Integration with spatie-laravel-permissions

[projct1]

Hello)

I am developing an application with two separate servers, api + ui. A question arose. How can I correctly use the laravel-permission library to do v-can type checks for rendering ui elements? Something like the https://github.com/dystcz/nuxt-permissions library, only with importing permissions from the laravel-permissions library.

[manchenkoff]

Hey @projct1, I've never worked with laravel-permissions package before, but after a quick look at their docs I assume you are referring to Blade directives, right?

@can('edit articles')
  // Code visible only for users with permissions
@endcan

If you can provide some code sample, that would be nice as well

[projct1]

Here is the best example https://youtu.be/r3JKDe6V8xk?si=pr-yfnCRQGLk-K5J&t=122

[projct1]

Now I see something like this:

1. In our main auth route, we give all permissions along with the user:

Route::get('user', function(Request $request) {
    $user = $request->user();

    $user->can = $user->getPermissionsViaRoles()->flatMap(
        fn($permission) => [ $permission->name => $user->can($permission->name) ]
    );

    return $user;
})->middleware('auth:sanctum');

2. A new composition of the usePermissions type appears in the nuxt-auth-sanctum library. Otherwise, it will have to be implemented manually :)

[manchenkoff]

Okay, I see, thanks for the reference. If you go this way, you can just use useSanctumUser composable to extract permissions via user.can property. I do not see any benefit of having usePermissions on the module level, especially since this functionality is not a part of Sanctum, but some external package which people might not use at all.

I would suggest implementing this helper composable as a part of your application, as you mentioned. However, keep in mind, that user identity is not refetched while you are navigating between pages, so if some permissions have been revoked or assigned, you have to refetch identity manually via refreshIdentity method available as a part of useSanctumAuth composable.

[projct1]

@manchenkoff, by the way, this is a bit off topic, but could you please give me a hint?

class PlacePolicy
{
    public function edit(User $user, Place $place): bool
    {
        return true;
    }
}

class PlaceController extends Controller
{
    public function edit(Place $place): Place
    {
        return $place;
    }
}

//api.php
Route::get('places/{place}', [PlaceController::class, 'edit'])->middleware('auth:sanctum', 'can:edit,place');

I get a 403 access error.
If I remove can:edit,place, everything works. Most likely the problem is that the authorization auth:sanctum passes, but in the next middleware (can:edit,place) $request->user() returns null. Is this how it should be?

P. S. I using nuxt-auth-sanctum library and getting requests from ui server.

[manchenkoff]

Hey @projct1 , not really sure what can be the reason, but have you tried to use $request->user('sanctum') in the middleware?

[projct1]

Hey @projct1 , not really sure what can be the reason, but have you tried to use $request->user('sanctum') in the middleware?

My policy method doesn't even run because $user is null for some reason, although the previous middleware worked correctly. If I do it so that I get inside the policy method, but with a nullable user:

class PlacePolicy
{
    public function edit(?User $user, Place $place): bool
    {
        // now $user is null here
        
        return true;
    }
}

[manchenkoff]

I see, afaik sanctum token is compatible with abilities checking, but I've never tried it together with the way you are doing, so I'd recommend checking the official docs. I don't think this issue is related to sanctum specifically.