# Redacting information on a record - Policy or no?


dusk cosmos
#

I have an app where regular users report accidents within the company. HR has requested that all users are able to view the accident reports but unless it's their own report or they're a manager then various information is redacted/hidden such as names, etc.

Would this be a policy/authorization thing or how would you approach this?

To me, policies and gates are typically for the entire record, not necessarily for hiding specific details but maybe I'm wrong?

royal thorn
#

My initial gut feeling tells me I'd do that in a resource

#

I do share the same thought that gates/policies are for the entire thing and perhaps also just "actions"

#

I mean, "seeing" a whole record is an action, but I'd not transform the data there to perform the sanitation there

dusk cosmos
#

Thanks for confirming. I'll try to think of a way to do this cleanly without policies

#

Looks like there are packages out there for redacting data on models but unsure if I want to pull in a whole package to do this 😄

royal thorn
#

I guess you could also implement DTOs as that is what is happening right?

#

Even if tied to some sort of permission

dusk cosmos
#

ya also a good idea but this project is being worked on by a new hire/junior and bringing in a new concept like that right now might be overwhelming.

royal thorn
#

Oh definitely

#

two resource classes could work too, one for either and inside the controller based on the user do the decision?

#

that'd be plain simple

#

but either way, you'll find a good approach

winged ember
#

You would use Policies for accessing single record information or updating a record but you can use a Model scope for something like this