vantage/authorized-attributes

Authorized Model Attributes for Laravel

Maintainers

Details

github.com/vantageoy/authorized-attributes

Source

Issues

Installs: 22 749

Dependents: 0

Suggesters: 0

Security: 0

Stars: 23

Watchers: 1

Forks: 8

Open Issues: 6

v5.0.0 2019-11-10 15:13 UTC

Requires

Requires (Dev)

MIT ab2c1151712d5f6635df57740e5f05902db1b971

  • Jari Pekkala <jari.woop@vantage.fi>

authorizationattributeslaravelhidden

This package is auto-updated.

Last update: 2025-03-29 00:49:16 UTC

README

Provides ability to dynamically add $hidden and $fillable columns to the models.

Also see Laravel API Resources if that approach suits your needs.

Installation

Require the package to your Laravel project.

composer require vantage/authorized-attributes

Usage

Please note that this package falls back to the core Guard and there are some minor differences of writing the policies between Laravel versions. See the official docs at https://laravel.com/docs/authorization

Use the Vantage\AuthorizedAttributes trait

<?php

namespace App;

use Illuminate\Database\Eloquent\Model;
use Vantage\AuthorizedAttributes;

class Post extends Model
{
    use AuthorizedAttributes;

    /**
     * The attributes that should be fillable from requests.
     *
     * @var array
     */
    protected $fillable = ['title', 'content', 'author_id'];

    /**
     * The attributes that should be hidden for serialization.
     *
     * @var array
     */
    protected $hidden = ['draft'];
}

Create and register a model policy.

<?php

namespace App\Policies;

use App\Post;
use App\User;

class PostPolicy
{
    /**
     * Determine if an draft attribute can be seen by the user.
     *
     * @param  \App\User  $user
     * @param  \App\Post  $post
     * @return bool
     */
    public function seeDraft(User $user, Post $post)
    {
    	// Post drafts can only be seen by admins and the post author
        return $user->isAdmin() || $user->created($post);
    }

    /**
     * Determine if the author_id attribute can be changed by the user.
     *
     * @param  \App\User  $user
     * @param  \App\Post  $post
     * @return bool
     */
    public function editAuthorId(User $user, Post $post)
    {
    	// Admins can re-assign the author for non-published posts
        return $user->isAdmin() && $post->isNotPublished();
    }
}

Customization

Mixin with always hidden attributes

The attributes will be hidden if no policy or ability are found as they would normally be.

Modify the ability method names

<?php

use Illuminate\Support\Str;

class Post extends Model
{
    /**
     * Get the method name for the attribute visibility ability in the model policy.
     *
     * @param  string  $attribute
     * @return string
     */
    public function getAttributeViewAbilityMethod($attribute)
    {
        return 'see'.Str::studly($attribute);
    }

    /**
     * Get the model policy ability method name to update an model attribute.
     *
     * @param  string  $attribute
     * @return string
     */
    public function getAttributeUpdateAbilityMethod($attribute)
    {
        return 'edit'.Str::studly($attribute);
    }
}