An example of permission checking on a specific instance(s)

[cegrif01]

Consider the following url:
/users/1/tasks/2

I want to ensure that only the user with an id of 1 can get to their specific task.

I would also like to have a super admin (let's say that user as an id of 8) be able to access both

/users/8/tasks/4
and
/users/1/tasks/2

The super admin can access any task. Standard users that go to a task that isn't their own will get denied.

Is there a fetchOwn('tasks') method or a similar way to implement the example above?

[sagikazarmark]

Not sure if I am right about that, but you can also set permissions for not just a type of resource, but a specific one with an id as well. You can create a task resource locally and pass the caller's id to it. This way the resource will always have the caller's id which is what you want. However I don't know if the super user permission has a higher order of precedence or not.

[cegrif01]

As I was working with Lock today, I realized I was misunderstanding how it worked when I wrote this issue.

Correct me if I'm wrong in my assumptions:

• When using the database driver, the permissions are written to the database based on what we allow in the UserManager class (used in the readme).
• Then we can use Lock::can() to hit the lock_permissions table and check if a user is allowed to perform a certain action. The data that was just written in the previous step is now used to perform the checks underneath the Lock::can() abstraction.
• There's no end to the number of combinations and hierarchies I can build

The lack of restrictions really threw me off at first! It's so simple to build out very complex authentication structures. The more I learn how Lock works, the more impressed I am with it. I'm working on a test project to really understand the ins and outs. I will keep you posted with feedback if I find anything worth reporting on. Thank you for developing this.