-Hey, this is Michael Dyrynda. -And this is Jake Bennett. And welcome to Episode 179 of the North Meets South Web Podcast. I thought it was 180. 179, huh? Yeah. -179, okay. Well, hey- -Next- next- next week, we'll get to 180. 179 it is, folks. Um, it is post July 4th, and I'm still sort of hanging on to the mustache thing here- -It's fine -... a little bit. I can- I can... Look, the goatee, th- -the dirty goatee I can live with. -It- it's okay.
The mustache... -I'm gonna shave it all off for- for- -Maybe, maybe ... Laracon again. And now you're just gonna have to live with, uh, Jake with the mustache. Um, no, I'm not actually not gonna do that. I'm gonna- I'm gonna- I'm gonna just put it all back to how it- how it should normally be. Um, but in other news- -I was just- -We- we are actually staying at the same hotel. -I'm pretty stoked. -Yes, finally. -Finally, yes. -That- that worked out well in the end.
-It did end up working out well. -Worked out well in the end because I said back in February, like, "I've bo- bought my ticket, I've booked my -accommodation-" -Yep, yep. "... this is the closest hotel." And it ended up- ended up- ended up being one of -the- -Yeah, the conference, yeah ... the official, I guess, conference hotels. And so by the time you booked, three weeks before the event- Yeah. -You're like, "There's no rooms anywhere." -Yeah, you were like, oh-
-I wonder why, you know? -Right, yeah. And so they ended up opening -up, and, uh, yep. -1,200 people- -So- -1,200 people coming in. Yeah, so that -worked out. -It's gonna be awesome. I'm so excited. We can do, like, pillow fights middle of the night, just like- -Pillow fights. -Yep. -Yeah, yep. -Just gonna find out whose room is it. We gotta have- have so many people there. Knock on the doors and just hit people -with pillows. It's gonna be good times. -It's gonna be a bit like that. It's, um...
Yeah, I looked, 'cause I, um, I messaged Matt, Matt Stauffer, and I said, "What are we doing for coffee?" Because I know it's only three days, but I can't drink -Starbucks for three days. -Yep. -Like, that's not an option. -Yep, yep. I need good coffee. It turns out... Now, whether or not it is good is to be seen, but it turns out that in that hotel, in the Vib by Best Western, for those of you who are staying there, there is a coffee, there's, like, a cafe-
-Nice. Okay, okay -... downstairs in the hotel. So it- it has, like, a four-and-a-half star rating, so I'm hoping- -Sweet -... that that's good enough. -That'll be good. -There is also, for those of you staying there, a taqueria downstairs. So tacos and coffee, we should be sorted. Sounds amazing. Yeah, I'm- I'm really excited. It looks like a really nice hotel -as well. Um, like you said- -Mm-hmm ... it's like, I think the closest hotel to the venue of the ones that there are -on- -Yeah
-... that are on there. So, um- -Mm-hmm ... yeah, it's- it's gonna be amazing. I'm so excited. I cannot wait. I'm flying in Monday, leaving Thursday evening. So if any of you have no plans for Thursday, meaning you've stayed Wednesday, you did the afterparty on Wednesday, you slept in on Thursday, and now it's Thursday afternoon and you're looking for something to do, hit me up on Telegram. I'd love to hang out because Michael will probably be gone by then. Michael, will you be out by then?
-Yeah. -Yeah, so I'll be leaving at 5:30- -Yeah, we- we get in at, like, 3:00 -... which means I'll have a bit of time -for lunch. -Yeah. I'll be able to... I'll be free for lunch if anybody wants to hang out. -Yeah, we get in at 3:00-ish on- -Monday, yep ... Monday, Aaron and I. And then, we were supposed to leave at 6:00 or something -like that, 6:00 PM on Thursday. -Yeah. But our flight got pulled back to 11:00 AM.
-Ah. -So we're probably gonna be at the airport at, like, I don't know, 8:00, just to be safe. -Yeah. -Just who knows? Yeah, we can catch coffee. You and I can catch coffee.
Although I saw recently... Yeah, yeah, we'll be all right. We'll- the- we'll have plenty of opportunities to- to see each other over the- the three days- -For sure -... that- that we're there, but yeah, I am... I saw- I saw on the news or something, there was an article the other day that, like, tourism is way down for Australians into -the US at the moment, like 12 or 15%- -Wow, that's crazy -... on what they were expecting normally. -Yeah.
So I'm- I'm hoping that we have, like, a lo- although these- these flights that we bought were on sale, so they're sale dates, so I suspect that maybe they will be booked-booked. But it'd be nice to see if there's a bit of, uh, -bit of space on the plane actually. -Some extra legroom. Yeah, for sure. -Yeah. -I actually- -We'll see what happens -... there was a lady sitting in my seat on the last flight I was on.
And I didn't bother her 'cause, like, it doesn't matter, there's extra seats. And so I told the attendant, I was like, "Do you mind if I sit in another seat?" And she's like, "Yeah, that's fine." I said, "Why- why don't I just go sit in first class, it's like it's enough, should I sit up there?" She was like, "It's fine with me." She's like, "But let me check." And so she checked and the lady up front was like, "No." I was like, "Come on," so I just took an exit seat. It was fine.
-Ah, you tried. -I did try. She was almost, I mean, almost -had her. -You tried. -Yep. I was almost there. -Almost. Almost there. Almost got it. Yeah, we- we definitely for the long haul flights, the, uh, Sydney to Dallas and then the LA to Melbourne on the way back, we- -we went for exit seats. -Nice, there you go. -Aaron and I just- -Yeah, some extra room.
Um, and hopefully these are good exit seats because the last time I was coming back from the US, I went thinking that it'd be good to sit in the, like, the- the bulkhead row- -Yeah -... behind the- the bathrooms. -Yeah. -Terrible idea. Don't ever do that. Because -number one, the armrests- -Oh, no. Like, the armrests are fixed, so you can't move them. So I had, like... I was
uncomfortable the whole time. And you think because you're at the bulkhead, there's a bit more room, and there is physically a bit more room to stretch your legs out. But the problem is people walk past there to go- -Oh, God. -... to the bathroom from the bathroom. So yeah, no good. So we are on the... We're by the galley, um, on the exit- exit row this time, and to, like, the- the- the left of the plane.
So hopefully that'll be a better seat. But I didn't... I looked at even premium c- premium economy was like $6,000 return or something like that. -My gosh. -I said, "Nah. Not." -Hey, okay, I've got one- -No thank you, not for me ... one quick tip for you here -for sleeping on planes. -Mm-hmm. Okay? There is this amazing product called the Sleeper Hold. -Sleeper Hold. Is- -Right. -No, seriously. It was invented by an- -Nonsense -... an MMA guy, a UFC fighter- -Mm-hmm
... who had to go on flights and trips and stuff like that all the time. And he was, like, sick of, like, not being able to sleep well on these- on these trips. -Mm-hmm. -So he invented this thing called the Sleeper Hold. Now, I got one at a conference. I was like, "What is this nonsense?" Oh, my gosh. I will never travel without it again. It is amazing, and you can actually sleep well on flights or on buses or on- -Right -... on anything like that- ... that has,
like a rest... Like, a seat behind you. It is incredible. So if you... I mean, because you're gonna be on these insane flights, you know, you're gonna be hitting 14 and a half hour time difference jet lag thing, I would suggest snapping one of these up. Now, they're not inexpensive, but they are amazing, amazing. And so, um, check it out. Sleeper- Oh, the travel pillow. Right, right, right, right.
Sleeper Hold. Yeah, yeah. It's a s- it's a no- -When you say sleeper hold- -And I know, and I know, it's- it's not, -you know, it's not just a travel pillow. -Yeah. -It's- it's- it's a little bit different. -Yeah, yeah, yeah. They've got some really good marketing as well, but I've actually used it and the marketing holds up. The hype holds up. It's really good. So for any of you listening who are gonna be going to Laracon, grab a Sleeper Hold. Tell them
Jake sent you, there's no referral code or anything. Sorry, otherwise I would give it to you. But, uh, they're pretty sweet. Pretty sweet. So... Right. So this thing, you strap to the... You strap to the seat, and it kind of holds your head so your face doesn't flop forward. That's right. Yeah, so you have a little neck thing that- -Yeah, cool -... goes behind, just behind the- the, like, the little dip in your neck, in the back of your neck. You just put the pillow -there- -Mm-hmm
... and then there is a strap that goes around the back of the seat. And then there's like an eye mask that kind of goes over the front of your eyes and holds your head in place up against the back of the seat. And you don't, you know- -Yeah, right -... those neck cushions, they don't actually hold your head up, so you- you kind of, you have to try- -Yeah, yeah, yeah -... lean your head back. It doesn't work very well. This works amazingly, and I have slept like a baby on flights with
-this thing. So, highly suggest it. -I'm, uh... I have sent this to my wife. -Mm-hmm. -I am very fortunate in that I, generally speaking, on a flight, will close my eyes and wake up eight or nine hours later. -That's amazing. -Especially on the way back. Especially on the way back, because it'll be, you know, three days of go, go, go. We've got the- the mostly technical party on Monday night.
-Yep, Monday night. -We've got after dark on- on Tuesday night, then there's like... I assume we'll do something on- -Wednesday night, yeah. Did you- -... on Wednesday night as well, and then -we're gonna be up- -There's a link, I'll send it to you. -There's a Luma something. -Yeah, yeah, yeah. I- -You get that one? -Yes, that was for Tuesday night, I think, -that one. Yeah, I got that one s- -I think that was- -So, did that, um... -I thought that- I thought that was for Wednesday. Let me look.
-Luma after party. -Can you double check? Yep, I'm looking right now. Tuesday. You're right, it is Tuesday. Yep. -Mm-hmm. -My bad. Yeah. Yeah, so, um, that, and then Wednesday night, I assume we'll do something. Go -grab dinner or something- -Yeah, yeah ... with the- with the guys. Anyone who's- who's keen for that. -For sure. -Um, and then Wednesday we'll be up early, and then we're just gonna have to try and power through LA. Um, Aaron and I are
gonna go and do the unthinkable. And I don't know if we're actually gonna do this, but I- I joked to Aaron, I said, "So, outside of LAX, there's a Five Guys, -an In-N-Out, and a Chick-fil-A." -Gotta do it. And I'm like, "We'll just eat all of them. We'll just do all three." You gotta do it. And then, uh, yeah. So by the time I get on that plane, and- and this has happened every time I've left the US for- for any trip that I've been over there, I'm asleep before wheels up. Like,
before we leave the ground- ... my eyes are shut. I'm out. Yeah. -Oh, my gosh. -And they come- they come at like an hour or- or- or two later, and they're like, "Do you want dinner?" I'm like, "It's midnight. I don't- I don't want dinner. Go away." -That's funny. -"Why did you wake me up for this?" So... -That's hilarious. -This light- this light keeps on flicking off and on for some reason, I don't know why. So every now and then I get shrouded in darkness. -Well- -So yeah, Laracon, uh, this-
Anyway, long story short. Yeah, absolutely ... this will be our last- last North Meets South before Laracon. Uh, we've got... We'll do an episode of Laravel News next week. Mm-hmm. And then we'll be on location. Is it that quick? No. Oh, no. We will have one more North Meets South before Laracon. Okay. Okay. And then we'll be on location. Yep, yep, yep, yep, yep. So yeah. A- and then for Laravel News, you and I will be, uh, running around. You did a day one recap last year with-
-Yes -... David Hemphill. -Yes. -Which made- made me feel very slighted, -uh, that you would- -I'm so sorry. ... you would do something like- like that. I think I mentioned you. I thought I mentioned you. -You did- you did mention me. -Okay. But, uh, you know, I will- I will- I'll be there this time, so you watch yourself. And so it will definitely be you and me. Yeah, Hemphill. Watch it, you're gonna -get- you're gonna get a- -So yeah, we'll do-
-... shiv. -We'll do a recap day one and we'll do day two, 'cause there was no day two last year. -Right. -Um, and I think we're gonna go around and -do some like vox pops- -Absolutely ... and speak to people and- and talk to them as well for Laravel News, so that'll be a bit of fun. Something- something to do. -Should be a good time. -So if- if you are interested in doing that, keep an eye out for us. We'll- we'd love to talk to you about what you think. I saw Taylor's got like a two-hour
-keynote at the end of day one. -Wow. So that'll be- that'll be a bit of fun. And looks like there's a lot of variety in the talks as well. If you've- if you've seen the schedule, there's some- there's some, um, you know, 30-minute talks, 20-minute talks. They're all over the place this year, which- which is good. I think- I think mixing things up like that is- is good for the audience as well. Um, getting a- a mix of lengths and types and-
and all sorts. So -very excited to get back over there- -Yeah ... after, what, six years or whatever it's been. Yep. It's gonna be incredible to have you, dude. It's been too long. Too long since we've been able to hang out in- in, uh, the real, right? In 3D. -Mm-hmm. -So it'll be fun. It'll be lots of fun. Hey folks, we have a couple different topics that I would like to talk about today. The first one is this. Should you have
a middleware call inside the constructor of a controller? Okay, so set it up for you. This is something that used to be supported and I do not think it's supported anymore in Laravel 12, which is this. Inside of a controller you can, in the constructor, say, "This middleware," and then specify a middleware. And what this will do is this will apply that middleware to anything that you're going to be accessing that controller
through, right? Any route that references anything that points to that controller, you can have a middleware in the constructor of that controller. Okay. Are you ready? Think about it for a second. Make up your mind. Do you think you should put it there or not? And go. All right, what do you think, Michael?
No. And you, you, you posted this the other day- -I did -... in Telegram, and I- I'm gonna grab a water while you formulate your response and, and tell me why I shouldn't do it, so then I can actually come back and tell you why I think you should. But go ahead. Yeah. I mean, Laravel 12, you said you can't do it, so that's, that's as good a reason as any to not do it. Um, I know
there used to be some explicit reason to do it. Like, you... There was some part of the request lifecycle that wasn't available inside of your route definitions, which is why you, you maybe wouldn't have done it previously. Like, you wanted to dynamically apply a middleware or something like that inside of the controller constructor. The, the reason I don't like the idea of putting the middleware in the controller is kind of similar to why I don't like using, um,
events too much. I don't particularly like using observers and, and global scopes, although those things are a little bit more -opaque now- -Yeah, for sure they are ... because we've got the attributes to say, like, observed by, scoped by, and all of that kind of stuff. But I feel like the routes file is the first place that I'm going to look in a new application to see everything that's happening across the application. Like, I know what
functionality is available, I know where to reach it. It's a very quick and easy way. W- this is the same reason I don't like route definitions inside of controllers using attributes, which is a thing that has- -Fair enough -... like, come and gone in the past.
Because if you want to s- I mean, you can always do a route list and see the route list that way, but I think opening up the routes file and just scrolling through it and seeing everything that's there is my preferred method for, for dealing with that kind of stuff. When you start putting things in- inside a constructor, it's, it becomes less visible. Um, it... Like, does it still appear in the route list if you d- define a -middleware there? -That's a good question. I honestly don't
-know. -'Cause that would be my hesitation. -I'm not sure. -Yeah. 'Cause that would be, that would be -another hesitation of mine- -I kinda feel like it wouldn't -... is that you don't know. -I kinda feel like it would not. Yeah. Yeah. Um, so yeah, my, eh, I never, I never do. Um, all of my middlewares are defined inside of -the routes file. Yeah. -Fair enough. Now that being said, uh, I mean there are multiple other places where there are middlewares being placed onto
things without your knowledge or just explicitly by the framework. So, you know, one of those places is in the bootstrap, uh, app.php file, where you're- -Mm-hmm -... setting up all your routes and all those things. And if you use a then, uh, portion of the section there when you're defining those different routes, then you can apply middlewares there and things like that. You know, you can set up a new stack essentially. You have web, you have
API, you have console, which are all getting set up. You have up, which is also another one that ships by default with Laravel 11. But if you have a then, you know, you might do something like development routes. Like, if you're in development, you will, then you'd bind these development routes, and you could put, uh, prefixes or middlewares on it in there.
Uh, there was previously in, you know, previous versions where you had a, a route service provider or something like that, or the HTTP kernel, you could do things in -there as well when you'd register those- -Mm-hmm ... or when you'd bind those sorts of things. And so, it's not like it's only ever been that the routes file is the only place where middlewares are applied. I -mean, there's a web- -Right. There's a web stack that's applied by default.
-Yeah, yeah. -So I get the argument that, like, if you can just go see the web.php, you can see everything on there, but it's not actually true. Like, there's... That's all the -things- -Mm-hmm ... that you would put on there, but it's definitely not all- -Yeah -... the things that are on there. -Yeah. -So, um, I would say that, like, as far as the user definitions are defined, I agree that the web.php is where you would go see
all the user-defined things most of the time. Um, you do have to be a little bit careful if you're migrating from legacy applications, and that's the situation here. That's why we ran into this, is we've... You know, we've been on this since Laravel 4, and so this very particular application has been upgraded to 4, 5, 6, 7, 8, 9, 10, 11, 12. And so, 12- -Yeah -... is when it sort of- -Yeah -... dropped support for it and caused some
issues for us. The one thing I will say that is helpful, and maybe the reason why, um, what you were talking about, is like if you wanted to resolve something out of the constructor in order to be able to apply that to a middleware or s- pass that in as something to the middleware, it's possible that at one point that was not available. But obviously now you can make your own middleware classes and things
like that, so it's not a problem. Um, but if there is a middleware that you want to apply to every single method inside of that controller, it is possible for someone to miss that when they're defining a new route for that controller, right? Maybe they don't look and see the other places. Maybe that control... Maybe the, the locations where, uh, those are defined are not co-located. Maybe they're just adding a new one to the bottom of the list and they don't go
find it. That controller middleware, uh, is not gonna be applied now. And so, that could be problematic. Now, that's... Maybe there's ways around that. Maybe you can put an architecture test in place. But that was the particular argument that I had, which was like, it's not necessarily all bad to be able to define it in the controller. I can see the arguments for why you maybe wouldn't, -but I don't think it's- -Mm-hmm ... I don't think it's that bad. I don't know. I don't know. Yeah.
I'm just trying to look back on when, when it was actually... 'Cause there's nothing in the Laravel 12 upgrade guide that I can see that's obvious that says this has been removed. So... -All I know is it was throwing an error. -Controller middleware. -Yeah. -Oh no, it's still here. -It was throwing an error. -Controller middleware. -Go ahead. Yeah, maybe just- -Ouch
-... maybe the way that we defined it. -Oh, you put it... Yeah. So used to be in a, um, cons- in the construct method, and now you can define it as a stat- a public static method that returns an array inside the controller. I got it. -So it's still able to be used- -And you, and you implement the has -middleware -... just not in the same way. Oh, I see. I -see. -Mm-hmm. Yep. Just not in the same way. Okay. Fair enough.
Fair enough. Middleware may be assigned to the controller's routes in your routes file. You may find it convenient to specify middleware within your controller class. To do so, your controller should implement the HasMiddleware interface,
which dictates that the controller should have a static middleware method. From this method, you may return an array of middleware that should be applied to the controller's actions, and you may also define ControllerMiddleware as closures- -Hmm, interesting -... which provides a convenient way to define an inline middleware without writing an entire middleware class. But it doesn't, doesn't really say why or when you would do this- -Sharp knives -... which I guess is... You know, sharp
knives, right? Laravel provides many ways to do the same thing. I would, I would posit that doing it inside of the controller is potentially a less, um, what's the word? Like, a less conventional way of doing it. -I agree. I do agree with that. -But, you know, it's documented. Um, yeah. I don- I mean, yeah, i- for... I wouldn't do it in the controller for the same reason that I wouldn't, that I don't subscribe to, to doing route definitions inside of the controller. -And that's fair. -Um...
I, I do get that. Yeah, and, and so it sounds like it's not necessarily... Th- the method by which we were using it is deprecated, but the, the idea itself- -Mm-hmm -... is still very much documented and relevant inside of Laravel. So, fair enough. I, I think that's, uh... You know, it's again, sharp knives, use them if you want to, uh, if you don't... If you cut -yourself- -Yeah ... don't complain, right? Just deal with it. So... Yeah. It's certainly like a top level documentation item.
-Yeah. -Right? It's in, on this page, introduction, writing controllers, controller middleware. So it's not hidden. It's not one of those things that, like, gets pushed down the documentation until one day it disappears and then you know that it's... It, it likely won't ever be removed.
Eh, in, you know, the way that Laravel typically handles deprecations, is just that at some point it's determined to be not the best practice or, you know, there's another way of doing it that's, that's more appropriate or more, uh, efficient or whatever else. And so the documented approach becomes the way to do things, and stuff that drops out might get deprecated eventually, you know, in two or three major releases time. But,
um, it typically survives even though it's not documented. So it's still, still there as a top level thing. But yeah, I don't, I don't see where this... I, I'd have to dig to find out, you know, why you would do it in a constructor. Like, what, what was the documented reason -for doing it- -Yeah -... essentially? -Yeah. I, I don't even know if I could tell
you in this case. I, I think it... This one is honestly just... It was like a authorization check to see if somebody had a particular role or something like that, -that's all it was. -Mm-hmm. Mm-hmm. Like, "Can they do this particular thing?" If they can't do this particular thing, then there's no reason for them to see the view, the update, the create, the delete. Th- they shouldn't be able to do any of that stuff, like, don't bother even- -Right -... doing a policy on it. There was...
This was before policies were a thing. You just said, "At the controller level, don't bother, just abort. Before they ever do anything with it, just abort." Which brings me to my next question. Um, unless you have anything else you wanna talk about, which I... So, I've got -one more thing and that's- -No, no, go for it. -Okay. Okay. -Are you... You meant, you, you, you floated this, like you got in early with this one, so you've... It's obviously on -your mind- -It is
-... so let's talk about- -Yes. Okay. So we talked about this with the other devs on the team earlier today. Okay. So I'm gonna try and set up the world for you a little bit and then we can chat. And I think you can help me point out maybe some p- some potential flaws, or maybe not flaws but pitfalls that I might be looking into or that I might need to investigate and/or better ways to structure this. Okay, so here it is.
-Mm-hmm. -Let's say I have 20 apps, which I do, and let's say that each of those applications has, currently has their own roles. And the way that we're checking permissions or abilities inside of any of these locations and inside of any of these applications is only through checking of
if a user has a role. Okay? So that is, that is the way that we've done it. Now, the problem with that is that the onl- if you only define roles, the only way to give somebody permission to do something is to assign them a role. Does this make sense? -So- -Mm-hmm. Yep ... if you have a person, let's say that there's a manager who's stepping out for a week and they have a person on their team who's like their number two, right,
assistant to the regional manager if you will. And they need this, they need this user to sort of take their place, interim, uh, manager, uh, for a week. The only way, i- but they really only need them to do one part of their job, which is that they need to run this report every day and send it to the CEO. Let's say that's the -deal. -Yeah. Right? That's it. That's all they need to do.
But because the only way to give them that permission is to assign them that role, in addition to getting the ability to run the report, they also get the ability to put in coaching entries or reprimand other peop- or s- read entries for other teams', um, employees or team members that are on that team, right? Not what you're -asking for, not what you're looking for. -No.
Certainly, like, not a least privileged situation. And so what we're running into is that we have people who have permissions that they should never have just because they were given them temporarily and then they were never removed. Right? So the only way that we can catch this is if we do these audits, which we end up doing, but it's a big pain in the neck. And there are ways, there
are better ways to do this. So, I'm gonna ex- I'll explain to you sort of our proposition and then I'll continue to kinda go through how we wanna manage it. The proposition is in any place where we have a HasRoleCheck, we're gonna remove that HasRoleCheck and we're going to name the thing that they're trying to do at that check. So, instead of
HasRole, we're going to s- HasRoleManager, we're gonna say CanRunReports. In that spot, that one spot where they check to see if they ha- if they're a manager. Instead we're going to say name that thing that they're trying to do, they're trying to run a report, and then we're going to ask the question User CanRunReports. Right? Okay. So we're going to change it from a role to a permission or ability. Permission and ability are the same word, essentially. Which do you prefer?
Mm-hmm. I, I think the, the general advice, like the 90%, 95% use case, is to assign -roles and check permissions. -Okay. Permissions. It's certainly the way that, that we operate, is that we will always check that -the user can do something. -Yeah. Okay. We would never... Well, I say never. In our modern stuff, in our new stuff, it's always a permission check. Okay. Uh, or a policy check or whatever else. Previously, in our old code, it w- it was
-base... Like, we would assign roles. -Yeah. Yeah. We had a permissions table, but p- but permissions were never implemented, so it was always like, "Is... Does this user have a role?" -Yeah. -We would always check are they an admin, -are they a manager. -Yep. Are they a group manager. We had, um... And, and like you say, that then means that that person has access to everything that that role enables them, um, whereas you want, typically, I think, your permissions to be as granular as possible.
Yes. The... Yes, correct. I agree with all of that. Um, my question specifically is, when we're talking about that, you're using the word permissions to talk about a granular level thing that they can do. Another word that I've heard used for that -is ability. So, my question is- -Mm-hmm ... for the remainder of our discussion, would you prefer me call them permissions or abilities? It depends on what you... If you're just using Laravel stuff, I'd call them
-permissions. -Okay. So, yeah, permissions. And that's -what my guys sort of said too. They said- -And you- ... "Oh, we like to call them permissions instead of abilities." 'Cause I've called -them abilities- -Yeah ... in the past, and I th- we can call them- -Yeah -... permissions. That's fine. -It's a bit... Like, I think Bouncer? -Yes. 'Cause I know you've used Bouncer in the past. Well that, well that's because of abilities. Bouncer refers to the roles and abilities.
-Yeah. Yeah. -Yeah, right. Um, I think... How would you -think about this? -And then there are no permissions, we're first giving out permissions. Yeah. Like, you have permission to do something, but you have the ability to -enact that, that something, right? -Yeah. Yeah. So, I think it depends on which way you're looking at... You know, is the user the one that... You know, does the user have the ability to do this thing? -It- -I know. They're, they're synonymous.
-The user has the ability- -They're synonymous. Yeah. Or does the user have the permission? Yeah. Yeah. And so, I'm just trying to establish, like, uh, the domain language for our team, like, whether we're gonna be using the word ability, permission. I've -used the word ability- -Yeah ... but I think we're switching over to using the word permission.
Sounds like if the rest of your... Yeah, I was gonna say, it sounds like if the rest -of your team- -Yeah -... is using permission- -Yeah, that's the word that they would like -to use -... then, then you're using permission. -Agreed. -Um, and like I said, I, I think the, the fact that ability is in your head is probably owing to the fact that you used- -100% -... that you've used Bouncer in the past -as well. -Yes, it is. But, like, Spatie, Spatie has a permissions package.
-Yeah. -I think generally when people speak about -it, it's permission rather than... Yeah. -Yeah. Okay. So, we've got permissions, right? In every spot where we're doing the HasRole, we're going to check, uh... Instead of HasRole, we're gonna say HasPermission essentially. Think about it that way, right? So, we're gonna make everything very granular, and
so our application will check for permissions. Now, the second part of this is imagine that across those 20 apps, you know, every app has its own set of permissions that, that are a part of that, right? -Now- -Mm-hmm ... who manages those permissions is the question. Who gets to manage those? Well, I will tell you, my preference is that I never ever manage those. I want my team to write the code that enables people who have that permission to do that thing.
-That's what I want my team to do. -Mm-hmm. But I do not want my team to manage permissions. I want the IT staff to do that. -Um- -Right ... and for them, even only in a limited capacity. So, um, what I would like to have happen then is if you can think of a different application... So you have these 20 applications that live on the bottom level there, and all those le- all those are doing is they're checking for abilities. So, there is essentially no,
no concept of roles anymore in those. We're gonna rip those out of that application. No roles anymore. It's just permission checks. We're gonna go up a layer, and now you're gonna have an application, uh, one layer above that knows about all the different applications and then knows about all the different roles in those applications, and then groups together different permissions for those particular roles.
-Mm-hmm. -Does that make sense? Now, that application that sits above that is active directory, essentially, is the idea, -right? -It's exactly what that is. Yeah. I mean, that's what it is. And so, and so what we're thinking is, like, why reinvent the wheel on that? E- essentially what we do is we have a user, and that user will have a job function, which is essentially their job title,
right? So if I have a banking manager, um, that banking manager is going to have specific permissions inside of each of those 20 different applications, right? Inside of some of those applications, they may have a role of manager. So, like in the case of, like, coaching, right? -Mm-hmm. -Because they're a manager, they're going to have likely a coaching manager role inside that application, but the
application doesn't know anything about that. All it knows about at the end of the day is which permissions that user was granted when they come in. The way that this will be structured then in Active Directory is you will have a coaching_, so it's actually namespaced in Active Directory. App_coaching, which is the name of the app, _role or ability. So, app_coaching_manager. That's the role, right?
-Mm-hmm. Mm-hmm. -And then nested underneath that would be additional security groups that would apply to that particular role, right? So app_coaching can add new coaching log. App_coaching- -Yep -... can run coaching reports. And those abilities may only live under app coaching manager, but they also may run under... May live under app coaching admin. Right? So those abilities have basically a one-to-many relationship between- -Mm-hmm -... those, uh, those different security
groups. Okay? And then each user would get assigned to one of those security roles. Okay. The reason why that's all important is because when a user is created in the system, they will get a single set of roles. That's it, that's what they get. They get the ones that belong to their particular job function and nothing else.
-So if- -Mm-hmm ... that user that was previously mentioned needs to take over for their manager for a week to run that report, instead of giving them app_coaching_runreport, or sorry, a- app_coaching_manager, they would get the ability of app_coaching_canrunreport. They would get that single ability rather than the manager role. Now here's the really interesting thing.
We are going to say that anybody who needs an additional permission outside of the ones that apply to their specific role, they only get a lease on that permission. -Yeah. -Does that make sense? So it's- -Yep -... expiring, meaning that they can ask for it for a period of time, and then after that, it goes away. It gets removed- Yeah -... from their user- -Yeah ... so that we don't end up with this mess of what we're talking about, where a user
gets a permission and it just is signed forever. So you have somebody who started in one team and they've moved three times, and now they have inherited permissions for every single team they've ever been on. -Yeah. Mm-hmm. -Which is a freaking disaster mess. -Um- -Yeah ... and it's really unclear what they actually still need and what they don't -because they were never removed. -Mm-hmm. -Yeah. -And so that's the big picture of what we're trying to- -So- -... accomplish. Yeah.
Mm-hmm. So are these, the expiring permissions, are they being managed inside of Active Directory, or are you doing that, like some scheduled task that goes through and, and cleans up these permissions where expiry date is in the -past? -Yeah, you got it. And so it's actually a little bit silly. We're using AD LDAP, so Active Directory- -Mm-hmm -... L- LDAP. What is, uh, listing
directory? I don't know. It's, like, that protocol basically that lets you- -Yeah, yeah, yeah -... talk to those things. -Yeah. -And what we do is when somebody wants an additional permission, we can say, "Okay, they want..." You know, select the application you're trying to get permissions for. Coaching. "All right, here are all the ab- roles and the abilities that are available for you to lease." "Okay, I want to be able to run the report." "Okay. When does it, when
does it expire?" "It expires in, in a week." And then they say, "Okay, request." Their manager has to look at it, approve it, and once their manager approves it, it will then send that off to our auth application, and then that thing actually adds that, uh, group... -Uh, sorry, adds that user- -Mm-hmm -... sorry, to that group. -Yeah. And then it will, you know, check the end date every day at 7:00 AM, and when the end day
hits, it will remove that user from that group. And then when they log in the next time, it will look at the AD groups that they are a part of and it will remove the ability that they previously had, uh, when they logged in- -Right -... last time.
-Mm-hmm. -So that's the idea. Now the, the big challenges that I'm running into here is that this top level app, uh, that's going to help manage all these things has to be aware of all the different mappings that I have for these abilities inside of all these different -applications, which is- -Yeah ... that is the pain, but I don't really know of a better way to do it if I don't -want- -Yeah ... my team to manage it.
Yeah. And it also means that anytime you add a permission somewhere, you've gotta do it in two places. -Yes, correct. -You've gotta do it in the app, and you've -gotta do it in the- -Active Directory -... the overseer- -Yeah -... as well. -Yeah. Yeah. But yeah, I mean, and, and expiring permission is a good way to, to deal with it, I think, especially from a compliance perspective. -Yeah, exactly. -You know, no one should have access to things that they shouldn't have access to, so having that-
-And we can see when they requested it -... That's amazing. And it's like... Yeah. Yeah, if you're keeping audit trail of it, that's, that's gonna be helpful for that kind of stuff as well, 'cause you know that no one's got access to anything that they shouldn't. And if they do, you know, they shouldn't typically have access to it. You know when they requested it, when it was approved, by who, and when it
was removed. And, um, yeah, I mean, it's no different to how when you create GitHub tokens and things like that, you can request for it to be, you know, seven days or 30 days or 90 days or, or, or unlimited. And as much as it annoys me every 30 days to have to, to -roll a token- -I know, right ... I think probably having a, a 30 day token is, is still the, the correct answer for most things. -Yeah, there's, um, the- -Spreaker. Spreaker on the pitch. Yeah. Oh, he's ...
He- he's got his, uh, he's got his pajamas on. Harrison, you wanna say hi real quick? Come here. Come here. Yeah, that's fine. -The baby of the bunch. -Har- come say hi here. Hold on. Hold on. Let me put your headphone. -Look at him. -Say, say hey, Michael. Hi, Michael. So big. Hey, man. How you doing? He's s- -He's doing good. -I remember the, the last time I saw him was teeny tiny in a pram in New York. -That's how long ago that was. -Oh, that's right. Dude, that was Laracon.
-No, look at him. -Harrison, you were in Laracon. -Yeah. -You were at Laracon with us at eight weeks old, remember? You don't remember. -I don't remember. -No, he don't remember. All right, say, say, "Hello world." Say it l- nice and loud to everybody. Hello world. -There he is. -I love the eye roll. Sorry. Sorry. Bye, Harry. Um, so, uh, yeah, what was the last thing I was gonna s- oh, here's the other piece of this which is really interesting, I think.
Um, if, so when a permission is about to expire, we can send an email out and say, "Hey, you have this permission which is about to expire. If you need to extend your lease -on it- -Mm-hmm ... you can request, uh, an extension here." And they could click it. It could -fire- -Yeah ... off that extension request, and then their manager could approve it again, and
then it could happen. Right. So I think it re- and so what that allows essentially, is that allows me to not only actually remove the burden from my software development team, it actually also removes the ability of my IT guys to get involved. They'll have to add new permissions- -Mm-hmm -... but they should never really have to get involved in the modifying of permissions outside of- -Yeah -... if we need to add a default permission
to a particular job function or job role. Right? Um... So it'll be a little bit of like a hand in glove situation where we do need to work closely with them on some of those things. But as it is right now, it's sort of a pain in the neck because they'll have to message one of the software devs and be like, "Hey, somebody said they need to run that report. What role do they need?" That's, that's... 'Cause there's, it's not transparent to them at all- -Yeah -... what, what roles are needed for what
particular abilities. And so it's just we're trading problems, and I think it's a better solution. Yeah. -So. -So two, two things that I just thought of. Number one, um, how easy are you making it? So if I have to go and request permission to do some report, is it fairly obvious that I'm like, "This is the permission that I want"? -Right. Like- -Are you naming them in such a way? 'Cause- Yeah ... most, most permission stuff would be transparent to... I mean, maybe managers
know what the permissions are. You know, there would be some level of knowledge there depending on their technical skill. But for most, most workers, I would imagine that they don't know what they're asking for. That's agreed. That- that's true. And I think right now, it's completely obli- n- -nobody knows. There's no good catalog- -Yeah ... of abilities, right? And so what we would have to do as part of this is we'd
have to... You know, we'd give it a good name, and we've got a convention that we're using to convert the abilities, um, to good named AD security objects. And then we need to give good definitions to them as well. A- and so that'll be part of- -Yeah -... the process of converting these over,
is just making sure that we give good descriptions of what they are. And then we'll probably have to do something like a package, honestly, something that's going to help to coordinate the different abilities between the different applications. Or we'll have to create an endpoint that lives on these applications where they can be hit and queried, and then they can return back those, those pieces of data. 'Cause I really don't wanna have to update...
I- I don't wanna have to update a package every time I wanna add a new ability. I -don't wanna have to do that. And so- -Right ... I think if we just created an endpoint that was like, "Hey, give me all the different ability. Give me, give me your permissions catalog," and it could, it could say what those are, then we can just essentially advertise that and, you know, use an API token, go grab the abilities, uh, the abilities catalog, and then, um,
push those into a config item or something like that. You know what I mean? I'm not -using the- -Yeah -... right wording here, but that- -Yeah ... that would be the idea. So yeah, that, I think- -Yeah -... that would be how you'd do it. You would try and make it as obvious as we could. So that was, that was number one. Yeah.
-And you had number two. -Um, I think the, the other thing, the other thing was, you know, if, if you needed to request an extension... I mean, you, you said at the top that people would be asking for permission to do something because their manager is -going to be away. So if they need- -Ah ... to extend that, who's, who's approving that? -Yeah, no. -Because the manager's obviously, you know, -away for a bit longer, so there's- -That's a good-
-... that's something to consider as well. -That's a good question. Um- Like, someone would have to approve it, -um- -Yeah ... and they would probably... Like, I would, I would say that that is more the exception than the norm, where maybe, you know, your team or IT would have to step -in and go- -Yes ... "Well, they had it." Yeah, typically, that, that has happened before. -But then you'd have- -Yeah, where, where we would have somebody -who's away- -And I think you would probably have some
-rules around that as well. -Yeah. Like, you can only request one extension, or the extension can only be for two days -or something like that. -Yeah. And we did a, we did a similar kind of thing with, um, like invoices. When you've got an overdue invoice, you can request an extension. And so the, the frontline staff would have permission to request an
extension, and there'd be, there was a series of rules. Like, you could, you could ask for s- uh, 14 days or seven days, but you could only ask for each once. So initially, you'd get like a 14-day buffer. And then if you had already asked for 14 days, you could only ask for a seven-day extension from there. And then there was like... that was it. And that was, like, enforcing business rules ar- around those kinds of things. Because there's also this expectation of,
um... This was in telecommunications, so there's, there's a whole code of practice around, um, not l- allowing customers to get, you know, dig themselves into debt- -Yeah, yeah -... over these kinds of things that, you know, you would have to, you'd have to cut them off. You wouldn't be able to keep extending them so that you didn't keep charging them for a service that they -clearly can't pay for or- -Yeah
... or had no interest in paying for. So, um, yeah, maybe something like that where, you know, you get one, one, um, bump. You know, it gives you an extra three days or something. And then beyond that, you have to ask for a whole new thing. -Yeah. -Um, that, you know... Yeah, w- what that looks like for, for your organization and, and how you implement that or what the, what the business rules around that is, you know, up to, up to you guys. But it might be one approach that, that could be
-suitable. -It's a good idea to have a maximum number of, um, extensions that you could do though. I think that's a great idea. It's -not something- -Right ... I'd thought of before. 'Cause yeah, otherwise you could just have somebody continue to request extensions and just kind of go that way. And- -Mm-hmm -... that does defeat the purpose a little bit, especially if we have, like, long-term leases.
You could ask for a new... Yeah, but you could, you could ask for a new- -Correct -... extension. -Yes. Absolutely. Yeah, you- -But it would, like, you couldn't just, you couldn't have like a seven-day extension for the time that manager's away, and then you would just ask for like... I would just top that up for another three days, -another three days- -Yeah ... another three days. Like, you would wanna set a cap on that.
-Yeah. -But if they, there was genuinely a need for it, you know, if the manager had delegated the responsibility of running that report to someone else, then, you know, that would just have to request that -permission, you know- -Absolutely -... and say, "Okay, yes-" -And we have, I think the solution- "... let's do it again. Here's another seven days or here's 30 days now." Yeah, the solution in that instance would be like these long-term leases that we -would have, that would be like- -Mm-hmm
... you could request up to like a six-month lease or something like that. If -you're- -Yeah ... if, you know, in some instances, maybe it'd go through an additional approval process or something where it's like, "Why are you asking for a six-month approval?" Mm-hmm. Uh, you have to have the approval of two... Or sorry, a six-month lease, you
have to have the approval of two people in order to get that or something. Um, and if it was gonna be made a more permanent part of a role or delegated to somebody else, then we might need to make an additional layer, an initial role, like a training, uh, assistant. You know what I mean? Something like that role. And then they just get that ability as well. Um, but again, the nice thing about this is that if we needed to make that role, we would not have to be involved with that at
all. That decision can be made higher up the chain- -Mm-hmm -... and we just check for the ability. -Yeah. -So it's really nice. -Yeah. -It allows the IT teams- -Yeah. The roles can be created whenever. -You got it. Yeah, roles can be created whenever, as long as they're composed of existing -permissions. -You got it exactly right. And so I think
that really frees them up to do a lot of work. Now-... um, the, the trick is naming the abilities well, and then the second trick is making sure that they kinda stay in sync across this, uh, orchestrating, uh, entity that, th- that sits above it. And so... That's it. That's it, but I, I think, I think that works. Um, and I think we actually might be able to get away without using permissions or
bouncer, Laravel permissions or bouncer, actually. Because we already have... -Mm-hmm -... a process by which when a user logs in, we look at all the security groups they're a part of, and we can inspect that and assign permissions, uh, it's basically just an array. It's just an array of permissions- -Yeah -... which would be an enum cast of, you know, w- of AD groups, AD security groups mapped to named permissions. And we'll just cast them to an enum on that user and that's it.
-Yeah. -There's no, there's no need for, like, -this one- -Yeah, I think- ... to many whatever, because we're not gonna do roles inside of the application. Right. Yeah. I think if, if the permissions for your application are coming from something like Active Directory, then there's, there's no need to -layer the package on top. -Agreed.
As long as you've got some way of translating those things into... You know, I mean, you could d- dynamically register policies or whatever else, or, or gates -and things like that- -Mm-hmm ... based on this. And then, whether you cache that, you know, for 24 hours, do you cache that just for the request, like do you use- -It's... Yeah, just for the session -... it once or whatever? -Yeah, it's just... Yep. -Yeah.
Yeah, and when they log in again, it does the check again. So it, it goes and talks to AD and says give me the list of, uh, security groups they have. -So you're not- -Yeah. So how are you, how are you dealing with, like, changing in permissions if, if -someone like- -Doesn't log in? -... has a permission unassigned- -Yeah, right -... while, like, during a session? -This is a good question. And, and this is- Are you-
I don't have a good solution to this. This is a good, this is a good question to ask. So, wh- what I will say is like right now, and the way that they've had to do it, like if they've had to add a permission is they'll add the permission and then they'll ask the user to sign out and sign back in, right? They sign out, they sign back in, when they sign back in- -Yeah. Yeah, adding, adding is fine. -Yep.
Because someone, because someone wants that, I want extra things- -Yes -... yeah, I'll do, do the work to sign out -and sign back in. -Exactly. Now, the question is- -But if you are having some permission- -... do we revoke that? -... revoked. -Yeah. Yeah. -Yeah. -Now, the way that we've got it set up -right now- -Or, or if, or if it's a lease that it -expires- -Yeah ... like it's gonna have to log you out somehow. Yeah, so the way that we do it right now is, yeah, the thought is that we expire
the lease at like 6:00 AM. So at 6:00 AM on that day we say it should expire this day, we revoke it. And if they haven't logged in that day, which it's very unlikely that they have, then when they log in that day- -Mm-hmm -... the permission will be revoked. Now, in some weird case where we needed to revoke a permission for somebody in the middle of the day, which I, I don't really see that happening. We don't typically get requests to take permissions away. We get plenty of requests to add
permissions, but almost never. The only case I can think of where we say like we would revoke permissions would be when somebody's getting terminated. -You know, that happens. -Mm-hmm. -But typically the way that that works is- -Yeah ... a manager will set a time to say, "Hey, at 1:00 we're gonna have the
conversation with this person, we need to terminate this user at 1:00." And so they'll pull them in, the IT team schedules the termination for 1:00, they then revoke that user's access and then by the time they get back to their machine, it's locked and they can't get logged back in and it's fine. So- Yeah. I don't... It's, it's a, it's an interesting question to posit but I'm not sure that it's a critical component of what I'm hoping to accomplish. I, I don't- -Yeah. -I don't know.
Yeah. And, and I assume in an organization like yours you'd have a risk register somewhere, and these are the kind of questions that I sit there and I come up with and I send it to the risk team, and they put it in the risk register and we say, "Okay, we know about this but we don't care about it." -Yeah, exactly. -And as long as it's in the risk register- -Yes -... you know, it has been raised, it is, you know, we've decided that it's not something that we're terribly concerned
-with, fine, but it's been noted. -Exactly. We mark it as an acceptable risk. And it's better to have something on the -risk register- -Yes. Yeah, right, yeah, yeah. And it's better, for those of you listening who are in, in smaller organizations or you're, you know, on your own or whatever,
it's probably fine, you don't have to worry about it. But in, in big organizations especially those that are, you know, ISO 27001 or their SOC 1, SOC 2, whatever else, these are the kinds of things that it's, it is okay to have these kinds of things sat on a risk register and you just say, "That's a low risk, medium risk, it's acceptable," you know, we don't care about it but we, b- but you still need to think about these kinds of things.
-Absolutely. -And then what you do with it is you just, you decide, is it something that I need to, to put into code to protect against? Or, is it okay to just, just to acknowledge that yes, that is something that we are aware of, but we're not worried about it being an actual concern?
Yeah. I- so the two words that we typically use in those instances is that we would say number one, it's a known, it's a known risk but it's a, it's A, it is an acceptable risk, and B, here is a compensating control. Auditors love that phrase, a compensating control which just means we're aware of this issue but we're solving it in a different way. So we would say the
compensating control is referenced user termination policy line 15, right? Where it says, uh, you know, all user terminations will happen within 15 minutes of a termination request or at the scheduled time requested by the manager. And then you, you know, you basically reference, hey, here's the pla- place where we say this is how we do it and this is why it's not a concern. That the
application handles it because our process handles it this way. Um, and so anyway, those, those are good points to bring up, especially when you're trying to do those things, SOC 1, SOC 2. If an auditor brings that up and you don't have a solution for it like in code, i- if you have a solution for it in policy, um, then that's usually good enough, so... Yeah. Yeah. -Well folks, that's all I've got. -Cool. Michael, you got any... Uh, thanks for your help on that. I, I appreciate you
thinking through that with me. Um, I think we're gonna move forward with that and I'll let you know kinda how things go, uh, on that front. But, I think it'll be good. I think it's definitely gonna be an improvement over what we've been doing. -Yeah. Yeah, I think so. -Yeah. Yeah. So... For sure. All right my friend, Episode 179 of the North Meets South web podcast is in the books. If you'd like to find show notes for this episode find them at
northmeetsouth.audio/179. If you'd like to talk to us on Twitter, on X, on all the things, hit us up @michaeldyrynda, @jacobbennett or @northsouthaudio. And if you liked the podcast we'd really appreciate it if you'd rate it up in your podcatcher of choice, five stars would be absolutely incredible. Folks, we hope to see you at Laracon, please say hello. We would love to talk to you in person. We don't get to see any of you. Typically, for us this feels like speaking into the
void. It feels like nobody's listening to this ever until we get there and we hear from all of you wonderful people. It's an encouragement every year to keep going- -Oh -... and keep doing it, because... I, I, I enjoy it. I think it's, it's good to know that people do listen but it's -also a very bizarre experience. -Mm-hmm. Because people know so much about you and you're like, "Hello person." Oh, that's so funny. -Yeah. -Don't let that deterr- d- don't, don't let
that deter you from doing it though, I love, love to meet the people. Um, and it's been, you know, like I said, six years since I got to meet the people. -Absolutely. -So. Except for those of you who are kind and caring enough to come all the way down to Laracon AU. One of these years I'm gonna get there folks. All right everybody. Till next time, we'll see you.
