Policies

Overview

Policies group authorization logic around a specific model or resource. They centralize the permission checks for the actions a user may perform on that model, so each check lives in one place rather than being repeated across controllers.

Creating a Policy

CMD: php artisan make:policy UserPolicy

Policies that exist in Ecom-API

1. AccountAuthorizationPolicy

  • (i) View Account Policy

    • Determines if a customer can view a specific account.
    • Guests (represented by GuestCustomer) are not allowed to view the account.
    • It checks if the customer is listed as an admin for the account.
  • (ii) View Own Account Orders Policy

    • Determines if a customer can view orders associated with their own account.
    • Guests are denied access.
    • It verifies if the customer is part of the account.
  • (iii) Update Account Policy

    • Determines if a customer can update an account.
    • Guests are denied access.
    • It checks if the customer is an admin of the account to grant access.

2. CustomerAuthorizationPolicy

  • (i) View Policy

    • Purpose: Determines if a customer can view their own details.
    • Logic: Guests (GuestCustomer) are not allowed. The customer can only view their own information.
  • (ii) Update Policy

    • Purpose: Determines if a customer can update their own details.
    • Logic: Guests are not allowed. The customer can only update their own information.
  • (iii) Trade Credit Invoice Policy

    • Purpose: Determines if a customer can view a trade credit invoice.
    • Logic:
      • If trade credit is disabled, it falls back to the basic view policy.
      • If trade credit is enabled, but the customer is not an admin of the account, it falls back to the basic view policy.
      • If the customer is an admin, they are authorized to view the invoice.
  • (iv) Convert Policy

    • Purpose: Determines if a customer can convert a guest account to a web-enabled account.
    • Logic: The target account must be a guest account for conversion. The customer must have update permissions on the guest account.
  • (v) Trade Credit Admin Policy

    • Purpose: Determines if a customer is a trade account admin.
    • Logic: Checks if the customer is the admin of any account and if the customer is the specified resource.

3. OrderAuthorizationPolicy

  • (i) View Policy

    • Purpose: Determines if a customer can view a specific order.
    • Logic:
      • Guests (GuestCustomer) are not allowed to view orders.
      • A customer can only view orders that are associated with their own customer ID.
  • (ii) View Tracking Link Policy

    • Purpose: Determines if a customer can view the tracking link for a specific order.
    • Logic:
      • Guests are not allowed to view tracking links.
      • A customer can view the tracking link if the order's customer ID matches their own.
      • If the payment type of the order is 'account', a customer who is an admin of the order's customer can view the tracking link.

4. TransactionAuthorizationPolicy

  • (i) View Policy

    • Purpose: Determines if a customer can view a specific transaction.
    • Logic:
      • Guests (GuestCustomer) are not allowed to view transactions.
      • A customer can view a transaction if the transaction's customer ID matches their own.

5. TrolleyAuthorizationPolicy

  • (i) View Policy

    • Purpose: Determines if a customer can view a specific trolley.
    • Logic:
      • For guests (GuestCustomer), access is granted if the trolley's session ID matches the customer's session ID.
      • For registered customers, access is granted if the trolley's customer ID matches the customer's ID.
  • (ii) Update Policy

    • Purpose: Determines if a customer can update a specific trolley.
    • Logic:
      • For guests, access is granted if the trolley's session ID matches the customer's session ID.
      • For registered customers, access is granted if the trolley's customer ID matches the customer's ID.
  • (iii) Delete Policy

    • Purpose: Determines if a customer can delete a specific trolley.
    • Logic:
      • For guests, access is granted if the trolley's session ID matches the customer's session ID.
      • For registered customers, access is granted if the trolley's customer ID matches the customer's ID.
  • (iv) Convert Policy

    • Purpose: Determines if a customer can convert a trolley.
    • Logic:
      • Access is granted if the trolley's session ID matches the customer's session ID, regardless of whether the customer is a guest or registered.

  Logging: Each method of this policy logs detailed information about the customer and trolley to assist with debugging.
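The trolley policy described above, written out as an added example (not Ecom-API's own source). It assumes App\Models\Customer with a GuestCustomer subclass, a Trolley model carrying session_id and customer_id, and a session_id attribute on both customer types; those names are assumptions, not taken from the project.

```php
<?php
// Added example (not Ecom-API's own code); class and attribute names are assumptions.
namespace App\Policies;

use App\Models\Customer;
use App\Models\GuestCustomer;   // assumed subclass of Customer
use App\Models\Trolley;          // assumed to carry session_id and customer_id
use Illuminate\Support\Facades\Log;

class TrolleyAuthorizationPolicy
{
    public function view(Customer $customer, Trolley $trolley): bool
    {
        return $this->owns('view', $customer, $trolley);
    }
    public function update(Customer $customer, Trolley $trolley): bool
    {
        return $this->owns('update', $customer, $trolley);
    }
    public function delete(Customer $customer, Trolley $trolley): bool
    {
        return $this->owns('delete', $customer, $trolley);
    }
    // Convert is session-scoped for guests and registered customers alike.
    public function convert(Customer $customer, Trolley $trolley): bool
    {
        return $this->decide('convert', $customer, $trolley, $this->sameSession($customer, $trolley));
    }
    // Guests are scoped to their session; registered customers to their customer ID.
    private function owns(string $ability, Customer $customer, Trolley $trolley): bool
    {
        $allowed = $customer instanceof GuestCustomer
            ? $this->sameSession($customer, $trolley)
            : ($trolley->customer_id !== null && (int) $trolley->customer_id === (int) $customer->id);
        return $this->decide($ability, $customer, $trolley, $allowed);
    }
    // A trolley or customer with no session ID must never match (two empty strings would otherwise compare equal).
    private function sameSession(Customer $customer, Trolley $trolley): bool
    {
        return $trolley->session_id !== null && $customer->session_id !== null
            && hash_equals((string) $trolley->session_id, (string) $customer->session_id);
    }
    // Log the decision with IDs only; the session token itself never goes to the log.
    private function decide(string $ability, Customer $customer, Trolley $trolley, bool $allowed): bool
    {
        Log::debug("TrolleyAuthorizationPolicy::{$ability}", ['customer_id' => $customer->id,
            'guest' => $customer instanceof GuestCustomer, 'trolley_id' => $trolley->id, 'allowed' => $allowed]);
        return $allowed;
    }
}
```

Register it in AuthServiceProvider's $policies map (Trolley::class => TrolleyAuthorizationPolicy::class) and call it through $this->authorize('update', $trolley) or Gate::allows(); the null guards matter because a trolley saved without a session ID would otherwise match any guest whose session ID is also unset.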
