leak!
}
```

### 2. Use Policies Over Gates

```php
// ✅ Good - policy
$this->authorize('update', $post);

// ❌ Bad - manual check
if (auth()->id() !== $post->author_id) {
    abort(403);
}
```

### 3. Authorize Early

```php
// ✅ Good - authorize in mount
public function mount(Post $post)
{
    $this->authorize('update', $post);
    $this->post = $post;
}

// ❌ Bad - authorize in action
public function save()
{
    $this->authorize('update', $this->post); // Too late!
    $this->post->save();
}
```

### 4. Use Authorization Props

```blade
{{-- ✅ Good - declarative authorization --}}
<x-admin::button :can="'delete'" :model="$post">
    Delete
</x-admin::button>

{{-- ❌ Bad - manual check --}}
@if(auth()->user()->can('delete', $post))
    <x-admin::button>Delete</x-admin::button>
@endif
```

## Learn More

- [Form Components →](/packages/admin/forms)
- [Admin Menus →](/packages/admin/menus)
- [Multi-Tenancy →](/packages/core/tenancy)
docs: add package documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 10:47:50 +00:00			`# Authorization`

			`Integration with Laravel's Gate and Policy system for fine-grained authorization in admin panels.`

			`## Form Component Authorization`

			`All form components support authorization props:`

			```blade
			`<x-admin::button`
			`:can="'publish'"`
			`:cannot="'delete'"`
			`:canAny="['edit', 'update']"`
			`>`
			`Publish Post`
			`</x-admin::button>`
			```

			`### Authorization Props`

			`can` - Single ability:

			```blade
			`<x-admin::button :can="'delete'" :model="$post">`
			`Delete`
			`</x-admin::button>`

			`{{-- Only shown if user can delete the post --}}`
			```

			`cannot` - Inverse check:

			```blade
			`<x-admin::input`
			`name="status"`
			`:cannot="'publish'"`
			`:model="$post"`
			`/>`

			`{{-- Disabled if user cannot publish --}}`
			```

			`canAny` - Multiple abilities (OR):

			```blade
			`<x-admin::button :canAny="['edit', 'update']" :model="$post">`
			`Edit Post`
			`</x-admin::button>`

			`{{-- Shown if user can either edit OR update --}}`
			```

			`## Policy Integration`

			`### Defining Policies`

			```php
			`<?php`

			`namespace Mod\Blog\Policies;`

			`use Mod\Tenant\Models\User;`
			`use Mod\Blog\Models\Post;`

			`class PostPolicy`
			`{`
			`public function view(User $user, Post $post): bool`
			`{`
			`return $user->workspace_id === $post->workspace_id;`
			`}`

			`public function create(User $user): bool`
			`{`
			`return $user->hasPermission('posts.create');`
			`}`

			`public function update(User $user, Post $post): bool`
			`{`
			`return $user->id === $post->author_id`
			`\|\| $user->hasRole('editor');`
			`}`

			`public function delete(User $user, Post $post): bool`
			`{`
			`return $user->hasRole('admin')`
			`&& $user->workspace_id === $post->workspace_id;`
			`}`

			`public function publish(User $user, Post $post): bool`
			`{`
			`return $user->hasPermission('posts.publish')`
			`&& $post->status !== 'archived';`
			`}`
			`}`
			```

			`### Registering Policies`

			```php
			`use Illuminate\Support\Facades\Gate;`
			`use Mod\Blog\Models\Post;`
			`use Mod\Blog\Policies\PostPolicy;`

			`// In AuthServiceProvider or module Boot class`
			`Gate::policy(Post::class, PostPolicy::class);`
			```

			`## Action Gate`

			`Use the Action Gate system for route-level authorization:`

			`### Defining Actions`

			```php
			`<?php`

			`namespace Mod\Blog\Controllers;`

			`use Core\Bouncer\Gate\Attributes\Action;`

			`class PostController`
			`{`
			`#[Action(`
			`name: 'posts.create',`
			`description: 'Create new blog posts',`
			`group: 'Content Management'`
			`)]`
			`public function store(Request $request)`
			`{`
			`// Only accessible to users with 'posts.create' permission`
			`}`

			`#[Action(`
			`name: 'posts.publish',`
			`description: 'Publish blog posts',`
			`group: 'Content Management',`
			`dangerous: true`
			`)]`
			`public function publish(Post $post)`
			`{`
			`// Marked as dangerous action`
			`}`
			`}`
			```

			`### Route Protection`

			```php
			`use Core\Bouncer\Gate\ActionGateMiddleware;`

			`// Protect single route`
			`Route::post('/posts', [PostController::class, 'store'])`
			`->middleware(['auth', ActionGateMiddleware::class]);`

			`// Protect route group`
			`Route::middleware(['auth', ActionGateMiddleware::class])`
			`->group(function () {`
			`Route::post('/posts', [PostController::class, 'store']);`
			`Route::post('/posts/{post}/publish', [PostController::class, 'publish']);`
			`});`
			```

			`### Checking Permissions`

			```php
			`use Core\Bouncer\Gate\ActionGateService;`

			`$gate = app(ActionGateService::class);`

			`// Check if user can perform action`
			`if ($gate->allows('posts.create', auth()->user())) {`
			`// User has permission`
			`}`

			`// Check with additional context`
			`if ($gate->allows('posts.publish', auth()->user(), $post)) {`
			`// User can publish this specific post`
			`}`

			`// Get all user permissions`
			`$permissions = $gate->getUserPermissions(auth()->user());`
			```

			`## Admin Menu Authorization`

			`Restrict menu items by permission:`

			```php
			`use Core\Front\Admin\Support\MenuItemBuilder;`

			`MenuItemBuilder::create('Posts')`
			`->route('admin.posts.index')`
			`->icon('heroicon-o-document-text')`
			`->can('posts.view') // Only shown if user can view posts`
			`->badge(fn () => Post::pending()->count())`
			`->children([`
			`MenuItemBuilder::create('All Posts')`
			`->route('admin.posts.index'),`

			`MenuItemBuilder::create('Create Post')`
			`->route('admin.posts.create')`
			`->can('posts.create'), // Nested permission check`

			`MenuItemBuilder::create('Categories')`
			`->route('admin.categories.index')`
			`->canAny(['categories.view', 'categories.edit']),`
			`]);`
			```

			`## Livewire Modal Authorization`

			`Protect Livewire modals with authorization checks:`

			```php
			`<?php`

			`namespace Mod\Blog\View\Modal\Admin;`

			`use Livewire\Component;`
			`use Illuminate\Foundation\Auth\Access\AuthorizesRequests;`

			`class PostEditor extends Component`
			`{`
			`use AuthorizesRequests;`

			`public Post $post;`

			`public function mount(Post $post)`
			`{`
			`// Authorize on mount`
			`$this->authorize('update', $post);`

			`$this->post = $post;`
			`}`

			`public function save()`
			`{`
			`// Authorize action`
			`$this->authorize('update', $this->post);`

			`$this->post->save();`

			`$this->dispatch('post-updated');`
			`}`

			`public function publish()`
			`{`
			`// Custom authorization`
			`$this->authorize('publish', $this->post);`

			`$this->post->update(['status' => 'published']);`
			`}`
			`}`
			```

			`## Workspace Scoping`

			`Automatic workspace isolation with policies:`

			```php
			`class PostPolicy`
			`{`
			`public function viewAny(User $user): bool`
			`{`
			`// User can view posts in their workspace`
			`return true;`
			`}`

			`public function view(User $user, Post $post): bool`
			`{`
			`// Enforce workspace boundary`
			`return $user->workspace_id === $post->workspace_id;`
			`}`

			`public function update(User $user, Post $post): bool`
			`{`
			`// Workspace check + additional authorization`
			`return $user->workspace_id === $post->workspace_id`
			`&& ($user->id === $post->author_id \|\| $user->hasRole('editor'));`
			`}`
			`}`
			```

			`## Role-Based Authorization`

			`### Defining Roles`

			```php
			`use Mod\Tenant\Models\User;`

			`// Assign role`
			`$user->assignRole('editor');`

			`// Check role`
			`if ($user->hasRole('admin')) {`
			`// User is admin`
			`}`

			`// Check any role`
			`if ($user->hasAnyRole(['editor', 'author'])) {`
			`// User has at least one role`
			`}`

			`// Check all roles`
			`if ($user->hasAllRoles(['editor', 'reviewer'])) {`
			`// User has both roles`
			`}`
			```

			`### Policy with Roles`

			```php
			`class PostPolicy`
			`{`
			`public function update(User $user, Post $post): bool`
			`{`
			`return $user->hasRole('admin')`
			`\|\| ($user->hasRole('editor') && $user->workspace_id === $post->workspace_id)`
			`\|\| ($user->hasRole('author') && $user->id === $post->author_id);`
			`}`

			`public function delete(User $user, Post $post): bool`
			`{`
			`// Only admins can delete`
			`return $user->hasRole('admin');`
			`}`
			`}`
			```

			`## Permission-Based Authorization`

			`### Defining Permissions`

			```php
			`// Grant permission`
			`$user->givePermission('posts.create');`
			`$user->givePermission('posts.publish');`

			`// Check permission`
			`if ($user->hasPermission('posts.publish')) {`
			`// User can publish`
			`}`

			`// Check multiple permissions`
			`if ($user->hasAllPermissions(['posts.create', 'posts.publish'])) {`
			`// User has all permissions`
			`}`

			`// Check any permission`
			`if ($user->hasAnyPermission(['posts.edit', 'posts.delete'])) {`
			`// User has at least one permission`
			`}`
			```

			`### Policy with Permissions`

			```php
			`class PostPolicy`
			`{`
			`public function create(User $user): bool`
			`{`
			`return $user->hasPermission('posts.create');`
			`}`

			`public function publish(User $user, Post $post): bool`
			`{`
			`return $user->hasPermission('posts.publish')`
			`&& $post->status === 'draft';`
			`}`
			`}`
			```

			`## Conditional Rendering`

			`### Blade Directives`

			```blade
			`@can('create', App\Models\Post::class)`
			`<a href="{{ route('posts.create') }}">Create Post</a>`
			`@endcan`

			`@cannot('delete', $post)`
			`<p>You cannot delete this post</p>`
			`@endcannot`

			`@canany(['edit', 'update'], $post)`
			`<a href="{{ route('posts.edit', $post) }}">Edit</a>`
			`@endcanany`
			```

			`### Component Visibility`

			```blade
			`<x-admin::button`
			`:can="'publish'"`
			`:model="$post"`
			`wire:click="publish"`
			`>`
			`Publish`
			`</x-admin::button>`

			`{{-- Automatically hidden if user cannot publish --}}`
			```

			`### Form Field Disabling`

			```blade
			`<x-admin::input`
			`name="slug"`
			`:cannot="'edit-slug'"`
			`:model="$post"`
			`/>`

			`{{-- Disabled if user cannot edit slug --}}`
			```

			`## Authorization Middleware`

			`### Global Middleware`

			```php
			`// app/Http/Kernel.php`
			`protected $middlewareGroups = [`
			`'web' => [`
			`// ...`
			`\Core\Bouncer\Gate\ActionGateMiddleware::class,`
			`],`
			`];`
			```

			`### Route Middleware`

			```php
			`// Require authentication`
			`Route::middleware(['auth'])->group(function () {`
			`Route::get('/admin', [AdminController::class, 'index']);`
			`});`

			`// Require specific ability`
			`Route::middleware(['can:create,App\Models\Post'])->group(function () {`
			`Route::get('/posts/create', [PostController::class, 'create']);`
			`});`
			```

			`## Testing Authorization`

			```php
			`use Tests\TestCase;`
			`use Mod\Blog\Models\Post;`
			`use Mod\Tenant\Models\User;`

			`class AuthorizationTest extends TestCase`
			`{`
			`public function test_user_can_view_own_posts(): void`
			`{`
			`$user = User::factory()->create();`
			`$post = Post::factory()->create(['author_id' => $user->id]);`

			`$this->assertTrue($user->can('view', $post));`
			`}`

			`public function test_user_cannot_delete_others_posts(): void`
			`{`
			`$user = User::factory()->create();`
			`$post = Post::factory()->create(); // Different author`

			`$this->assertFalse($user->can('delete', $post));`
			`}`

			`public function test_admin_can_delete_any_post(): void`
			`{`
			`$admin = User::factory()->create();`
			`$admin->assignRole('admin');`

			`$post = Post::factory()->create();`

			`$this->assertTrue($admin->can('delete', $post));`
			`}`

			`public function test_workspace_isolation(): void`
			`{`
			`$user1 = User::factory()->create(['workspace_id' => 1]);`
			`$user2 = User::factory()->create(['workspace_id' => 2]);`

			`$post = Post::factory()->create(['workspace_id' => 1]);`

			`$this->assertTrue($user1->can('view', $post));`
			`$this->assertFalse($user2->can('view', $post));`
			`}`
			`}`
			```

			`## Best Practices`

			`### 1. Always Check Workspace Boundaries`

			```php
			`// ✅ Good - workspace check`
			`public function view(User $user, Post $post): bool`
			`{`
			`return $user->workspace_id === $post->workspace_id;`
			`}`

			`// ❌ Bad - no workspace check`
			`public function view(User $user, Post $post): bool`
			`{`
			`return true; // Data leak!`
			`}`
			```

			`### 2. Use Policies Over Gates`

			```php
			`// ✅ Good - policy`
			`$this->authorize('update', $post);`

			`// ❌ Bad - manual check`
			`if (auth()->id() !== $post->author_id) {`
			`abort(403);`
			`}`
			```

			`### 3. Authorize Early`

			```php
			`// ✅ Good - authorize in mount`
			`public function mount(Post $post)`
			`{`
			`$this->authorize('update', $post);`
			`$this->post = $post;`
			`}`

			`// ❌ Bad - authorize in action`
			`public function save()`
			`{`
			`$this->authorize('update', $this->post); // Too late!`
			`$this->post->save();`
			`}`
			```

			`### 4. Use Authorization Props`

			```blade
			`{{-- ✅ Good - declarative authorization --}}`
			`<x-admin::button :can="'delete'" :model="$post">`
			`Delete`
			`</x-admin::button>`

			`{{-- ❌ Bad - manual check --}}`
			`@if(auth()->user()->can('delete', $post))`
			`<x-admin::button>Delete</x-admin::button>`
			`@endif`
			```

			`## Learn More`

			`- [Form Components →](/packages/admin/forms)`
			`- [Admin Menus →](/packages/admin/menus)`
			`- [Multi-Tenancy →](/packages/core/tenancy)`