Authorization

[zippoxer]

How can authorize the viewing and editing of pages & options?

We're interested in completely disabling these features for specific users.

We tried registering a NovaPagePolicy and returning false in viewAny and the rest, but it didn't do anything. Everyone could still see "Pages" and "options" in the menu, and could also edit them.

This is how we tried registering the policy in AuthServiceProvider::boot:

        Gate::policy(Manager::class, NovaPagePolicy::class);
        Gate::policy(Template::class, NovaPagePolicy::class);

Is it not the way to go with authorization here?

[toonvandenbos]

Hi @zippoxer,

For the moment, we didn't work much on authorization & policies within this package.

We do automatically include an Authorize middleware for the internal API calls, however we did not configure a canSee callback on the Tool, meaning the authorization will always pass. You could include your own authorization rules during the tool's registration, hope this helps.

I'm not sure if there is more we could do. If you have a better idea, and you're willing to take a look at this issue, feel free to submit a PR. We'll be glad to help, ask your questions here or on the PR's thread.

[zippoxer]

@Nyratas

Thanks. In the meantime, this works for me in NovaServiceProvider.php:

    /**
     * Get the tools that should be listed in the Nova sidebar.
     *
     * @return array
     */
    public function tools()
    {
        return [
            \Whitecube\NovaPage\NovaPageTool::make()->canSee(function ($request) {
                return $request->user()->isAdmin();
            }),
        ];
    }

[toonvandenbos]

Great to hear!

I'm closing this issue now, I don't think we'll add more authorization capabilities soon. However, feel free to suggest changes.