Has there been any updates made to granting a role for a specific model? #659

Open
LeydianeAlves opened this issue Sep 13, 2024 · 5 comments


@LeydianeAlves

Hi, thanks for providing this package!

I was wondering if the feature for granting a role only for a given model or record is still a work in progress?

In my case, I’m looking to restrict a role to a specific organisation, and the restricted_to_id and restricted_to_type columns seem perfect for that. I already have a set of roles in use, so I’d prefer not to re-create them as organisation-specific roles.

If you need any help with completing this feature, I’d be happy to contribute. Alternatively, if you're able to share an estimated timeline for its completion, I’d appreciate that too.

@lrljoe

lrljoe commented Oct 27, 2024

Assigning a role to a user, only for a Model?

You can certainly assign an Ability for a User for a Model.

Alternatively, you could use the "Owns" approach?

Or

You could use the Scope approach.

@morris14

+1 on this.

I have 3 models in my app: User, Location, Invoice.

My goal is to be able to add abilities that control what a user can do on an invoice (view, edit, delete, etc...), those abilities would then be assigned to different roles, e.g. Location Manager... and then the Location Manager role can be assigned to a User on 1 or many different Locations.

As @LeydianeAlves says, from the assigned_roles db table, it looks like this should be doable given the restricted_to_id and restricted_to_type columns, but I can't see methods to achieve this like you can with abilities?

Thanks!

@lrljoe

lrljoe commented Jan 24, 2025

Are you intending to apply it on a per-Model basis?
If there are some rules for when it should/shouldn't apply, then the "owns" is a good way to introduce that logic.

E.g. a user can manage any Location that they own.

@LeydianeAlves
Author

Allowing an ability to a user for a specific model (or via ownership) is an option; however, for role-centric applications that need to have a list of general abilities per role, assigning these roles gets tricky when all the abilities need to be specific to a model.

I could say that all admins should be able to ban-users, but that's too general if it should apply to the Account model. If one admin should only be able to ban-users for AccountA and another for AccountB, then I need to allow that ability for the specific Account model on the User level and not the Role level.

```php
Bouncer::allow($userA)->to("ban-users", $AccountA);
Bouncer::allow($userB)->to("ban-users", $AccountB);
```

This makes it tricky to manage abilities per role, or to determine what each role can do as the abilities per models grow, as it's micromanaged on the user level.

Another issue is when all your roles are global roles, it becomes tricky to find out who are all the admins for AccountA if you have multiple roles that should be able to ban-users and users that can have a role for multiple Accounts.

By allowing general roles to general abilities and assigning a role to a user for a specific model, a user can be an admin only for AccountA and AccountB and all those general abilities given via the role only apply to those accounts. If we in the future wanted to re-define what an admin could do, this would be so much easier.
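
Added example, not part of the thread and not Bouncer's code or API: a stand-alone PHP model of the behaviour requested above, where abilities are defined once per role and each role assignment is restricted to one record. The `covers`, `can` and `usersWhoCan` helpers, the `user` and `role` keys, and treating a null restriction as a global role are assumptions; only the `restricted_to_type` and `restricted_to_id` column names come from the thread.

```php
<?php
// Added illustration in plain PHP; it makes no Laravel or Bouncer calls.
// General abilities are defined once per role.
$roleAbilities = [
    'admin'     => ['ban-users', 'edit-account'],
    'moderator' => ['ban-users'],
];

// Constructed rows. Only the restricted_to_* column names come from the thread;
// the other keys, and null meaning "global", are assumptions.
$assignedRoles = [
    ['user' => 'userA', 'role' => 'admin',     'restricted_to_type' => 'Account', 'restricted_to_id' => 1],
    ['user' => 'userB', 'role' => 'admin',     'restricted_to_type' => 'Account', 'restricted_to_id' => 2],
    ['user' => 'userB', 'role' => 'moderator', 'restricted_to_type' => 'Account', 'restricted_to_id' => 1],
    ['user' => 'userC', 'role' => 'admin',     'restricted_to_type' => null,      'restricted_to_id' => null],
];

// True when the assignment applies to the given record.
function covers(array $row, string $type, int $id): bool
{
    return $row['restricted_to_type'] === null
        || ($row['restricted_to_type'] === $type && $row['restricted_to_id'] === $id);
}

// Deny by default: allow only if a role assigned for this record grants the ability.
function can(string $user, string $ability, string $type, int $id, array $rows, array $roleAbilities): bool
{
    foreach ($rows as $row) {
        if ($row['user'] === $user && covers($row, $type, $id)
            && in_array($ability, $roleAbilities[$row['role']] ?? [], true)) {
            return true;
        }
    }
    return false;
}

// Audit query: every user holding an ability on one record, through any role.
function usersWhoCan(string $ability, string $type, int $id, array $rows, array $roleAbilities): array
{
    $users = [];
    foreach ($rows as $row) {
        if (can($row['user'], $ability, $type, $id, $rows, $roleAbilities)) {
            $users[$row['user']] = true;
        }
    }
    return array_keys($users);
}

var_dump(can('userA', 'ban-users', 'Account', 2, $assignedRoles, $roleAbilities));
print_r(usersWhoCan('ban-users', 'Account', 1, $assignedRoles, $roleAbilities));
```

Changing what an admin may do is a one-line edit to `$roleAbilities`, and the audit query answers "who can ban-users on this Account" without walking per-user grants.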

@lrljoe

lrljoe commented Jan 26, 2025

@LeydianeAlves - can you give a proper use case for this, as I think either scopes, or properly defined ownerships would work here.
