Closed v-stamenova closed 1 month ago
For the file format, I would suggest a YML, structured like:
# The YML file format allows for comments to be added to the file.
# This makes it possible to add explanations to the file.
# The roles are defined in the roles section of the file.
roles:
- admin # The admin role has the highest level of access.
- editor # The editor role has the second highest level of access.
- user # The user role has the lowest level of access.
# The permissons are grouped per resource and action.
# The roles that are allowed to perform the action are listed under the action.
permissions:
article:
create:
# defined as an array
[admin, editor]
read:
[admin, editor, user]
update:
# defined as a sequence
- admin
- editor
destroy:
- admin
comment:
create:
- admin
- editor
- user
read:
- admin
- editor
- user
update:
- admin
- editor
destroy:
- admin
Open questions here are:
For the naming convention, different examples can be found. It appears to be personal preference. Considerations might be:
@can("edit-article", $atricle)
") is more expressiveFor the admin command, I suggest to merge this into the UpsertMasterData.php
command. and while we are at it, why not transfer all the masterdata into this structure?
UPDATE: adding more config features, like atomic and resource permissions:
permissions:
like-page: [editor, user] # an atomic permission
launch-nuke: [admin] # another atomic permission
# Next are nested permissions. These are grouped per resource and action.
article:
create: [admin, editor] # These roles are defined as an array
update:
# These roles are defined as a sequence
- admin
- editor
destroy:
- admin
To implement this, we need to:
/config
folderphp artisan permissions:upsert
) that synchronizes the roles and permissions in the database with the definition filesEdit: We need to change the term 'upsert' into 'synchronize'. This because upsert will either insert new or update exiting items and does NOT delete items that shouldn't be in the database anymore.