laravel-json-api / laravel

JSON:API for Laravel applications
MIT License

Question: Possible to use relationship data during authorisation of an update? #230

Open CarstenRuetz opened 1 year ago

CarstenRuetz commented 1 year ago

Hi all,

First of all, thanks for the great work, I’m starting to love this library :)

My question: I want to do some custom authorisation checks when updating a relationship.

Example: A File always belongs to one User. A Person has many Files (where File is an actual Laravel Model).

Now, say I log in as User ‘Carsten’ and as a contact I have Person ‘Dave’. Now I want to update Person Dave and create a relationship from Person Dave to some File X. However, I should only be allowed to do this if that File X actually belongs to me, User ‘Carsten’.

I understand how I can do this when using the relationship endpoints of Person (i.e. /people/1/relationships/files): Create a custom Authorizer, adapt the method updateRelationship() by checking in $request->toMany if it only contains files that are related to User ‘Carsten’.

But is there a way to do such detailed checks on relationships when running an update on person in general? So a request to /people/1 goes through the Authorizer method update(...):

    public function update(Request $request, object $model): bool
    {
        Log::debug('PersonAuthorizer UPDATE', [$model]);

        return $this->gate->check(
            'update',
            $model
        );

        // return true;
    }

But is there a way to access the relationship data here? I cannot use $request->toMany; also, validation has not run yet, so there is no $request->validated(). Parameter $model just gives the model (I guess queried from the database).

Is there ANY way to check on the relationship data here?

lindyhopchris commented 1 year ago

Thanks, glad to hear you are enjoying using the package.

I'm unclear why you just can't access the relationship from the model?
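
The ownership check described in the question, written as an added example that is not part of the thread and not the package's own code: it reads the `files` resource identifiers from the decoded JSON:API update document and fails closed if any of them is not owned by the current user. The function names, the `files` type name, string ids and the sample document are assumptions; how an authorizer obtains the decoded document and the user's owned file ids is left to the application.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the "files" ids named in a JSON:API update
// document, [] when the relationship is not part of the update, or null
// when the relationship member is malformed.
function requestedFileIds(array $document): ?array
{
    $relationships = $document['data']['relationships'] ?? [];
    if (!is_array($relationships) || !array_key_exists('files', $relationships)) {
        return []; // the update does not touch the relationship
    }
    $data = $relationships['files']['data'] ?? null;
    if (!is_array($data)) {
        return null; // a to-many relationship must carry a list
    }
    $ids = [];
    foreach ($data as $identifier) {
        $valid = is_array($identifier)
            && ($identifier['type'] ?? null) === 'files'
            && is_string($identifier['id'] ?? null);
        if (!$valid) {
            return null;
        }
        $ids[] = $identifier['id'];
    }
    return array_values(array_unique($ids));
}

// Hypothetical check: every requested file must be owned by the current user.
// A malformed relationship is denied rather than passed on to validation.
function mayLinkFiles(array $document, array $ownedFileIds): bool
{
    $ids = requestedFileIds($document);
    return $ids !== null && array_diff($ids, $ownedFileIds) === [];
}

// Constructed sample: PATCH /people/1 asking to link files 10 and 99.
$body = '{"data":{"type":"people","id":"1","relationships":{"files":'
      . '{"data":[{"type":"files","id":"10"},{"type":"files","id":"99"}]}}}}';
$document = json_decode($body, true, 512, JSON_THROW_ON_ERROR);

var_dump(mayLinkFiles($document, ['10', '11'])); // caller owns 10 and 11 only
var_dump(mayLinkFiles($document, ['10', '99'])); // caller owns both requested files
```

Because a to-many relationship in a resource update replaces the whole set, the list checked here includes files that are already linked as well as newly added ones.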