Lomkit · GautierDele · Apr 17, 2025 · Apr 16, 2025 · Apr 16, 2025 · Apr 16, 2025
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: GautierDele
diff --git a/.github/workflows/packagist-deploy.yml b/.github/workflows/packagist-deploy.yml
@@ -0,0 +1,20 @@
+name: Packagist Deploy
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: mnavarrocarter/packagist-update@v1.0.0
+        with:
+          username: "GautierDele"
+          api_token: ${{ secrets.PACKAGIST_TOKEN }}
diff --git a/README.md b/README.md
@@ -2,5 +2,69 @@
 
 # Laravel Access Control
 
-# BETA
-Please note that this package is under beta and is not recommended to use for production environment for now. End of beta should be by summer 2024.
+Laravel Access Control allows you to fully secure your application in two key areas: Policies and Queries. Manage everything in one place!
+## Requirements
+
+PHP 8.2+ and Laravel 11+
+
+## Documentation, Installation, and Usage Instructions
+
+See the [documentation](https://laravel-access-control.lomkit.com) for detailed installation and usage instructions.
+
+## What it does
+
+You first need to define the perimeters concerned by your applications.
+
+Create the model control:
+
+```php
+class PostControl extends Control
+{
+    protected function perimeters(): array
+    {
+        return [
+            GlobalPerimeter::new()
+                ->allowed(function (Model $user, string $method) {
+                    return $user->can(sprintf('%s global models', $method));
+                })
+                ->should(function (Model $user, Model $model) {
+                    return true;
+                })
+                ->scoutQuery(function (\Laravel\Scout\Builder $query, Model $user) {
+                    return $query;
+                })
+                ->query(function (Builder $query, Model $user) {
+                    return $query;
+                }),
+            ClientPerimeter::new()
+                ->allowed(function (Model $user, string $method) {
+                    return $user->can(sprintf('%s client models', $method));
+                })
+                ->should(function (Model $user, Model $model) {
+                    return $model->client()->is($user->client);
+                })
+                ->scoutQuery(function (\Laravel\Scout\Builder $query, Model $user) {
+                    return $query->where('client_id', $user->client->getKey());
+                })
+                ->query(function (Builder $query, Model $user) {
+                    return $query->orWhere('client_id', $user->client->getKey());
+                }),
+        // ...
+```
+
+Then setup your policy:
+
+```php
+    class PostPolicy extends ControlledPolicy
+{
+    protected string $model = Post::class;
+}
+```
+
+and you are ready to go !
+
+```php
+App\Models\Post::controlled()->get() // Apply the Control to the query
+
+$user->can('view', App\Models\Post::first()) // Check if the user can view the post according to the policy
+```
diff --git a/src/Controls/Control.php b/src/Controls/Control.php
@@ -49,14 +49,14 @@ protected function perimeters(): array
     public function applies(Model $user, string $method, Model $model): bool
     {
         foreach ($this->perimeters() as $perimeter) {
-            if ($perimeter->applyAllowedCallback($user)) {
+            if ($perimeter->applyAllowedCallback($user, $method)) {
                 // If the model doesn't exists, it means the method is not related to a model
                 // so we don't need to activate the should result since we can't compare an existing model
                 if (!$model->exists) {
                     return true;
                 }
 
-                $should = $perimeter->applyShouldCallback($user, $method, $model);
+                $should = $perimeter->applyShouldCallback($user, $model);
 
                 if (!$perimeter->overlays() || $should) {
                     return $should;
@@ -118,7 +118,7 @@ protected function applyQueryControl(Builder $query, Model $user): Builder
         };
 
         foreach ($this->perimeters() as $perimeter) {
-            if ($perimeter->applyAllowedCallback($user)) {
+            if ($perimeter->applyAllowedCallback($user, 'view')) {
                 $query = $perimeter->applyQueryCallback($query, $user);
 
                 $noResultCallback = function ($query) {return $query; };
@@ -147,7 +147,7 @@ protected function applyScoutQueryControl(\Laravel\Scout\Builder $query, Model $
         };
 
         foreach ($this->perimeters() as $perimeter) {
-            if ($perimeter->applyAllowedCallback($user)) {
+            if ($perimeter->applyAllowedCallback($user, 'view')) {
                 $query = $perimeter->applyScoutQueryCallback($query, $user);
 
                 $noResultCallback = function ($query) {return $query; };

diff --git a/src/Perimeters/Perimeter.php b/src/Perimeters/Perimeter.php
@@ -22,8 +22,8 @@ public function __construct()
         // Default implementations that can be overridden
         $this->scoutQueryCallback = function (\Laravel\Scout\Builder $query, Model $user) { return $query; };
         $this->queryCallback = function (Builder $query, Model $user) { return $query; };
-        $this->shouldCallback = function (Model $user, string $method, Model $model) { return true; };
-        $this->allowedCallback = function (Model $user) { return true; };
+        $this->shouldCallback = function (Model $user, Model $model) { return true; };
+        $this->allowedCallback = function (Model $user, string $method) { return true; };
     }
 
     /**
@@ -35,9 +35,9 @@ public function __construct()
      *
      * @return bool True if the condition applies; false otherwise.
      */
-    public function applyShouldCallback(Model $user, string $method, Model $model): bool
+    public function applyShouldCallback(Model $user, Model $model): bool
     {
-        return ($this->shouldCallback)($user, $method, $model);
+        return ($this->shouldCallback)($user, $model);
     }
 
     /**
@@ -73,9 +73,9 @@ public function applyQueryCallback(Builder $query, Model $user): Builder
      *
      * @return bool True if the user is allowed; false otherwise.
      */
-    public function applyAllowedCallback(Model $user): bool
+    public function applyAllowedCallback(Model $user, string $method): bool
     {
-        return ($this->allowedCallback)($user);
+        return ($this->allowedCallback)($user, $method);
     }
 
     /**

diff --git a/tests/Feature/ControlsQueryTest.php b/tests/Feature/ControlsQueryTest.php
@@ -3,7 +3,9 @@
 namespace Lomkit\Access\Tests\Feature;
 
 use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Gate;
 use Lomkit\Access\Tests\Support\Models\Model;
+use Lomkit\Access\Tests\Support\Models\User;
 
 class ControlsQueryTest extends \Lomkit\Access\Tests\Feature\TestCase
 {
@@ -21,13 +23,15 @@ public function test_control_with_no_perimeter_passing(): void
 
     public function test_control_queried_using_client_perimeter(): void
     {
-        Auth::user()->update(['should_client' => true]);
+        Gate::define('view client models', function (User $user) {
+            return true;
+        });
 
         Model::factory()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_client' => true])
+            ->clientPerimeter()
             ->count(50)
             ->create();
 
@@ -39,18 +43,22 @@ public function test_control_queried_using_client_perimeter(): void
 
     public function test_control_queried_using_shared_overlayed_perimeter(): void
     {
-        Auth::user()->update(['should_shared' => true]);
-        Auth::user()->update(['should_client' => true]);
+        Gate::define('view client models', function (User $user) {
+            return true;
+        });
+        Gate::define('view shared models', function (User $user) {
+            return true;
+        });
 
         Model::factory()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_shared' => true])
+            ->sharedPerimeter()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_client' => true])
+            ->clientPerimeter()
             ->count(50)
             ->create();
 
@@ -62,19 +70,23 @@ public function test_control_queried_using_shared_overlayed_perimeter(): void
 
     public function test_control_queried_using_shared_overlayed_perimeter_with_distant_perimeter(): void
     {
-        Auth::user()->update(['should_shared' => true]);
-        Auth::user()->update(['should_own' => true]);
+        Gate::define('view shared models', function (User $user) {
+            return true;
+        });
+        Gate::define('view own models', function (User $user) {
+            return true;
+        });
 
         Model::factory()
-            ->state(['is_client' => true])
+            ->clientPerimeter()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_shared' => true])
+            ->sharedPerimeter()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_own' => true])
+            ->ownPerimeter()
             ->count(50)
             ->create();
 
@@ -86,18 +98,20 @@ public function test_control_queried_using_shared_overlayed_perimeter_with_dista
 
     public function test_control_queried_using_only_shared_overlayed_perimeter(): void
     {
-        Auth::user()->update(['should_shared' => true]);
+        Gate::define('view shared models', function (User $user) {
+            return true;
+        });
 
         Model::factory()
-            ->state(['is_client' => true])
+            ->clientPerimeter()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_shared' => true])
+            ->sharedPerimeter()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_own' => true])
+            ->ownPerimeter()
             ->count(50)
             ->create();
 
@@ -109,23 +123,28 @@ public function test_control_queried_using_only_shared_overlayed_perimeter(): vo
 
     public function test_control_queried_isolated(): void
     {
-        Auth::user()->update(['should_shared' => true]);
-        Auth::user()->update(['should_own' => true]);
+        Gate::define('view shared models', function (User $user) {
+            return true;
+        });
+        Gate::define('view own models', function (User $user) {
+            return true;
+        });
 
         Model::factory()
-            ->state(['is_client' => true])
+            ->clientPerimeter()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_shared' => true, 'is_client' => true])
+            ->clientPerimeter()
+            ->sharedPerimeter()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_own' => true])
+            ->ownPerimeter()
             ->count(50)
             ->create();
 
-        $query = Model::query()->where('is_client', true);
+        $query = Model::query()->where('client_id', Auth::user()->client->getKey());
         $query = (new \Lomkit\Access\Tests\Support\Access\Controls\ModelControl())->queried($query, Auth::user());
 
         $this->assertEquals(50, $query->count());
@@ -135,23 +154,28 @@ public function test_control_queried_not_isolated(): void
     {
         config(['access-control.queries.isolated' => false]);
 
-        Auth::user()->update(['should_shared' => true]);
-        Auth::user()->update(['should_own' => true]);
+        Gate::define('view shared models', function (User $user) {
+            return true;
+        });
+        Gate::define('view own models', function (User $user) {
+            return true;
+        });
 
         Model::factory()
-            ->state(['is_client' => true])
+            ->clientPerimeter()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_shared' => true, 'is_client' => true])
+            ->clientPerimeter()
+            ->sharedPerimeter()
             ->count(50)
             ->create();
         Model::factory()
-            ->state(['is_own' => true])
+            ->ownPerimeter()
             ->count(50)
             ->create();
 
-        $query = Model::query()->where('is_client', true);
+        $query = Model::query()->where('client_id', Auth::user()->client->getKey());
         $query = (new \Lomkit\Access\Tests\Support\Access\Controls\ModelControl())->queried($query, Auth::user());
 
         $this->assertEquals(150, $query->count());