Personal blog by Mark Topper

Using Policies in Laravel Voyager

7 months ago · 2 MIN READ
#Laravel  #Voyager 

I created this post because of a question I saw on Stack Overflow.

You might want to make only some people able to modify a special page on Voyager for example.

In Voyager v1.0, this can be done with the implementation of policies.

In this guide I will make it so only users with a @ulties.com email can modify page number 1 and 2, but everyone else can modify any other pages.

This is just for example purpose and can of cause be used in terms of grouping pages to different roles or users more effectively.

First what we need to do is to create a Policy. We can do this by running php artisan make:policy name-of-policy. For this I am gonna call it PagePolicy and then running php artisan make:policy PagePolicy.

Once you have ran that command you now have a file at app/Policies/PagePolicy. Now lets tell Voyager to use our new policy, for this we will go to the menu Tools > Database and then we will click Edit BREAD next to the pages table.

Here we have all the fields and configurations set for the pages table. We can there insert the policy as App\Policies\PagePolicy.

If you now go to the Pages menu item it will use the newly created policy. At first you may not see anything, but that is because by default the policy gives anyone access to browse anything. Therefor lets try disallowing everyone to browse the pages, we can do this by adding the following method to our policy.

    public function browse(User $user)
        return false;

Now if you refresh the pages page, you should get an AccessDeniedHttpException. So then we can confirm that it works. Then change it back to true, since we do want people to browse the pages.

Then lets add another method. Voyagers BREAD have 5 different permission methods:

Browse Read Edit Add Delete Therefor the name BREAD. So in order for us to disallow some users editing some pages, we need the edit method:

    public function edit(User $user, \TCG\Voyager\Models\Page $page)
        return false;

Now if you try to edit anything, you can see that we get the same exception, which is good. You might already have noticed that we get the authenticated user along with the page they are trying to edit,

Well, you see that we get both the authenticated user and the page they are trying to edit. So there we can make a statement instead of just returning false. For my case I want to allow anyone that have the @ulties.com email to access page number 1 and 2, but everyone to access any other page. This can be done like this:

    public function edit(User $user, \TCG\Voyager\Models\Page $page)
        if (in_array($page->id, [1, 2])) {
            return ends_with($user->email, '@ulties.com');

        return true;

Now you can go implement any kind of security checks for your Voyager BREAD.

Have fun ~ Mark Topper


Mark Topper

I'm a software developer from Denmark working at Novasa Interactive ApS with the responsibility of their web servers and API structure. I am also a big contributor of open source projects on Github.
comments powered by Disqus

Proudly powered by Canvas · Sign In