Authorization
Apiato provides Role-Based Access Control (RBAC) through its Authorization container. Behind the scenes, Apiato uses the Laravel Permission package (spatie/laravel-permission) for storing roles and permissions and for the checks described below.
How it works
Authorization in Apiato follows the usual RBAC model: permissions are attached to roles, roles (and, where needed, individual permissions) are assigned to users, and each endpoint declares which permissions or roles a caller must hold.
To implement the authorization process, follow these steps:
- Create Roles and Permissions
- Attach Permissions to Roles
- Attach Roles and/or Permissions to Users
- Protect Endpoints with Permissions and/or Roles
To protect an endpoint, declare the required permissions and/or roles in the $access property of the endpoint's Request class and return $this->hasAccess() from its authorize() method. That check runs at the request level, before validation rules are evaluated and before the Action is executed, so an unauthorized caller is rejected before any further processing takes place. Several permissions or roles can be listed in one string separated by "|"; hasAccess() grants access when the user holds any of the listed permissions or roles.
Keep in mind that this is an endpoint-level check: it confirms that the caller holds the permission or role, not that the caller is allowed to act on the particular record the request targets. Ownership or per-record checks still belong in the Action or Task that handles the request.
Apiato comes with some default Roles and Permissions. You can find them in app/Containers/AppSection/Authorization/Data/Seeders. You can use them as a starting point, or delete them and create your own.
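The four steps above, carried through in one seeder, as an added example (not a seeder shipped with Apiato). It assumes the Authorization container exposes Role and Permission models at App\Containers\AppSection\Authorization\Models, that the User model lives at App\Containers\AppSection\User\Models\User, that seeders extend App\Ship\Parents\Seeders\Seeder, that the API guard is named "api", and that the admin account admin@example.com already exists; the calls on the models (syncPermissions, assignRole, givePermissionTo) are the Laravel Permission package's own API.

```php
<?php

namespace App\Containers\AppSection\Authorization\Data\Seeders;

use App\Containers\AppSection\Authorization\Models\Permission;
use App\Containers\AppSection\Authorization\Models\Role;
use App\Containers\AppSection\User\Models\User;
use App\Ship\Parents\Seeders\Seeder as ParentSeeder;

// Example seeder (assumed class names and paths, see lead-in).
class UserManagementAuthorizationSeeder extends ParentSeeder
{
    // Permissions are named after the endpoint they guard; the guard name must
    // match the guard the API authenticates against ('api' assumed here), otherwise
    // hasAccess() will not find them for API users.
    private const GUARD = 'api';

    private const PERMISSIONS = ['list-users', 'delete-users'];

    public function run(): void
    {
        // Step 1: create the permissions (idempotent, so re-seeding is safe).
        foreach (self::PERMISSIONS as $name) {
            Permission::firstOrCreate(['name' => $name, 'guard_name' => self::GUARD]);
        }

        // Step 1/2: create roles and attach permissions to them. syncPermissions()
        // replaces the role's permission set, so a role never silently keeps a
        // permission that was removed from this list.
        $admin = Role::firstOrCreate(['name' => 'admin', 'guard_name' => self::GUARD]);
        $admin->syncPermissions(['list-users', 'delete-users']);

        // A least-privilege role: support staff may list users but not delete them.
        $support = Role::firstOrCreate(['name' => 'support', 'guard_name' => self::GUARD]);
        $support->syncPermissions(['list-users']);

        // Step 3: attach roles and/or permissions to users. Prefer roles; a direct
        // permission is the exception for a single account that needs one extra right.
        $adminUser = User::where('email', 'admin@example.com')->first(); // assumed to exist
        if ($adminUser !== null) {
            $adminUser->assignRole('admin');
        }

        $auditor = User::where('email', 'auditor@example.com')->first(); // assumed to exist
        if ($auditor !== null) {
            // Direct permission without a role: this user can list users but nothing else.
            $auditor->givePermissionTo('list-users');
        }
        // Step 4 (protecting the endpoint) happens in the Request class, see below.
    }
}
```

Because both roles and direct permissions feed into hasAccess(), the auditor above passes a Request that requires list-users even though no role is assigned, while the support role fails a Request that requires delete-users.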
Code Example
Protecting the delete user endpoint with the delete-users permission:
use App\Ship\Parents\Requests\Request as ParentRequest;

class DeleteUserRequest extends ParentRequest
{
    // Access requirements for this endpoint. Several values can be listed
    // separated by "|"; an empty string means no requirement of that kind.
    protected array $access = [
        'permissions' => 'delete-users',
        'roles' => '',
    ];

    // Evaluated before validation and before the Action runs; returning false
    // produces the 403 response shown below.
    public function authorize(): bool
    {
        return $this->hasAccess();
    }
}
Authorization failed JSON response (HTTP 403 Forbidden):
{
"message": "This action is unauthorized.",
"errors": []
}