Merge pull request #339 from laravel-filament/fix/page-authorization-…

…with-record fix: Page authorization with record
filamentphp · Apr 11, 2021 · 7fe228a · 7fe228a
2 parents 4a01dd8 + caa3ff0
commit 7fe228a
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 14 deletions.
diff --git a/src/Pages/Page.php b/src/Pages/Page.php
@@ -22,13 +22,6 @@ class Page extends Component
 
     public static $view;
 
-    public function __invoke(Container $container, \Illuminate\Routing\Route $route)
-    {
-        abort_unless($this->isAuthorized(), 403);
-
-        return parent::__invoke($container, $route);
-    }
-
     public static function authorization()
     {
         return [];
@@ -95,6 +88,11 @@ public function isAuthorized()
         return Filament::can('view', static::class);
     }
 
+    protected function abortIfForbidden()
+    {
+        abort_unless($this->isAuthorized(), 403);
+    }
+
     public static function navigationItems()
     {
         return [

diff --git a/src/Resources/Pages/CreateRecord.php b/src/Resources/Pages/CreateRecord.php
@@ -74,6 +74,8 @@ public function isAuthorized()
     public function mount()
     {
         $this->fillRecord();
+
+        $this->abortIfForbidden();
     }
 
     protected function actions()

diff --git a/src/Resources/Pages/EditRecord.php b/src/Resources/Pages/EditRecord.php
@@ -68,6 +68,8 @@ public function isAuthorized()
     public function mount($record)
     {
         $this->fillRecord($record);
+
+        $this->abortIfForbidden();
     }
 
     public function save()
@@ -102,19 +104,26 @@ protected function actions()
         ];
     }
 
-    protected function fillRecord($record)
+    protected function fillRecord($key)
     {
         $this->callHook('beforeFill');
 
+        $this->record = $this->resolveRecord($key);
+
+        $this->callHook('afterFill');
+    }
+
+    protected function resolveRecord($key)
+    {
         $model = static::getModel();
 
-        $this->record = (new $model())->resolveRouteBinding($record);
+        $record = (new $model())->resolveRouteBinding($key);
 
-        if ($this->record === null) {
-            throw (new ModelNotFoundException())->setModel($model, [$record]);
+        if ($record === null) {
+            throw (new ModelNotFoundException())->setModel($model, [$key]);
         }
 
-        $this->callHook('afterFill');
+        return $record;
     }
 
     protected function form(Form $form)

diff --git a/src/Resources/Pages/ListRecords.php b/src/Resources/Pages/ListRecords.php
@@ -107,4 +107,9 @@ protected function viewData()
             'records' => $this->getRecords(),
         ];
     }
+
+    public function mount()
+    {
+        $this->abortIfForbidden();
+    }
 }
diff --git a/src/Resources/RelationManager/EditRecord.php b/src/Resources/RelationManager/EditRecord.php
@@ -85,15 +85,15 @@ public function save()
         $this->record = [];
     }
 
-    public function switchRecord($manager, $record)
+    public function switchRecord($manager, $recordKey)
     {
         if ($manager !== $this->manager) {
             return;
         }
 
         $this->callHook('beforeFill');
 
-        $this->record = $this->getQuery()->find($record);
+        $this->record = $this->getQuery()->find($recordKey);
         $this->resetTemporaryUploadedFiles();
 
         $this->callHook('afterFill');