Call Policy / Gate, if available, even if ability granted

[garygreen]

In our system, admins have access to do everything:

Bouncer::allow('admin')->everything();

We have a user messaging system and use a MessagePolicy class to check if you are allowed to send a message to a user. In our case, we don't need the "everything" ability to grant access, even though they are an admin - we want the MessagePolicy to always fire but bouncer automatically intersects Gate::authorize('send', $message) with Bouncer granted permission via ability #18 [all abilities]

Would it be possible to have a way of telling bouncer to ignore certain abilities for one check, maybe a closure?

Bouncer::ignore('*', function() {
    Gate::authorize('send', $message); // MessagePolicy will be checked and the absolute source of truth.
});

[garygreen]

More info related to this - let's say you had a general permission:

Gate::authorize('send', $message);

Bouncer transpiles this down to these ability checks:

Collection {#1074 ?
  #items: array:4 [?
    0 => "send-message"
    1 => "send-*"
    2 => "*-message"
    3 => "*-*"
  ]
}

If you had an ability "send-message" granted for a user, again Bouncer will intersect it when you call Gate::authorize() and will automatically grant access, skipping the Policy checker class. This is a major problem for us, as we would like to have more dynamic / final checks in the policy class. Take for example our MessagePolicy class:

<?php

namespace App\Policies;

use Message;
use App\Member\Member;

class MessagePolicy
{
    /**
     * Determine if user can send a message to the given member.
     *
     * @param Member $member
     * @param Message $message
     *
     * @return string|null
     */
    public function send(Member $member, Message $message)
    {
        $fromMember = $member;
        $toMember = $message->member2;

        // Don't allow sending message to self.
        if ($fromMember->getKey() == $toMember->getKey()) {
            return $this->deny('You cannot send a message to yourself.');
        }

        $memberRepository = app('App\Member\MemberRepository');

        // Determine if the member has blocked the member
        $blocked1 = $memberRepository->isBlocked($toMember, $fromMember->getKey());
        $blocked2 = $memberRepository->isBlocked($fromMember, $toMember->getKey());

        if (! $toMember->exists) {
            return $this->deny('Member has deleted their account.');
        }

        if ($blocked1) {
            return $this->deny('You have been blocked.');
        }

        if ($blocked2) {
            return $this->deny('You have blocked them.');
        }

        if ($member->banned) {
            return $this->deny('Member is banned.');
        }

        if ($member->deactivated) {
            return $this->deny('Member is deactivated');
        }

        return true;
    }
}

Notice all the additional dynamic checks? It's critical they all fire, even though they have the "general" ability to send-message, it's dependant ultimately on other circumstances as well.

If to fix this it will mean having to skip the automatic bouncer checks in Gate and have to do it manually then that's fine with us, that's how we're use to using other permission based systems anyway:

Bouncer::disableGate();

// or maybe a config option:
'gate' => false,

public function send(Member $member, Message $message)
{
	if (! Bouncer::can('send-message')) {
		return false;
	}

[garygreen]

Sorry for so many comments on this but been doing some more thinking. If you disabled the Gate integration completely that would be quite annoying as you would have to add a policy class for every permission check even if you just want a basic named permission.

@can('see-dashboard')

Maybe Bouncer could provide a basic Policy class that is used by default, or a custom one if found for given permission check?

Basically I think the process when checking for an ability in Bouncer should be:

Have they got the named ability "send-message"
    Yes - Is there a dynamic policy class checker with additional checks?
             Yes - Pass thru to Policy check to do final checks
             No - Grant access
    No - Deny access

[JosephSilber]

There's a lot to unpack here, and I'm not sure I follow everything you said there (bit of information overload). Let's take it one step at a time:

1. we don't need [want] the "everything" ability to grant access, even though they are an admin - we want the MessagePolicy to always fire

   If I understand this correctly, you're saying you've allowed the user everything, but the messaging is an exception.

   Well, that's what forbid is for. It lets you forbid certain abilities even if it were granted by a different ability.

   There is however one catch: while an ability that hasn't been granted returns null to the gate, which makes it check your policies, a forbidden ability returns false, which immediately denies the authorization check. This is in place so that people could e.g. ban users using $user->forbid()->everything(), and be confident that no authorization check goes through.

   bouncer/src/Clipboard.php

   Lines 37 to 40 in 577d189

   	// If the response from "checkGetId" is "false", then this ability
   	// has been explicity forbidden. We'll return false so the gate
   	// doesn't run any further checks. Otherwise we return null.
   	return $id;

   In your case, it seems you'd want to change that. The only way to currently do that is to create your own clipboard instance, override the registerAt method and remove that last line:

   use Silber\Bouncer\CachedClipboard;
   
   class MyClipboard extends CachedClipboard
   {
       public function registerAt(Gate $gate)
       {
           $gate->before(function ($authority, $ability, $arguments = [], $additional = null) 
           {
               list($model, $additional) = $this->parseGateArguments($arguments, $additional);
   
               if (! is_null($additional)) return;
   
               if ($id = $this->checkGetId($authority, $ability, $model)) {
                   return $this->allow('Bouncer granted permission via ability #'.$id);
               }
           });
       }
   }

   Then register your clipboard with Laravel's container in one of your service providers:

   use Silber\Bouncer\Clipboard;
   
   $this->app->singleton(Clipboard::class, function () {
       return new MyClipboard(new ArrayStore);
   });

2. Dynamic policy checks

   Again, you could probably add this to your own clipboard instance, with something like this:

   public function registerAt(Gate $gate)
   {
       $gate->before(function ($authority, $ability, $arguments = []) {
           if ($this->checkingAtGate) return null;
   
           $gateResult = $this->getGateResult($ability, $arguments);
   
           if (! is_null($gateResult)) {
               return $gateResult;
           }
   
           // the rest of the method...
       });
   }
   
   protected function getGateResult($ability, $arguments)
   {
       $this->checkingAtGate = true;
   
       try {
           return Gate::raw($ability, $arguments);            
       } finally {
           $this->checkingAtGate = false;
       }
   }

   This doesn't really make sense in Bouncer core, since there are quite a few different ways to handle it, and I've chosen the one I've chosen. But if this particular system works for your app, you should probably be able to get something working with code similar to this.

[garygreen]

Thank you for the detailed response.

The forbid method doesn't seem like the correct option here but your second option of overriding the clipboard with some kind of checkingAtGate switch could work.

This discussion has a lot to unraval, as you say, so I'll summarise it as basically this:

Gate::authorize('send', $message);

Bouncer: Yep, user has access to do that ability, grant access.
Gate: Errrr... Hello? I have a policy checker for that permission.
      Let's not rush and say yes just yet, there's additional things I would like to check.
Bouncer: Don't care. I've already granted permission.

Interestingly, it looks like I'm not the only one with this problem, take a look at this fork and commit: pdewit@24d7bfd

Sometimes you want the policy checker to do the checking rather than Bouncer taking over everything.

cc @pdewit

[pdewit]

Hi @garygreen, it's been a while since I made that commit and I have not extensively read your post but I believe I made that change because my own defined policies/gate rules were skipped because of Bouncer being active even though they had very different names.

So if I had a self defined Gate policy called send-message (that didn't exist at all within Bouncer) it would still deny it because the user didn't have that right in the database.

Soon after I switched to something I made myself to better fit the project so I didn't spend a lot of time looking into the problem.

[JosephSilber]

So if I had a self defined Gate policy called send-message (that didn't exist at all within Bouncer) it would still deny it because the user didn't have that right in the database.

That doesn't sound right. If Bouncer doesn't have any information on a given ability, it returns null to the gate, in which case the gate will defer to its policies.

Interestingly, it looks like I'm not the only one with this problem, take a look at this fork and commit: pdewit@24d7bfd

Contrary to what you're asking, that commit actually says "even if Bouncer does know about this ability and it has been allowed, defer to the gate if it has something to say about it (though excludes policies for some reason)". I don't really understand where that would be useful. Like I said before: there are quite a few different ways to handle it.

[garygreen]

I don't really understand where that would be useful

See above example MessagePolicy, you do ADDITIONAL dynamic checks - performing a simple yes/no isn't always a solution to checking named permissions, that's the purpose of policies - to perform more complex dynamic checks. This isn't too much of a problem if you name your abilities differently so bouncer doesn't intersect, but it is definitely a problem for the ->everything() ability as there's no way around that, currently.

It's easiest enough to create your own Clipboard and override the method, but it would be nice if this use case was built into Bouncer.

I took a look at another permissions package spatie/laravel-permission and there's been a request there to do the same sort of thing - take a look at this comment: spatie/laravel-permission#578 (comment)

[JosephSilber]

See above example MessagePolicy, you do ADDITIONAL dynamic checks

I still don't follow. In the linked fork, if the gate has anything to say about this ability, the bouncer is not consulted at all.

This makes no sense to me. If you don't want Bouncer to interfere with a given ability, then simply don't register that ability with Bouncer.

[garygreen]

If you don't want Bouncer to interfere with a given ability, then simply don't register that ability with Bouncer.

As I said, it's easier enough to name permissions differently so bouncer is not consulted - but that doesn't work with ->everything(), bouncer will always consulted and there's currently no way around that (except for a custom Clipboard).

I'll just register a custom Clipboard as it doesn't look like this use case is something your open to doing in the core.

[garygreen]

I still don't follow. In the linked fork, if the gate has anything to say about this ability, the bouncer is not consulted at all.

The current clipboard uses ->before() method, that means it fires BEFORE the gate policy is checked, right? I could understand if it was ->after(), but then you can't modify the permission at that point anyway.

[pdewit]

This makes no sense to me. If you don't want Bouncer to interfere with a given ability, then simply don't register that ability with Bouncer.

This is what I was trying to do when I made the fork, but Bouncer was still interfering (I don't remember the specifics of why and what). Instead of trying to fix the issue I just made this hacky fix to play around with. I wouldn't pay too much attention to my fork, it has never been used in anything beyond prototyping.

[JosephSilber]

I could understand if it was ->after(), but then you can't modify the permission at that point anyway.

I've actually asked Taylor a while ago why the after hook doesn't let you grant abilities. He said he hasn't found a use-case 🤷‍♂️

I'll just register a custom Clipboard as it doesn't look like this use case is something your open to doing in the core.

I'm definitely open to doing it in core, if I can understand the use-cases around it. I think that for someone who needs this, doing it outside of core gets pretty messy.

Can you please outline, in a concise manner, what your use-case is?