From f81fb020e0045735ca2ab56b91cc91fdd0de726c Mon Sep 17 00:00:00 2001
From: Mike Scott
Date: Sat, 27 Jul 2024 00:20:09 +0100
Subject: [PATCH] Check for 'all' or 'any' permissions before specific permissions (#2694)

Shouldn't the check for `edit all posts` or `delete any post` be done first, before checking if a user can edit or delete their own posts? The original code checked if the user can edit their own posts and, if so, would return false if they were not the post auther, **even though they had the permission to edit any post**. By performing the `all`/`any` check first, these permissions still work correctly when the user also has permissions to edit or delete their own posts.
---
 docs/best-practices/using-policies.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/docs/best-practices/using-policies.md b/docs/best-practices/using-policies.md
index 504042e0..5afc3602 100644
--- a/docs/best-practices/using-policies.md
+++ b/docs/best-practices/using-policies.md
@@ -49,24 +49,24 @@ class PostPolicy
 public function update(User $user, Post $post) { - if ($user->can('edit own posts')) { - return $user->id == $post->user_id; - } - if ($user->can('edit all posts')) { return true; } - } - public function delete(User $user, Post $post) - { - if ($user->can('delete own posts')) { + if ($user->can('edit own posts')) { return $user->id == $post->user_id; } + } + public function delete(User $user, Post $post) + { if ($user->can('delete any post')) { return true; } + + if ($user->can('delete own posts')) { + return $user->id == $post->user_id; + } } } ```