Add Authorization Rules

After this page, you can control who can see a source in the metadata API.

Problem

Some sources should be visible only to specific users or roles.

Prerequisites

Authentication in your Laravel app
Access to the incoming Request

Steps

Pass an authorization callback in EloquentDataSource:

php

new EloquentDataSource(
    key: 'orders',
    label: 'Orders',
    model: Order::class,
    fields: [/* fields */],
    authorization: static fn ($request): bool => $request->user()?->can('viewReports') ?? false,
);

Verify

Authorized user: GET /report-builder/sources/orders returns 200.
Unauthorized user: same endpoint returns 403.

Common mistakes

Returning true by default for all users.
Checking role names directly in many places instead of policies/abilities.
Forgetting that unauthorized sources should also be hidden from listing UX.

Add Authorization Rules ​

Problem ​

Prerequisites ​

Steps ​

Verify ​

Common mistakes ​

Add Authorization Rules

Problem

Prerequisites

Steps

Verify

Common mistakes