Skip to content

Add Authorization Rules

After this page, you can control who can use a source in preview/export workflows.

Problem

Some sources should be visible only to specific users or roles.

Prerequisites

  • Authentication in your Laravel app
  • Access to the incoming Request

Steps

Pass an authorization callback in EloquentDataSource.

php
use Illuminate\Http\Request;

new EloquentDataSource(
    key: 'orders',
    label: 'Orders',
    model: Order::class,
    fields: [/* fields */],
    authorization: static fn (Request $request): bool => $request->user()?->can('viewReports') ?? false,
);

For tenant safety, pair authorization with scope:

php
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Http\Request;

new EloquentDataSource(
    key: 'orders',
    label: 'Orders',
    model: Order::class,
    fields: [/* fields */],
    scope: static function (Builder $query, Request $request): Builder {
        $tenantId = $request->user()?->tenant_id;

        if ($tenantId !== null) {
            $query->where('orders.tenant_id', $tenantId);
        }

        return $query;
    },
    authorization: static fn (Request $request): bool => $request->user()?->can('viewReports') ?? false,
);

Verify

  • Authorized user can run preview/export with source_key: orders.
  • Unauthorized user is blocked in your app layer before or during execution.

Quick verification pattern:

php
use Ihasan\ReportBuilder\DTOs\ReportDefinition;
use Ihasan\ReportBuilder\DTOs\SelectedColumn;
use Ihasan\ReportBuilder\Execution\PreviewRunner;

$result = app(PreviewRunner::class)->preview(new ReportDefinition(
    sourceKey: 'orders',
    selectedColumns: [new SelectedColumn('status')],
));

Run this as two users and confirm row counts differ by tenant scope.

Common mistakes

  • Returning true by default for all users.
  • Checking role names directly in many places instead of policies/abilities.
  • Applying authorization without row-level scope in multi-tenant apps.