Authorization
- How it works
- Responses
- Assign Roles & Permission to the Testing User
- Seeding some users (Admins)
- Roles & Permissions guards
Apiato provides a Role-Based Access Control (RBAC) through its Authorization Container.
Behind the scenes apiato is using the Laravel's authorization functionality that was introduced in version 5.1.11 with the helper package laravel-permission. So you can always refer to the correspond documentation for more information.
How it works
Authorization in apiato is very simple and easy.
-
Create some Roles and permissions. By default, an
admin
role and some permissions are provided by Apiato. You can find the code inapp/Containers/AppSection/Authorization/Data/Seeders/*
directory. -
Attach some permissions to the roles.
-
Now start creating users (or use existing users), to assign them to the new created Roles.
-
Finally, you need to protect your endpoints by Permissions (or/and Roles). The right place to do that is the Requests class.
Example protecting the (delete user) endpoint with delete-users
permission:
class DeleteUserRequest extends Request
{
protected array $access = [
'permissions' => 'delete-users',
'roles' => '',
];
public function authorize(): bool
{
return $this->check([
'hasAccess',
]);
}
}
For detailed explanation of this example, please visit the Requests Page.
Responses
Authorization failed JSON response:
{
"message": "This action is unauthorized."
}
Assign Roles & Permission to the Testing User
You will need to set $access
property in your test class, check out the Tests Helpers page for more details.
Seeding some users (Admins)
By default, Apiato comes with a Super Admin
.
This Super Admin Credentials are:
- email: [email protected]
- password: admin
This Admin seeded by app/Containers/Authorization/Data/Seeders/AuthorizationDefaultUsersSeeder_3.php
.
The Default Super User, has a default role admin
.
The admin
default role has no permissions given to it.
To give permissions to the admin
role (or any other role), you can use the dedicated endpoints (from your custom Admin Interface) or use this command php artisan apiato:permissions:toRole admin
to give it all the permissions in the system.
Checkout each container Seeders directory app/Containers/AppSection/{container-name}/Data/Seeders/
, to edit the default Users, Roles and Permissions.
Roles & Permissions guards
By default, Apiato uses a single guard called web
for all it's roles and permissions, you can add/edit this behavior and support multiple guards at any time. Refer to the laravel-permission package for more details.