Row level permissions and Laravel app structuring
I'd like to ask other opinions about code structuring of business logic on Laravel applications, mainly regarding permissions at the row level.

For those that don't know it, Laravel is an MVC framework for PHP, much like Rails.

For the sake of understanding, let's suppose a multi-tenant application where each user has his own albums and pictures, so far so good.

- Now, each user can invite others to collaborate (by uploading photos) into his album.
- Both the album's owner and the collaborator that uploaded the picture may be able to delete or update information about that picture.
- Only the owner may edit the album and invite new collaborators.
- Collaborators can remove themselves from the album if they want to.

Pinterest should be a nice example of something similar, but our application is probably 3 or 4 times more complex. The question is: where should I handle that kind of logic?

Laravel proposes the approach of having repositories, entities and services, which I don't fully understand, probably because of the lack of good examples. So the obvious first choice to meet those deadlines was to put it all on controllers (ew!). Now, digging into refactoring, there are many possible ways to un-spaghettize our code:

- I've seen people implement ACL at row level (looks kinda dumb and overkill)
- It would be possible to turn models into behavior-aware objects and not only data containers, something like `$album->add_photo($photo)`, and check permissions in that function
- It would also be possible to override the model's save method and do those checks there
- Or, follow the Laravel proposed road of having separate layers of concern

I suppose that having methods like `$album->can_be_edited_by($user)` may simplify the displaying of 404 errors on routes not allowed, hiding views' links, as well as validating before saving the models.

Which would you recommend, and does anyone know any simple, but understandable, example of repositories, entities and services not using .NET? Thanks!

Edit: I guess that a full ACL system would cause excessive overhead, since there may be thousands of resources associated with each user, but only one role per kind of association. For instance, pictures will have an `uploader_id` and albums will have an `owner_id`.
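The behaviour-aware-model option from the question, as an added example that is neither the asker's code nor Laravel's own: the album and picture rules written as plain PHP objects with `can…By` methods, so that one check backs the 404 on denied routes, the hidden view links and the pre-save validation alike. Class names, method names and the sample ids are assumptions.

```php
<?php
// Added illustration (not code from the question or from Laravel): the
// question's row-level rules as behaviour-aware model objects in plain PHP,
// runnable stand-alone. Class and method names are assumptions.
declare(strict_types=1);

final class Album
{
    /** @param int[] $collaboratorIds ids of users invited to collaborate */
    public function __construct(
        public readonly int $id,
        public readonly int $ownerId,
        private array $collaboratorIds = [],
    ) {}

    public function isOwner(int $userId): bool { return $userId === $this->ownerId; }
    public function isCollaborator(int $userId): bool { return in_array($userId, $this->collaboratorIds, true); }

    // Only the owner may edit the album or invite collaborators.
    public function canBeEditedBy(int $userId): bool { return $this->isOwner($userId); }
    public function canInviteFrom(int $userId): bool { return $this->isOwner($userId); }
    // Owner and collaborators may upload pictures into the album.
    public function canReceiveUploadFrom(int $userId): bool { return $this->isOwner($userId) || $this->isCollaborator($userId); }
    // A collaborator (never the owner) may remove themselves.
    public function canBeLeftBy(int $userId): bool { return $this->isCollaborator($userId) && !$this->isOwner($userId); }
}

final class Photo
{
    public function __construct(public readonly int $id, public readonly Album $album, public readonly int $uploaderId) {}

    // Album owner or the uploader may update or delete the picture.
    public function canBeModifiedBy(int $userId): bool
    {
        return $this->album->isOwner($userId) || $userId === $this->uploaderId;
    }
}

// One check used by the route (404 if denied), the view (hide the link) and
// the save path alike, so a guessed id never reaches another tenant's row.
function statusFor(bool $allowed): int { return $allowed ? 200 : 404; }

// Constructed sample: user 1 owns album 10, user 2 collaborates, user 3 is unrelated.
$album = new Album(10, 1, [2]);
$photo = new Photo(100, $album, 2);
foreach ([1, 2, 3] as $userId) {
    printf("user %d: edit album %d, modify photo %d, leave album %d\n", $userId,
        statusFor($album->canBeEditedBy($userId)), statusFor($photo->canBeModifiedBy($userId)),
        statusFor($album->canBeLeftBy($userId)));
}
```

Because every rule lives on the row object, the controller, the Blade view and the save path all ask the same question and deny by default, which is the property that keeps one tenant from reaching another tenant's album by guessing an id.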