panel
panel copied to clipboard
pelican-dev
Use `Policies` rather then overriding `can*()` functions
Closes #1831
Made this a Draft cause Filament doesn't seem to call them everywhere atm.
📝 Walkthrough
Walkthrough
This PR refactors authorization by removing can*() methods from Filament Resources and replacing them with centralized Model Policies in Admin and Server namespaces. A dynamic policy resolution system is added to AppServiceProvider to map policies based on panel context. View action visibility conditions are updated to use authorization response objects instead of direct checks.
Changes
| Cohort / File(s) | Summary |
|---|---|
Filament Server Resources - Authorization Method Removal app/Filament/Server/Resources/Activities/ActivityResource.php, app/Filament/Server/Resources/Allocations/AllocationResource.php, app/Filament/Server/Resources/Backups/BackupResource.php, app/Filament/Server/Resources/Databases/DatabaseResource.php, app/Filament/Server/Resources/Files/FileResource.php, app/Filament/Server/Resources/Users/UserResource.php |
Removed canViewAny(), canCreate(), canEdit(), canDelete() authorization methods; ScheduleResource additionally updated ViewAction visibility to use getEditAuthorizationResponse() |
Admin Policies - Namespace Migration app/Policies/Admin/ApiKeyPolicy.php, app/Policies/Admin/DatabaseHostPolicy.php, app/Policies/Admin/DefaultPolicies.php, app/Policies/Admin/EggPolicy.php, app/Policies/Admin/MountPolicy.php, app/Policies/Admin/NodePolicy.php, app/Policies/Admin/RolePolicy.php, app/Policies/Admin/UserPolicy.php, app/Policies/Admin/WebhookConfigurationPolicy.php |
Moved namespace from App\Policies to App\Policies\Admin |
Server Policies - New Authorization Implementation app/Policies/Server/ActivityLogPolicy.php, app/Policies/Server/AllocationPolicy.php, app/Policies/Server/BackupPolicy.php, app/Policies/Server/DatabasePolicy.php, app/Policies/Server/FilePolicy.php, app/Policies/Server/SchedulePolicy.php, app/Policies/Server/UserPolicy.php |
Added new policy classes with viewAny(), view(), create(), edit(), delete() methods delegating to permission checks against Filament tenant |
Policy Reorganization app/Policies/DatabasePolicy.php (deleted), app/Policies/Admin/ServerPolicy.php (added), app/Policies/Server/ServerPolicy.php |
Removed root-level DatabasePolicy; added ServerPolicy to Admin namespace with DefaultPolicies trait; migrated ServerPolicy to Server namespace with updated __call() signature and removed trait usage |
AppServiceProvider - Dynamic Policy Resolution app/Providers/AppServiceProvider.php |
Refactored Gate::before() to arrow function; added Gate::guessPolicyNamesUsing() callback to dynamically resolve policy class names based on current panel ID and model class |
Admin Resources - View Action Updates app/Filament/Admin/Resources/DatabaseHosts/DatabaseHostResource.php, app/Filament/Admin/Resources/Mounts/MountResource.php, app/Filament/Admin/Resources/Roles/RoleResource.php, app/Filament/Admin/Resources/Users/UserResource.php, app/Filament/Admin/Resources/Webhooks/WebhookResource.php |
Updated ViewAction visibility conditions from canEdit($record) to getEditAuthorizationResponse($record)->allowed() |
Possibly related PRs
- pelican-dev/panel#1768: Both PRs modify ActivityResource authorization handling—the retrieved PR updates
canViewAny()while this PR removes it entirely in alignment with Filament v4 migration. - pelican-dev/panel#1937: Both PRs reorganize the same policy classes (ApiKeyPolicy, DatabaseHostPolicy, etc.) with namespace and structure changes.
Pre-merge checks
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 21.95% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title clearly and concisely describes the main change: migrating from overriding can*() functions to using Policies instead. |
| Description check | ✅ Passed | The PR description references the linked issue #1831 and explains the draft status, which relates directly to the policy refactoring work being performed. |
| Linked Issues check | ✅ Passed | The PR successfully implements all coding requirements from issue #1831: removes can*() overrides from Resource classes, creates new Policy classes with appropriate authorization methods, reorganizes policies into Admin/Server namespaces, and updates AppServiceProvider with guessPolicyNamesUsing() to support dynamic policy resolution. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to the policy refactoring objective. Admin resources are updated to use getEditAuthorizationResponse() instead of canEdit(), and there are no unrelated modifications detected in the changeset. |
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
Comment @coderabbitai help to get the list of available commands and usage tips.
![coderabbitai[bot] avatar](https://avatars.githubusercontent.com/in/347564?v=4 "Published by a pub.dev verified publisher"){kind=small}
✅ Actions performed
Review triggered.
Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.