Add Authorization Rules
After this page, you can control who can use a source in preview/export workflows.
Problem
Some sources should be visible only to specific users or roles.
Prerequisites
- Authentication in your Laravel app
- Access to the incoming
Request
Steps
Pass an authorization callback in EloquentDataSource.
php
use Illuminate\Http\Request;
new EloquentDataSource(
key: 'orders',
label: 'Orders',
model: Order::class,
fields: [/* fields */],
authorization: static fn (Request $request): bool => $request->user()?->can('viewReports') ?? false,
);For tenant safety, pair authorization with scope:
php
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Http\Request;
new EloquentDataSource(
key: 'orders',
label: 'Orders',
model: Order::class,
fields: [/* fields */],
scope: static function (Builder $query, Request $request): Builder {
$tenantId = $request->user()?->tenant_id;
if ($tenantId !== null) {
$query->where('orders.tenant_id', $tenantId);
}
return $query;
},
authorization: static fn (Request $request): bool => $request->user()?->can('viewReports') ?? false,
);Verify
- Authorized user can run preview/export with
source_key: orders. - Unauthorized user is blocked in your app layer before or during execution.
Quick verification pattern:
php
use Ihasan\ReportBuilder\DTOs\ReportDefinition;
use Ihasan\ReportBuilder\DTOs\SelectedColumn;
use Ihasan\ReportBuilder\Execution\PreviewRunner;
$result = app(PreviewRunner::class)->preview(new ReportDefinition(
sourceKey: 'orders',
selectedColumns: [new SelectedColumn('status')],
));Run this as two users and confirm row counts differ by tenant scope.
Common mistakes
- Returning
trueby default for all users. - Checking role names directly in many places instead of policies/abilities.
- Applying authorization without row-level scope in multi-tenant apps.