Teams policy or permission policies for restriction per record

[milenmk]

Scenario:

I have set 3 different roles (Project Owner, Team Leader and Team Member) and the appropriate permissions for each role (50 permissions in total)

On the other hand, I have the following models:

1. Client model (belongs to a user, has many projects, has many tasks through projects) In this case, the "user" in question has the role Projet Owner/ My question is NOT related to this role
2. Project (belongs to many users, as there can be 2 project owners; belongs to a client, has many tasks)
3. Task (belongs to the user the task is given to; belongs to the user who created the task; belongs to a project; )

My goal is to have Team Leaders and Team Members on a "Project" basis i.e. on one project user can be a project owner, but on another one can be a team leader or team member thus it will possess different permissions.

That is why I think using the teams option will be the better approach i.e. when creating a project also create a team OR assign the team_id to be the same as the Project ID.

Still, how this can be implemented on a Project ID basis?

As far as I understand, I do not have to create a team i.e. have separate tables for team and team members.

All I have to do is give permission to a user and pass the team_id with it. But then, how can I check if a user has permission?

In Blade, we can use @can('permisson_name') ... @endcan but how to add the team_id to the equation?

Also I'd like to ask is that "team" feature related to the Jetstream teams or is a stand-alone?

[drbyte]

Also I'd like to ask is that "team" feature related to the Jetstream teams or is a stand-alone?

Not related. You could probably specify your Jetstream Team model in config/permissions.php. But you'll need to decide whether/when to use the roles/permissions provided by Jetstream vs those provided by this package.

[drbyte]

All I have to do is give permission to a user and pass the team_id with it. But then, how can I check if a user has permission?
In Blade, we can use @can('permisson_name') ... @endcan but how to add the team_id to the equation?

The way you wrote this question supposes that your UI would be displaying permission-specific things for many teams on one page ... which often is the first way we think of something when brainstorming, but in practice most of the time our UI or even the current state of any call to the application is actually about the current User, and which Team they're on ... and then everything we're displaying doesn't need a bespoke check about the team_id. Thus, this package relies on the globally set team_id at any given moment.

So, when you're displaying something about a particular team, you select that team and tell this package which team_id to scope all its querying to, and then check permissions (without passing a specific team_id, because it's added by the global value for the active team).

A similar process is used when assigning team roles/permissions to a user: set the global team_id first, then grant the roles/permissions.

[drbyte]

That is why I think using the teams option will be the better approach i.e. when creating a project also create a team OR assign the team_id to be the same as the Project ID.

Is there anything stopping your Project from being your Team?

In some applications it makes sense to treat them as the same thing: the people you assign to the project are its "team", and the team is created and disbanded for that project.

But of course in other situations they aren't the same (ie: a "team" might be a department of people, and you're not assigning the whole department to a specific project).

[milenmk]

@drbyte thank you for your comments.

So, basically, it is almost as I thought. Based on your replys:

1. Creating a project will be the equivalent of creating a team.
2. When loading the project, which is a livewire model, in the mount method I can check if the user belongs to the team
3. Then, I just check for the permission he has as usual, that comes from his role.
4. I don't need a separate table to connect the team_id with the user_id, just have to pass the team_id when assigning a user role or permission.
5. Also, in the mount method I have to first clear the team_id of the user, as it can belong to many teams and can have different roles and/or permissions in each one.

I.e. I guess something like that:

public function mount()
{
    $auth()->user()->unsetRelation('roles')->unsetRelation('permissions');
    setPermissionsTeamId('team_id');
}

On the other hand, for easier member management I guess 2 additional tables: one for the team_id and the team owner and another holding the team_id and the member ID will be a good choice, correct?

For example, the Project Owner role will be a global role. Thus, a user with this role will have many projects with many team members. To make it easier to move members between projects or adjust their permissions those 2 tables will come in handy.

However, here comes another issue:

The Team Leader role. A user can be a Team Leader on many projects, be just a member, and even be a Project Owner at some.
Thus, this user should have the ability to see all projects he is the team leader in on one page. In this case, checking/assigning team_id is not useful.