Permissions
Qore stores permissions as named records grouped by category. Resources, menus, policies and the roles-and-permissions UI all use the same permission names.
When adding a resource, create the CRUDA permissions, assign them to the right roles, and make the model policy read those same permission names.
Resource Permissions
Resources use CRUDA permission names by default:
| Method | Permission |
|---|---|
| getViewAnyPermissions() | view any {resource} |
| getViewPermissions() | view {resource} |
| getCreatePermissions() | create {resource} |
| getUpdatePermissions() | update {resource} |
| getDeletePermissions() | delete {resource} |
The {resource} value is the resource name from QoreResource::getName(), such as customers.
Override these methods on the resource when a page should use different permission names:
```php
public function getViewAnyPermissions(): array
{
    return ['view any customers', 'view customer dashboard'];
}
```
Creating Permissions
Use the permission service in seeders, module enable hooks or app bootstrapping code.
```php
$permissions = qore()->permissions()->cruda('customers');
admin_role()->givePermissions(collect($permissions)->values());
```
For a custom permission:
```php
$permission = qore()->permissions()->create(
    name: 'export customers',
    category: 'customers',
);
admin_role()->givePermissions(collect([$permission]));
```
cruda() creates:
- view any {resource}
- view {resource}
- create {resource}
- update {resource}
- delete {resource}
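One way to check that policies and menus read the same names that were created, as an added example that is not part of Qore: `crudaNames()` and `permissionDrift()` are hypothetical helpers in plain PHP, and the seeded and referenced names below are constructed sample data.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not Qore's API: rebuilds the five default names
// this page lists for a resource.
function crudaNames(string $resource): array
{
    return array_map(
        fn (string $action): string => "{$action} {$resource}",
        ['view any', 'view', 'create', 'update', 'delete']
    );
}

/**
 * Compare the names that were created with the names that code checks.
 * 'undefined': checked somewhere but never created, keyed by location.
 * 'unchecked': created but not checked by any policy or menu item.
 * Names are compared exactly, so a typo or stray space counts as drift.
 */
function permissionDrift(array $seeded, array $referenced): array
{
    return [
        'undefined' => array_diff($referenced, $seeded),
        'unchecked' => array_values(array_diff($seeded, $referenced)),
    ];
}

// Constructed sample: what a seeder created ...
$seeded = array_merge(crudaNames('customers'), ['export customers']);

// ... and the names a policy and a menu item check (location => name).
// 'edit customers' is a deliberate mismatch with 'update customers'.
$referenced = [
    'CustomerPolicy::viewAny' => 'view any customers',
    'CustomerPolicy::view'    => 'view customers',
    'CustomerPolicy::create'  => 'create customers',
    'CustomerPolicy::update'  => 'edit customers',
    'CustomerPolicy::delete'  => 'delete customers',
    'menu:/customers'         => 'view any customers',
];

$drift = permissionDrift($seeded, $referenced);
print_r($drift);

// A non-zero exit lets a CI step fail when a checked name was never created.
exit($drift['undefined'] === [] ? 0 : 1);
```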
Seeders
Seed permissions before assigning them to roles:
```php
use Illuminate\Database\Seeder;

class PermissionSeeder extends Seeder
{
    public function run(): void
    {
        $customers = qore()->permissions()->cruda('customers');
        $export = qore()->permissions()->create('export customers', 'customers');

        admin_role()->givePermissions(
            collect($customers)->values()->push($export)
        );
    }
}
```
Menus
Menu items and sections accept permission names. The frontend receives those permissions in the globals payload and hides items the user cannot access.
```php
$menu->addMenuItem(
    label: __('Customers'),
    url: '/customers',
    permissions: ['view any customers'],
);
```
When you add a resource with addResourceMenuItem(), Qore uses the resource's getViewAnyPermissions() automatically.
Modules
Modules usually create permissions in onEnable() and remove their permission category in onDisable():
```php
->onEnable(function () {
    $permissions = qore()->permissions()->cruda('notes');
    admin_role()->givePermissions(collect($permissions)->values());
})
->onDisable(function () {
    qore()->permissions()->deleteByCategory('notes');
})
```