Allow indexQuery to respect view policy

[NorthNick]

A resource's indexQuery currently ignores any policy view constraints, as documented here. This leads to significant code duplication for more security-conscious applications, as they have to implement a policy view function for each resource to restrict access and then implement the same logic again in the resource's indexQuery (as any logged in user can issue an http://.../nova-api/some-resource query to get the resource index). The access code cannot be shared, as the policy applies the logic to objects, while the indexQuery applies it to an Eloquent query. This means significant logic duplication, and the potential for inconsistencies and errors.

I would personally prefer the indexQuery to apply the view policy and only return permitted results. However there may be good reasons why it doesn't, and it would be a breaking change to existing code. So I suggest that there be a boolean variable in the Resource class which determines whether the indexQuery respects the view policy or not, and that the variable defaults to false. This would allow existing code to continue working while giving the opportunity for developers to centralise access controls if they want to.

[crynobone]

You're linking to Laravel Nova 1 documentation. However, indexQuery() is used to code the query while the view policy can only be executed after the models have been hydrated. On paginated results, this will generate inconsistent results where some pages will have 0 results while others may contain some results.

[NorthNick]

Good point about the documentation, but the behaviour is still as described there even if it's no longer written down. Thanks also for explaining about pagination but, for me, having to implement access controls twice in slightly different ways outweighs that. If Nova had the suggested flag, then developers could choose whether they prefer centralised security or consistent pagination and the fact that there is a choice would be explicit.

If you decide against the flag, can I at least suggest that the old documentation be reinstated so that people are aware that there is a hole in the access control mechanism?

[crynobone]

Feel free to suggest changes to the documentation:https://github.com/laravel/nova-docs

[NorthNick]

Sorry - my mistake: the documentation is still in place so no changes needed there.

But my first suggestion still stands: having to implement access controls twice feels very wrong.

[crynobone]

It's impossible to merge the two, without heavy performance penalty.

[NorthNick]

In that case maybe someone can help me out. What is the recommended approach for Nova resources whose access control involves something that cannot be implemented in the query builder, like polymorphic relationships or complex code decisions? How do you create an indexQuery that gives the right set of results?