#Best practice policy check

Hello, maybe I'm completely wrong but what is the best way to check if a user is allowed to edit a model if its a longer relation chain?

For example:
user -> team -> event -> timetable -> days -> locations -> acts

What is the best practice to check if the user is allowed to edit the act?

Current possibilities I can think of:

1. Get event by current team, get timetable by event, ..., get act by stage.
2. Put an team relation to every model in the chain and just check the current Team.
3. Make hasManyThrough's in between

Thanks in advance!

You can load the user easily by just following the chain backwards. $act->load('location.day.timetable.event.team.user')

With relations like this, child relations usually depend on parent relations. For example, if a user does not have access to the team in the request, then it’s very unlikely they’re going to be able to manipulate any child resources belonging to that team and its relations.

So, I’ll “stack” policy checks like this:

$this->middleware('can:update,team');
$this->middleware('can:update,event');

And so on.

If the user cannot update the team in the request, then none of the other policies are going to get checked as it would be redundant.

If the user can’t update the team, then they’re definitely not going to be able to update any events belongs to that team.

Thanks, haven't seen this one so far I'm going to look into it!

Thanks, this one looks more structured through the app but it means you pass every parent id with the route?

For example:
Route::post('event/{event_id}/timetable/{timetable_id}/day/{day_id}/location/{location_id}/act/{act_id}/update', ..controller..)->name('act.update');

Yes, although I can’t say I’ve every had a resource with that many parameters…

There's also a plausible scenario where a user can create/update events for a team but not update the actual team

But in general, yes, go back trough the relation chain to where you know that if a user has access to a parent they should also have access to the children and authorize that

Was thinking about something simpler but couldn't come up with something. I guess the only way to simplify it would be adding a team or event relation to the act. Or a schema which I can't think of.

I think for that scenario I would change the can:update to a can view or belongs to the team policy.
Looks like I need to mix the Jetstream permissions with custom policies.

Its now a mixed solution between both of your answers.
I use the policies and inside the policies I check if the user has the permission and if the model is owned by the event. By just stacking the Policies I couldn't figure out how to check for the ownership.
No idea if that is the best solution but it works! 🙂
public function update(User $user, Act $act) { return $user->hasTeamPermission($user->currentTeam, 'act:update') && $user->currentTeam->id === $act->dayStage->day->timetable->event->team_id; }

You wouldn’t need to check for ownership, because if you’re using route–model binding then Laravel will automatically scope child bindings: https://laravel.com/docs/10.x/controllers#scoping-nested-resources

Hmm then I did something wrong. I was able to delete an act from another team.
Thanks Im going to read into it!