Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
-Hey, this is Michael Dyrynda.
-And this is Jake Bennett.
And welcome to Episode 179 of the North Meets South Web Podcast.
I thought it was 180. 179, huh?
Yeah.
-179, okay. Well, hey-
-Next- next- next week, we'll get to 180.
179 it is, folks. Um,
(00:22):
it is post July 4th, and I'm still sort of hanging on to the mustache thing here-
-It's fine-
... a little bit.
I can- I can... Look, the goatie, th-
-the dirty goatie I can live with.
-It- it's okay.
The mustache...
-I'm gonna shave it all off for- for-
-Maybe, maybe
... Laracon again. And now you're just gonna have to live with, uh, Jake with the
mustache.
Um, no, I'm not actually not gonna do that. I'm gonna- I'm gonna- I'm gonna just
(00:44):
put it all back to how it- how it should normally be. Um, but in other news-
-I was just-
-We- we are actually staying at the same
hotel.
-I'm pretty stoked.
-Yes, finally.
-Finally, yes.
-That- that worked out well in the end.
-It did end up working out well.
-Worked out well in the end because
I said back in February, like, "I've bo- bought my ticket, I've booked my
-accommodation-"
-Yep, yep.
"... this is the closest hotel." And it ended up- ended up- ended up being one of
(01:07):
-the-
-Yeah, the conference, yeah
... the official, I guess, conference hotels.
And so by the time you booked, three weeks before the event-
Yeah.
-You're like, "There's no rooms anywhere."
-Yeah, you were like, oh-
-I wonder why, you know?
-Right, yeah. And so they ended up opening
-up, and, uh, yep.
-1,200 people-
-So-
-1,200 people coming in. Yeah, so that
-worked out.
-It's gonna be awesome. I'm so excited. We
(01:28):
can do, like, pillow fights middle of the night, just like-
-Pillow fights.
-Yep.
-Yeah, yep.
-Just gonna find out whose room is it. We
gotta have- have so many people there. Knock on the doors and just hit people
-with pillows. It's gonna be good times.
-It's gonna be a bit like that. It's, um...
Yeah, I looked, 'cause I, um, I messaged Matt, Matt Stauffer, and I said, "What are
we doing for coffee?" Because I know it's only three days, but I can't drink
(01:49):
-Starbucks for three days.
-Yep.
-Like, that's not an option.
-Yep, yep.
I need good coffee. It turns out... Now, whether or not it is good is to be seen,
but it turns out that in that hotel, in the Vib by Best Western, for those of you
who are staying there, there is a coffee, there's, like, a cafe-
-Nice. Okay, okay-
... downstairs in the hotel.
So it- it has, like, a four-and-a-half star rating, so I'm hoping-
(02:13):
-Sweet-
... that that's good enough.
-That'll be good.
-There is also, for those of you staying
there, a taqueria downstairs. So tacos and coffee, we should be sorted.
Sounds amazing. Yeah, I'm- I'm really excited. It looks like a really nice hotel
-as well. Um, like you said-
-Mm-hmm
... it's like, I think the closest hotel to the venue of the ones that there are
-on-
-Yeah
-... that are on there. So, um-
-Mm-hmm
... yeah, it's- it's gonna be amazing. I'm so excited. I cannot wait. I'm flying in
(02:36):
Monday, leaving Thursday evening. So if any of you have no plans for Thursday,
meaning you've stayed Wednesday, you did the afterparty on Wednesday, you slept in
on Thursday, and now it's Thursday afternoon and you're looking for something
to do, hit me up on Telegram. I'd love to hang out because Michael will probably be
gone by then. Michael, will you be out by then?
-Yeah.
-Yeah, so I'll be leaving at 5:30-
(02:57):
-Yeah, we- we get in at, like, 3:00-
... which means I'll have a bit of time
-for lunch.
-Yeah.
I'll be able to... I'll be free for lunch if anybody wants to hang out.
-Yeah, we get in at 3:00-ish on-
-Monday, yep
... Monday, Aaron and I. And then, we were supposed to leave at 6:00 or something
-like that, 6:00 PM on Thursday.
-Yeah.
But our flight got pulled back to 11:00 AM.
-Ah.
-So we're probably gonna be at the airport
(03:18):
at, like, I don't know, 8:00, just to be safe.
-Yeah.
-Just who knows?
Yeah, we can catch coffee. You and I can catch coffee.
Although I saw recently... Yeah, yeah, we'll be all right. We'll- the- we'll have
plenty of opportunities to- to see each other over the- the three days-
-For sure-
... that- that we're there, but
yeah, I am... I saw- I saw on the news or something, there was an article the other
day that, like, tourism is way down for Australians into
(03:40):
-the US at the moment, like 12 or 15%-
-Wow, that's crazy
-... on what they were expecting normally.
-Yeah.
So I'm- I'm hoping that we have, like, a lo- although these- these flights that we
bought were on sale, so they're sale dates, so I suspect that maybe they will
be booked-booked. But it'd be nice to see if there's a bit of, uh,
-bit of space on the plane actually.
-Some extra legroom. Yeah, for sure.
(04:03):
-Yeah.
-I actually-
-We'll see what happens-
... there was a lady sitting in my seat on
the last flight I was on.
And I didn't bother her 'cause, like, it doesn't matter, there's extra seats. And
so I told the attendant, I was like, "Do you mind if I sit in another seat?" And
she's like, "Yeah, that's fine." I said, "Why- why don't I just go sit in first
class, it's like it's enough, should I sit up there?" She was like, "It's fine with
me." She's like, "But let me check." And so she checked and the lady up front was
like, "No". I was like, "Come on", so I just took an exit seat. It was fine.
(04:25):
-Ah, you tried.
-I did try. She was almost, I mean, almost
-had her.
-You tried.
-Yep. I was almost there.
-Almost. Almost there. Almost got it. Yeah,
we- we definitely for the long haul flights, the, uh, Sydney to Dallas and
then the LA to Melbourne on the way back, we-
-we went for exit seats.
-Nice, there you go.
-Aaron and I just-
-Yeah, some extra room.
Um, and hopefully these are good exit seats because the last time I was coming
(04:48):
back from the US, I went
thinking that it'd be good to sit in the, like, the- the bulkhead row-
-Yeah-
... behind the- the bathrooms.
-Yeah.
-Terrible idea. Don't ever do that. Because
-number one, the armrests-
-Oh, no.
Like, the armrests are fixed, so you can't move them. So I had, like... I was
uncomfortable the whole time. And you think because you're at the bulkhead,
there's a bit more room, and there is physically a bit more room to stretch your
(05:11):
legs out. But the problem is people walk past there to go-
-Oh, God.
-... to the bathroom from the bathroom. So
yeah, no good. So we are on the... We're by the galley,
um, on the exit- exit row this time, and to, like, the- the- the left of the plane.
So hopefully that'll be a better seat. But I didn't... I looked at even premium
c- premium economy was like $6,000 return or something like that.
(05:34):
-My gosh.
-I said, "Nah. Not."
-Hey, okay, I've got one-
-No thank you, not for me
... one quick tip for you here
-for sleeping on planes.
-Mm-hmm.
Okay?
There is this amazing product called the Sleeper Hold.
-Sleeper Hold. Is-
-Right.
-No, seriously. It was invented by an-
-Nonsense
-... an MMA guy, a UFC fighter-
-Mm-hmm
... who had to go on flights and trips and stuff like that all the time. And he was,
(05:57):
like, sick of, like, not being able to sleep well on these- on these trips.
-Mm-hmm.
-So he invented this thing called the
Sleeper Hold. Now, I got one at a conference. I was like, "What is this
nonsense?" Oh, my gosh. I will never travel without it again. It is amazing, and you
can actually sleep well on flights or on buses or on-
-Right-
... on anything like that- ... that has,
like a rest... Like, a seat behind you.
(06:19):
It is incredible. So if you... I mean, because you're gonna be on these insane
flights, you know, you're gonna be hitting 14 and a half hour time difference jet
lag thing,
I would suggest snapping one of these up. Now, they're not inexpensive, but they are
amazing, amazing. And so, um, check it out. Sleeper-
Oh, the travel pillow. Right, right, right, right.
Sleeper Hold. Yeah, yeah. It's a s- it's a no-
-When you say sleeper hold-
-And I know, and I know, it's- it's not,
(06:40):
-you know, it's not just a travel pillow.
-Yeah.
-It's- it's- it's a little bit different.
-Yeah, yeah, yeah.
They've got some really good marketing as well, but I've actually used it and the
marketing holds up. The hype holds up. It's really good. So for any of you
listening who are gonna be going to Laracon, grab a Sleeper Hold. Tell them
Jake sent you, there's no referral code or anything. Sorry, otherwise I would give
it to you. But, uh, they're pretty sweet. Pretty sweet. So...
Right. So this thing, you strap to the... You strap to the seat, and it kind of
(07:04):
holds your head so your face doesn't flop forward.
That's right. Yeah, so you have a little neck thing that-
-Yeah, cool-
... goes behind, just behind the- the,
like, the little dip in your neck, in the back of your neck. You just put the pillow
-there-
-Mm-hmm
... and then there is a strap that goes around the back of the seat. And then
there's like a eye mask that kind of goes over the front of your eyes and holds your
head in place up against the back of the seat. And you don't, you know-
-Yeah, right-
... those neck cushions, they don't
(07:24):
actually hold your head up, so you- you kind of, you have to try-
-Yeah, yeah, yeah-
... lean your head back. It doesn't work
very well. This works amazingly, and I have slept like a baby on flights with
-this thing. So, highly suggest it.
-I'm, uh... I have sent this to my wife.
-Mm-hmm.
-I am very fortunate in that I, generally
speaking, on a flight, will close my eyes and wake up eight or nine hours later.
(07:46):
-That's amazing.
-Especially on the way back. Especially on
the way back, because it'll be, you know, three days of go, go, go. We've got the-
the mostly technical party on Monday night.
-Yep, Monday night.
-We've got after dark on- on Tuesday night,
then there's like... I assume we'll do something on-
-Wednesday night, yeah. Did you-
-... on Wednesday night as well, and then
-we're gonna be up-
-There's a link, I'll send it to you.
(08:06):
-There's a Luma something.
-Yeah, yeah, yeah. I-
-You get that one?
-Yes, that was for Tuesday night, I think,
-that one. Yeah, I got that one s-
-I think that was-
-So, did that, um...
-I thought that- I thought that was for
Wednesday.
Let me look.
-Luma after party.
-Can you double check?
Yep, I'm looking right now. Tuesday. You're right, it is Tuesday. Yep.
-Mm-hmm.
-My bad.
Yeah.
Yeah, so, um, that, and then Wednesday night, I assume we'll do something. Go
(08:29):
-grab dinner or something-
-Yeah, yeah
... with the- with the guys. Anyone who's- who's keen for that.
-For sure.
-Um, and then Wednesday we'll be up early,
and then we're just gonna have to try and power through LA. Um, Aaron and I are
gonna go and do the unthinkable. And I don't know if we're actually gonna do
this, but I- I joked to Aaron, I said, "So, outside of LAX, there's a Five Guys,
-an In-N-Out, and a Chick-fil-A."
-Gotta do it.
(08:51):
And I'm like, "We'll just eat all of them. We'll just do all three."
You gotta do it.
And then, uh, yeah. So
by the time I get on that plane, and- and this has happened every time I've left the
US for- for any trip that I've been over there, I'm asleep before wheels up. Like,
before we leave the ground- ... my eyes are shut. I'm out.
Yeah.
-Oh, my gosh.
-And they come- they come at like an hour
or- or- or two later, and they're like, "Do you want dinner?" I'm like, "It's
(09:13):
midnight. I don't- I don't want dinner. Go away."
-That's funny.
-"Why did you wake me up for this?" So...
-That's hilarious.
-This light- this light keeps on flicking
off and on for some reason, I don't know why. So every now and then I get shrouded
in darkness.
-Well-
-So yeah, Laracon, uh, this-
Anyway, long story short. Yeah, absolutely
... this will be our last- last North Meets South before Laracon. Uh, we've got...
We'll do an episode of Laravel News next week. Mm-hmm.
(09:35):
And then we'll be on location.
Is it that quick? No. Oh, no. We will have one more North Meets South before Laracon.
Okay. Okay.
And then we'll be on location. Yep, yep, yep, yep, yep.
So yeah. A- and then for Laravel News, you and I will be,
uh, running around. You did a day one recap last year with-
-Yes-
... David Hemphill.
(09:56):
-Yes.
-Which made- made me feel very slighted,
-uh, that you would-
-I'm so sorry.
... you would do something like- like that.
I think I mentioned you. I thought I mentioned you.
-You did- you did mention me.
-Okay.
But, uh, you know, I will- I will- I'll be there this time, so you watch yourself.
And so it will definitely be you and me. Yeah, Hemphill. Watch it, you're gonna
-get- you're gonna get a-
-So yeah, we'll do-
-... shiv.
-We'll do a recap day one and we'll do day
two, 'cause there was no day two last year.
-Right.
-Um, and I think we're gonna go around and
(10:17):
-do some like vox pops-
-Absolutely
... and speak to people and- and talk to them as well for Laravel News, so that'll
be a bit of fun. Something- something to do.
-Should be a good time.
-So if- if you are interested
in doing that, keep an eye out for us. We'll- we'd love to talk to you about what
you think. I saw Taylor's got like a two-hour
-keynote at the end of day one.
-Wow.
So that'll be- that'll be a bit of fun. And looks like there's a lot of variety in
(10:39):
the talks as well. If you've- if you've seen the schedule, there's some- there's
some, um, you know, 30-minute talks, 20-minute talks. They're all over the
place this year, which- which is good. I think- I think mixing things up like that
is- is good for the audience as well. Um, getting a- a mix of lengths and types and-
and all sorts. So
-very excited to get back over there-
-Yeah
(11:00):
... after, what, six years or whatever it's been.
Yep. It's gonna be incredible to have you, dude. It's been too long. Too long since
we've been able to hang out in- in, uh, the real, right? In 3D.
-Mm-hmm.
-So it'll be fun. It'll be lots of fun. Hey
folks, we have a couple different topics that I would like to talk about today. The
first one is this. Should you have
(11:22):
a middleware call inside the constructor of a controller? Okay, so
set it up for you.
This is something that used to be supported and I do not think it's
supported anymore in Laravel 12, which is this. Inside of a controller you can, in
the constructor, say, "This middleware," and then specify a middleware. And what
this will do is this will apply that middleware to anything that you're going
(11:45):
to be accessing that controller
through, right? Any route that references anything that points to that controller,
you can have a middleware in the constructor of that controller. Okay. Are
you ready?
Think about it for a second. Make up your mind. Do you think you should put it there
or not?
And
go. All right, what do you think, Michael?
(12:06):
No. And you, you, you posted this the other day-
-I did-
... in Telegram, and I-
I'm gonna grab a water while you formulate your response and, and tell me why I
shouldn't do it, so then I can actually come back and tell you why I think you
should. But go ahead.
Yeah.
I mean, Laravel 12, you said you can't do it, so that's, that's as good a reason as
any to not do it. Um, I know
(12:27):
there used to be some explicit reason to do it. Like, you... There was some part of
the request lifecycle that wasn't available inside of
your route definitions, which is why you, you maybe wouldn't have done it
previously. Like, you wanted to dynamically apply a middleware or
something like that inside of the controller constructor.
The, the reason I don't
(12:49):
like the idea of putting the middleware in the controller
is kind of similar to why I don't like using, um,
events too much. I don't particularly like using observers and, and global scopes,
although those things are a little bit more
-opaque now-
-Yeah, for sure they are
... because we've got the attributes to say, like, observed by, scoped by, and all
(13:10):
of that kind of stuff. But I feel like
the routes file is the first place that I'm going to look in a new application to
see everything that's happening across the application. Like, I know what
functionality is available, I know where to reach it. It's a very quick and easy
way. W- this is the same reason I don't like route definitions inside of
controllers using attributes, which is a thing that has-
(13:32):
-Fair enough-
... like, come and gone in the past.
Because if you want to s- I mean, you can always do a route list and see the route
list that way, but I think opening up the routes file and just scrolling through it
and seeing everything that's there is my preferred method for, for dealing with
that kind of stuff.
When you start putting things in- inside a constructor, it's, it becomes
(13:54):
less visible.
Um, it... Like, does it still appear in the route list if you d- define a
-middleware there?
-That's a good question. I honestly don't
-know.
-'Cause that would be my hesitation.
-I'm not sure.
-Yeah. 'Cause that would be, that would be
-another hesitation of mine-
-I kinda feel like it wouldn't
-... is that you don't know.
-I kinda feel like it would not. Yeah.
Yeah.
Um, so yeah, my, eh, I never, I never do. Um,
(14:17):
all of my middlewares are defined inside of
-the routes file. Yeah.
-Fair enough. Now that being said, uh, I
mean there are multiple other places where there are middlewares being placed onto
things without your knowledge or just explicitly by the framework. So,
you know, one of those places is in the
(14:38):
bootstrap, uh, app.php file, where you're-
-Mm-hmm-
... setting up all your routes and all
those things. And if you use a then, uh, portion of the section there when you're
defining those different routes, then you can apply middlewares there and things
like that. You know, you can set up a new stack essentially. You have web, you have
API, you have console, which are all getting set up. You have up, which is also
(15:00):
another one that ships by default with Laravel 11.
But if you have a then, you know, you might do something like development
routes. Like, if you're in development, you will, then you'd bind these
development routes, and you could put, uh, prefixes or middlewares on it in there.
Uh, there was previously in, you know, previous versions where you had a, a route
service provider or something like that, or the HTTP kernel, you could do things in
(15:22):
-there as well when you'd register those-
-Mm-hmm
... or when you'd bind those sorts of things. And so, it's not like it's only
ever been that the routes file is the only place where middlewares are applied. I
-mean, there's a web-
-Right.
There's a web stack that's applied by default.
-Yeah, yeah.
-So
I get the argument that, like, if you can just go see the web.php, you can see
everything on there, but it's not actually true. Like, there's... That's all the
(15:43):
-things-
-Mm-hmm
... that you would put on there, but it's definitely not all-
-Yeah-
... the things that are on there.
-Yeah.
-So, um, I would say that, like, as far as
the user definitions are defined, I agree that the web.php is where you would go see
all the user-defined things most of the time. Um, you do have to be a little bit
careful if you're migrating from legacy applications, and that's the situation
here. That's why we ran into this, is we've... You know, we've been on this
(16:05):
since Laravel 4, and so this very particular application has been upgraded
to 4, 5, 6, 7, 8, 9, 10, 11, 12. And so, 12-
-Yeah-
... is when it sort of-
-Yeah-
... dropped support for it and caused some
issues for us. The one thing I will say that is helpful, and maybe the reason why,
um, what you were talking about, is like if you wanted to resolve something out of
the constructor in order to be able to apply that to a middleware or s- pass that
(16:27):
in as something to the middleware, it's possible that at one point that was not
available. But obviously now you can make your own middleware classes and things
like that, so it's not a problem. Um,
but
if there is a middleware that you want to apply to every single method inside of
that controller,
it is possible for someone to miss that when they're defining a new route for that
(16:49):
controller, right? Maybe they don't look and see the other places. Maybe that
control... Maybe the, the locations where, uh, those are defined are not co-located.
Maybe they're just adding a new one to the bottom of the list and they don't go
find it. That controller middleware, uh, is not gonna be applied now. And so,
that could be problematic. Now, that's... Maybe there's ways around that. Maybe you
(17:11):
can put an architecture test in place. But that was the particular argument that I
had, which was like, it's not necessarily all bad to be able to define it in the
controller. I can see the arguments for why you maybe wouldn't,
-but I don't think it's-
-Mm-hmm
... I don't think it's that bad. I don't know. I don't know.
Yeah.
I'm just trying to look back on when, when it was actually... 'Cause there's nothing
(17:33):
in the Laravel 12 upgrade guide that I can see
that's obvious that says this has been
removed. So...
-All I know is it was throwing an error.
-Controller middleware.
-Yeah.
-Oh no, it's still here.
-It was throwing an error.
-Controller middleware.
-Go ahead. Yeah, maybe just-
-Ouch
-... maybe the way that we defined it.
-Oh, you put it... Yeah. So used to be in
a, um,
(17:55):
cons- in the construct method, and now you can define it as a stat- a public static
method that returns an array inside the controller.
I got it.
-So it's still able to be used-
-And you, and you implement the has
-middleware-
... just not in the same way. Oh, I see. I
-see.
-Mm-hmm.
Yep. Just not in the same way. Okay. Fair enough.
Fair enough. Middleware may be assigned to the controller's routes in your routes
(18:16):
file. You may find it convenient to specify middleware within your controller
class. To do so, your controller should implement the HasMiddleware interface,
which dictates that the controller should have a static middleware method. From this
method, you may return an array of middleware that should be applied to the
controller's actions, and you may also define ControllerMiddleware as closures-
(18:37):
-Hmm, interesting-
... which provides a convenient way to
define an inline middleware without writing an entire middleware class. But it
doesn't,
doesn't really say why or when you would do this-
-Sharp knives-
... which I guess is... You know, sharp
knives, right? Laravel
provides many ways to do the same thing. I would, I would posit that doing it inside
(18:59):
of the controller is potentially a less,
um,
what's the word?
Like, a less conventional way of doing it.
-I agree. I do agree with that.
-But, you know, it's documented. Um,
yeah. I don- I mean,
yeah, i- for... I wouldn't do it in the controller for the same reason that I
wouldn't,
that I don't subscribe to, to doing route definitions inside of the controller.
(19:23):
-And that's fair.
-Um...
I, I do get that. Yeah, and, and so it sounds like it's not necessarily... Th-
the method by which we were using it is deprecated, but the, the idea itself-
-Mm-hmm-
... is still very much documented and
relevant inside of Laravel. So, fair enough. I, I think that's, uh... You know,
it's again, sharp knives, use them if you want to, uh, if you don't... If you cut
-yourself-
-Yeah
... don't complain, right? Just deal with it. So...
(19:45):
Yeah.
It's certainly like a top level documentation item.
-Yeah.
-Right? It's
in, on this page, introduction, writing controllers, controller middleware. So
it's not hidden. It's not one of those things that, like, gets pushed
down the documentation until one day it disappears and then you know that it's...
It,
it likely won't ever be removed.
(20:05):
Eh, in, you know, the way that Laravel typically handles deprecations, is just
that at some point
it's determined to be not the best practice or, you know, there's another way
of doing it that's, that's more appropriate or more, uh, efficient or
whatever else. And so the documented approach becomes the way to do things, and
stuff that drops out
might get deprecated eventually, you know, in two or three major releases time. But,
(20:29):
um, it typically survives even though it's not documented. So it's still, still
there as a top level thing. But
yeah, I don't, I don't see where this... I, I'd have to dig to find out, you know,
why you would do it in a constructor. Like, what, what was the documented reason
-for doing it-
-Yeah
-... essentially?
-Yeah. I, I don't even know if I could tell
you in this case. I, I think it... This one is honestly just... It was like a
(20:50):
authorization check to see if somebody had a particular role or something like that,
-that's all it was.
-Mm-hmm. Mm-hmm.
Like, "Can they do this particular thing?" If they can't do this particular thing,
then there's no reason for them to see the view, the update, the create, the delete.
Th- they shouldn't be able to do any of that stuff, like, don't bother even-
-Right-
... doing a policy on it. There was...
This was before policies were a thing. You just said, "At the controller level,
don't bother, just abort. Before they ever do anything with it, just abort."
(21:15):
Which brings me to my next question.
Um, unless you have anything else you wanna talk about, which I... So, I've got
-one more thing and that's-
-No, no, go for it.
-Okay. Okay.
-Are you... You meant, you, you, you
floated this, like you got in early with this one, so you've... It's obviously on
-your mind-
-It is
-... so let's talk about-
-Yes. Okay. So we talked about this with
the other devs on the team earlier today. Okay. So
(21:36):
I'm gonna try and set up the world for you a little bit and then we can chat. And I
think you can help me point out maybe some p- some potential flaws,
or maybe not flaws but pitfalls that I might be looking into or that I might need
to investigate and/or better ways to structure this. Okay, so here it is.
-Mm-hmm.
-Let's say I have 20 apps, which I do, and
(21:57):
let's say that each of those applications has, currently has their own roles.
And the way that we're checking permissions or abilities inside of any of
these locations and inside of any of these applications is only through checking of
if a user has a role. Okay? So that is, that is the way that we've done it. Now,
the problem with that
(22:17):
is that the onl- if you only define roles, the only way to give somebody permission
to do something is to assign them a role.
Does this make sense?
-So-
-Mm-hmm. Yep
... if you have a person, let's say that there's a manager who's stepping out for a
week and they have a person on their team who's like their number two, right,
assistant to the regional manager if you will. And they need this, they need this
(22:40):
user to sort of take their place, interim, uh, manager, uh, for a week. The only
way, i- but they really only need them to do one part of their job, which is that
they need to run this report every day and send it to the CEO. Let's say that's the
-deal.
-Yeah.
Right? That's it. That's all they need to do.
But because the only way to give them that permission is to assign them that role,
in addition to getting the ability to run the report, they also get the ability to
(23:02):
put in coaching entries or reprimand other peop- or s- read entries for other
teams', um, employees or team members that are on that team, right? Not what you're
-asking for, not what you're looking for.
-No.
Certainly, like, not a least privileged situation. And so what we're running into
is that we have people who have permissions that they should never have
just because they were given them temporarily and then they were never
(23:25):
removed. Right? So the only way that we can catch this is if we do these audits,
which we end up doing, but it's a big pain in the neck. And there are ways, there
are better ways to do this. So,
I'm gonna ex- I'll explain to you sort of our proposition and then I'll continue to
kinda go through how we wanna manage it. The proposition is in any place where we
have a HasRoleCheck, we're gonna remove that HasRoleCheck and we're going to name
(23:48):
the thing that they're trying to do at that check. So, instead of
HasRole, we're going to s- HasRoleManager, we're gonna say CanRunReports. In that
spot, that one spot where they check to see if they ha- if they're a manager.
Instead we're going to say name that thing that they're trying to do, they're trying
to run a report, and then we're going to ask the question User CanRunReports.
(24:11):
Right? Okay. So we're going to change it from a role to a permission or ability.
Permission and ability are the same word, essentially. Which do you prefer?
Mm-hmm. I I think the, the general advice, like the 90%, 95% use case, is to assign
-roles and check permissions.
-Okay. Permissions.
It's certainly the way that, that we operate, is that we will always check that
(24:34):
-the user can do something.
-Yeah. Okay.
We would never... Well,
I say never. In our modern stuff, in our new stuff, it's always a permission check.
Okay.
Uh, or a policy check or whatever else. Previously, in our old code, it w- it was
-base... Like, we would assign roles.
-Yeah. Yeah.
We had a permissions table, but p- but permissions were never implemented, so it
(24:56):
was always like, "Is... Does this user have a role?"
-Yeah.
-We would always check are they an admin,
-are they a manager.
-Yep.
Are they a group manager. We had, um... And, and like you say, that then means
that that person has access to everything
that that role enables them,
um, whereas you want, typically, I think, your permissions to be as granular as
(25:19):
possible.
Yes. The... Yes, correct. I agree with all of that. Um, my question specifically is,
when we're talking about that, you're using the word permissions to talk about a
granular level thing that they can do. Another word that I've heard used for that
-is ability. So, my question is-
-Mm-hmm
... for the remainder of our discussion, would you prefer me call them permissions
or abilities?
(25:41):
It depends on what you... If you're just using Lyro stuff, I'd call them
-permissions.
-Okay. So, yeah, permissions. And that's
-what my guys sort of said too. They said-
-And you-
... "Oh, we like to call them permissions instead of abilities." 'Cause I've called
-them abilities-
-Yeah
... in the past, and I th- we can call them-
-Yeah-
... permissions. That's fine.
-It's a bit... Like, I think bouncer?
-Yes.
'Cause I know you've used bouncer in the past.
Well that, well that's because of abilities.
Bouncer refers to the roles and abilities.
-Yeah. Yeah.
-Yeah, right. Um, I think... How would you
(26:01):
-think about this?
-And then there are no permissions, we're
first giving out permissions.
Yeah.
Like, you have permission to do something, but you have the ability
to
-enact that, that something, right?
-Yeah. Yeah.
So, I think it depends on which way you're looking at... You know, is the user
the one that... You know, does the user have the ability to do this thing?
(26:26):
-It-
-I know. They're, they're synonymous.
-The user has the ability-
-They're synonymous. Yeah.
Or does the user have the permission? Yeah.
Yeah. And so, I'm just trying to establish, like, uh, the domain language
for our team, like, whether we're gonna be using the word ability, permission. I've
-used the word ability-
-Yeah
... but I think we're switching over to using the word permission.
Sounds like if the rest of your... Yeah, I was gonna say, it sounds like if the rest
-of your team-
-Yeah
-... is using permission-
-Yeah, that's the word that they would like
-to use-
... then, then you're using permission.
(26:47):
-Agreed.
-Um, and like I said, I, I think the, the
fact that
ability is in your head is probably owing to the fact that you used-
-100%-
... that you've used bouncer in the past
-as well.
-Yes, it is.
But, like, the Spatie, Spatie has a permissions package.
-Yeah.
-I think generally when people speak about
-it, it's permission rather than... Yeah.
-Yeah. Okay. So,
we've got permissions, right? In every spot where we're doing the HasRole, we're
(27:09):
going to check, uh... Instead of HasRole, we're gonna say HasPermission essentially.
Think about it that way, right? So, we're gonna make everything very granular, and
so our application will check for permissions. Now,
the second part of this is imagine that across those 20 apps, you know, every app
has its own set of permissions that, that are a part of that, right?
(27:32):
-Now--Mm-hmm
... who manages those permissions is thequestion. Who gets to manage those? Well,
I will tell you, my preference is that Inever ever manage those. I want my team to
write the code that enables people whohave that permission to do that thing.
-That's what I want my team to do.-Mm-hmm.
But I do not want my team to managepermissions. I want the IT staff to do
(27:55):
that.
-Um--Right
... and
for them,
even only in a limited capacity. So, um,
what I would like to have happen then isif you can think of a
different application... So you have these20 applications that live on the bottom
level there, and all those le- all thoseare doing is they're checking for
abilities. So, there is essentially no,
(28:17):
no concept of roles anymore in those.We're gonna rip those out of that
application. No roles anymore. It's justpermission checks. We're gonna go up a
layer, and now you're gonna have anapplication, uh, one layer above that
knows about all the different applications
and then knows about all the differentroles in those applications, and then
(28:38):
groups together different permissions forthose particular roles.
-Mm-hmm.-Does that make sense? Now, that
application that sits above that is activedirectory, essentially, is the idea,
-right?-It's exactly what that is. Yeah.
I mean, that's what it is. And so, and sowhat we're thinking is, like, why reinvent
the wheel on that? E- essentially what wedo is we have a user,
and that user will have a job function,which is essentially their job title,
(29:03):
right? So if I have a banking manager,
um, that banking manager is going to have specific permissions inside of each of
those 20 different applications, right? Inside of some of those applications, they
may have a role of manager. So, like in the case of, like, coaching, right?
(29:23):
-Mm-hmm.-Because they're a manager, they're going
to have likely a coaching manager role inside that application, but the
application doesn't know anything about that. All it knows about at the end of the
day is which permissions that user was granted when they come in.
The way that this will be structured then in Active Directory is you will have a
coaching_,
(29:45):
so it's actually namespaced in Active Directory. App_coaching, which is the name
of the app, _role or ability. So,
app_coaching_manager. That's the role, right?
-Mm-hmm. Mm-hmm.-And then nested underneath that
would be additional security groups that would apply to that particular role,
(30:07):
right? So app_coaching can add new coaching log.
App_coaching-
-Yep-... can run coaching reports.
And those abilities may only live under app coaching manager, but they also may
run under... May live under app coaching admin. Right? So those abilities have
basically a one-to-many relationship between-
(30:29):
-Mm-hmm-... those, uh, those different security
groups. Okay? And then each user would get assigned to one of those security roles.
Okay. The reason why that's all important is because
when a user is created in the system, they will get a single
set of
roles. That's it, that's what they get. They get the ones that belong to their
(30:51):
particular job function and nothing else.
-So if--Mm-hmm
... that user that was previously mentioned needs to take over for their
manager for a week to run that report,
instead of giving them
app_coaching_runreport, or sorry, a- app_coaching_manager, they would get the
(31:12):
ability of app_coaching_canrunreport. They would get that single ability rather
than the manager role. Now here's the really interesting thing.
We are going to say that anybody who needs an additional permission outside of the
ones that apply to their specific role, they only get a lease on that permission.
(31:33):
-Yeah.-Does that make sense? So it's-
-Yep-... expiring, meaning that they can ask
for it for a period of time, and then after that, it goes away. It gets removed-
Yeah
-... from their user--Yeah
... so that we don't end up with this mess of what we're talking about, where a user
gets a permission and it just is assigned forever. So you have somebody who started
in one team and they've moved three times, and now they have inherited permissions
(31:53):
for every single team they've ever been on.
-Yeah. Mm-hmm.-Which is a freaking disaster mess.
-Um--Yeah
... and it's really unclear what they actually still need and what they don't
-because they were never removed.-Mm-hmm.
-Yeah.-And so
that's the big picture of what we're trying to-
-So--... accomplish. Yeah.
Mm-hmm. So are these, the expiring permissions, are they being managed inside
(32:14):
of Active Directory, or are you doing that, like some scheduled task that goes
through and, and cleans up these permissions where expiry date is in the
-past?-Yeah, you got it. And so it's actually a
little bit silly. We're using AD LDAP, so Active Directory-
-Mm-hmm-... L- LDAP. What is, uh, listing
directory? I don't know. It's, like, that protocol basically that lets you-
-Yeah, yeah, yeah-... talk to those things.
(32:35):
-Yeah.-And what we do is when somebody wants an
additional permission, we can say, "Okay, they want..." You know, select the
application you're trying to get permissions for. Coaching. "All right,
here are all the ab- roles and the abilities that are available for you to
lease." "Okay, I want to be able to run the report." "Okay. When does it, when
does it expire?" "It expires in, in a week." And then they say, "Okay, request."
(32:55):
Their manager has to look at it, approve it, and once their manager approves it, it
will then
send that off to our auth application, and then that thing actually adds that, uh,
group...
-Uh, sorry, adds that user--Mm-hmm
-... sorry, to that group.-Yeah.
And then
it will, you know, check the end date every day at 7:00 AM, and when the end day
(33:19):
hits, it will remove that user from that group. And then when they log in the next
time, it will look at the AD groups that they are a part of and it will remove the
ability that they previously had, uh, when they logged in-
-Right-... last time.
-Mm-hmm.-So that's the idea. Now the, the big
challenges that I'm running into here is that this top level app,
uh, that's going to help manage all these things has to be aware of all the
(33:41):
different mappings that I have for these abilities inside of all these different
-applications, which is--Yeah
... that is the pain, but I don't really know of a better way to do it if I don't
-want--Yeah
... my team to manage it.
Yeah. And it also means that anytime you add a permission
somewhere, you've gotta do it in two places.
-Yes, correct.-You've gotta do it in the app, and you've
-gotta do it in the--Active Directory
(34:03):
-... the overseer--Yeah
-... as well.-Yeah.
Yeah.
But yeah, I mean, and, and expiring permission is a good way to, to deal with
it, I think, especially from a compliance perspective.
-Yeah, exactly.-You know, no one should have access to
things that they shouldn't have access to, so having that-
-And we can see when they requested it-... That's amazing. And it's like...
Yeah. Yeah, if you're keeping audit trail of it, that's, that's gonna be helpful for
(34:24):
that kind of stuff as well, 'cause you know that no one's got access to anything
that they shouldn't. And if they do, you know, they shouldn't typically have access
to it. You know when they requested it, when it was approved, by who, and when it
was removed. And, um,
yeah, I mean, it's no different to how when you create GitHub tokens and things
like that, you can request for it to be, you know, seven days or 30 days or 90 days
(34:46):
or, or, or unlimited. And as much as it annoys me every 30 days to have to, to
-roll a token--I know, right
... I think probably having a, a 30 day token is, is still the, the correct answer
for most things.
-Yeah, there's, um, the--Streaker. Streaker on the pitch.
Yeah. Oh, he's
...
He-
he's got his, uh, he's got his pajamas on. Harrison, you wanna say hi
(35:07):
real quick? Come here. Come here. Yeah, that's fine.
-The baby of the bunch.-Har- come say hi here. Hold on. Hold on.
Let me put your headphone.
-Look at him.-Say, say hey, Michael.
Hi, Michael. So big.
Hey, man. How you doing?
He's s-
-He's doing good.-I remember the, the last time I saw him
was teeny tiny in a pram
in New York.
-That's how long ago that was.-Oh, that's right. Dude, that was Laracon.
(35:30):
-No, look at him.-Harrison, you were in Laracon.
-Yeah.-You were at Laracon with us at eight weeks
old, remember?
You don't remember.
-I don't remember.-No, he don't remember. All right, say,
say, "Hello world."
Say it l- nice and loud to everybody.
Hello world.
-There he is.-I love the eye roll. Sorry.
Sorry. Bye, Harry.
Um,
so, uh, yeah, what was the last thing I was gonna s- oh, here's the other piece of
(35:54):
this which is really interesting, I think.
Um, if, so
when a permission is about to expire, we can send an email out and say, "Hey, you
have this permission which is about to expire. If you need to extend your lease
-on it--Mm-hmm
... you can request, uh, an extension here." And they could click it. It could
-fire--Yeah
... off that extension request, and then their manager could approve it again, and
then it could happen. Right. So I think it re- and so what that allows essentially,
(36:17):
is that allows me to not only actually remove the burden from my software
development team, it actually also removes the ability of my IT guys to get
involved. They'll have to add new permissions-
-Mm-hmm-... but they should never really have to
get involved in the modifying of permissions outside of-
-Yeah-... if we need to add a default permission
to a particular job function or job role. Right? Um... So it'll be a little bit of
(36:41):
like a hand in glove situation where we do need to work closely with them on some of
those things. But as it is right now, it's sort of a pain in the neck because
they'll have to message one of the software devs and be like, "Hey, somebody
said they need to run that report. What role do they need?" That's, that's...
'Cause there's, it's not transparent to them at all-
-Yeah-... what, what roles are needed for what
particular abilities. And so
it's just we're trading problems, and I think it's a better solution.
(37:03):
Yeah.
-So.-So two, two things that I just thought of.
Number one, um, how easy are you making it? So if I have to go and request
permission to do some report, is it fairly obvious that I'm like, "This is the
permission that I want"?
-Right. Like--Are you naming them in such a way? 'Cause-
Yeah
... most, most permission stuff would be transparent to... I mean, maybe managers
(37:26):
know what the permissions are. You know, there would be some level of knowledge
there depending on their technical skill. But for most, most workers, I would
imagine that they don't know what they're asking for.
That's agreed. That- that's true. And I think right now, it's completely obli- n-
-nobody knows. There's no good catalog--Yeah
... of abilities, right? And so what we would have to do as part of this is we'd
have to... You know, we'd give it a good name, and we've got a convention that
(37:49):
we're using to convert the abilities, um,
to good named AD security objects. And then we need to give good definitions to
them as well. A- and so that'll be part of-
-Yeah-... the process of converting these over,
is just making sure that we give good descriptions of what they are. And then
we'll probably have to do something like a package, honestly, something that's going
(38:10):
to help to coordinate the different abilities between the different
applications. Or we'll have to create an endpoint that lives on these applications
where they can be hit and queried, and then they can return back those, those
pieces of data. 'Cause I really don't wanna have to
update...
I- I don't wanna have to update a package every time I wanna add a new ability. I
(38:31):
-don't wanna have to do that. And so--Right
... I think if we just created an endpoint that was like, "Hey, give me all the
different ability. Give me, give me your permissions catalog," and it could, it
could say what those are, then we can just essentially advertise that and, you know,
use an API token, go grab the abilities, uh, the abilities catalog, and then, um,
push those into a config item or something like that. You know what I mean? I'm not
(38:53):
-using the--Yeah
-... right wording here, but that--Yeah
... that would be the idea. So yeah, that, I think-
-Yeah-... that would be how you'd do it. You
would try and make it as obvious as we could. So that was, that was number one.
Yeah.
-And you had number two.-Um, I think the, the other thing, the
other thing was, you know, if, if you needed to request an extension... I mean,
you, you said at the top that
people would be asking for permission to do something because their manager is
(39:15):
-going to be away. So if they need--Ah
... to extend that, who's, who's approving that?
-Yeah, no.-Because the manager's obviously, you know,
-away for a bit longer, so there's--That's a good-
-... that's something to consider as well.-That's a good question. Um-
Like, someone would have to approve it,
-um--Yeah
... and they would probably... Like, I would, I would say that that is more the
exception than the norm, where maybe, you know, your team or IT would have to step
(39:36):
-in and go--Yes
... "Well, they had it."
Yeah, typically, that, that has happened before.
-But then you'd have--Yeah, where, where we would have somebody
-who's away--And I think you would probably have some
-rules around that as well.-Yeah.
Like, you can only request one extension, or the extension can only be for two days
-or something like that.-Yeah.
And we did a, we did a similar kind of thing with,
um, like invoices. When you've got an overdue invoice, you can request an
(40:00):
extension. And so the, the frontline staff would have permission to request an
extension, and there'd be, there was a series of rules. Like, you could, you
could ask for s- uh, 14 days or seven days, but you could only ask for each
once. So initially, you'd get like a 14-day buffer. And then if you had already
asked for 14 days, you could only ask for a seven-day extension from there.
(40:20):
And then there was like... that was it. And that was, like, enforcing business
rules ar- around those kinds of things. Because there's also this expectation of,
um... This was in telecommunications, so there's, there's a whole code of practice
around, um, not
l- allowing customers to get, you know, dig themselves into debt-
-Yeah, yeah-... over these kinds of things that, you
know, you would have to, you'd have to cut them off. You wouldn't be able to keep
(40:43):
extending them so that you didn't keep charging them for a service that they
-clearly can't pay for or--Yeah
... or had no interest in paying for. So,
um, yeah, maybe something like that where, you know, you get one,
one, um, bump. You know, it gives you an extra three days or something.
And then beyond that, you have to ask for a whole new thing.
-Yeah.-Um,
(41:04):
that, you know... Yeah, w- what that looks like for, for your organization and, and
how you implement that or what the, what the business rules around that is,
you know, up to, up to you guys. But it might be one approach that, that could be
-suitable.-It's a good idea to have a maximum number
of, um, extensions that you could do though. I think that's a great idea. It's
-not something--Right
... I'd thought of before. 'Cause yeah, otherwise you could just have somebody
(41:27):
continue to request extensions and just kind of go that way. And-
-Mm-hmm-... that does defeat the purpose a little
bit, especially if we have, like, long-term leases.
You could ask for a new... Yeah, but you could, you could ask for a new-
-Correct-... extension.
-Yes. Absolutely. Yeah, you--But it would, like, you couldn't just, you
couldn't have like a seven-day extension for the time that manager's away, and then
you would just ask for like... I would just top that up for another three days,
(41:47):
-another three days--Yeah
... another three days. Like, you would wanna set a cap on that.
-Yeah.-But if they, there was genuinely a need
for it, you know, if the manager had delegated the responsibility of running
that report to someone else, then, you know, that would just have to request that
-permission, you know--Absolutely
-... and say, "Okay, yes-"-And we have, I think the solution-
"... let's do it again. Here's another seven days or here's 30 days now."
Yeah, the solution in that instance would be like these long-term leases that we
(42:07):
-would have, that would be like--Mm-hmm
... you could request up to like a six-month lease or something like that. If
-you're--Yeah
... if, you know, in some instances, maybe it'd go through an additional approval
process or something where it's like, "Why are you asking for a six-month approval?"
Mm-hmm.
Uh, you have to have the approval of two... Or sorry, a six-month lease, you
have to have the approval of two people in order to get that or something. Um, and
if it was gonna be made a more permanent part of a role or delegated to somebody
(42:27):
else, then we might need to make an additional layer, an initial role, like a
training, uh, assistant. You know what I mean? Something like that role. And then
they just get that ability as well. Um, but again, the nice thing about this is
that if we needed to make that role, we would not have to be involved with that at
all. That decision can be made higher up the chain-
-Mm-hmm-... and we just check for the ability.
-Yeah.-So it's really nice.
(42:49):
-Yeah.-It allows the IT teams-
-Yeah. The roles can be created whenever.-You got it.
Yeah, roles can be created whenever, as long as they're composed of existing
-permissions.-You got it exactly right. And so I think
that really frees them up to do a lot of work. Now-... um, the, the trick is naming
the abilities well, and then the second trick is making sure that they kinda stay
in sync across this, uh, orchestrating, uh, entity that, th- that sits above it.
(43:13):
And so...
That's it. That's it, but I, I think, I think that works. Um,
and I think we actually might be able to get away without using permissions or
bouncer, Laravel permissions or bouncer, actually. Because we already have...
-Mm-hmm-... a process by which when a user logs
in, we look at all the security groups they're a part of, and we can inspect that
(43:34):
and assign permissions,
uh, it's basically just an array. It's just an array of permissions-
-Yeah-... which would be an enum cast
of, you know, w- of AD groups, AD security groups mapped to named permissions. And
we'll just cast them to an enum on that user and that's it.
-Yeah.-There's no, there's no need for, like,
-this one--Yeah, I think-
... to many whatever, because we're not gonna do roles inside of the application.
(43:56):
Right. Yeah. I think if, if the permissions for your application are
coming from something like Active Directory, then there's, there's no need
to
-layer the package on top.-Agreed.
As long as you've got some way of translating those things into... You know,
I mean, you could d- dynamically register policies or whatever else, or, or gates
-and things like that--Mm-hmm
... based on this. And then, whether you cache that, you know, for
(44:19):
24 hours, do you cache that just for the request, like do you use-
-It's... Yeah, just for the session-... it once or whatever?
-Yeah, it's just... Yep.-Yeah.
Yeah, and when they log in again, it does the check again. So it, it goes and talks
to AD and says give me the list of, uh, security groups they have.
-So you're not--Yeah.
So how are you, how are you dealing with, like, changing in permissions if, if
-someone like--Doesn't log in?
-... has a permission unassigned--Yeah, right
(44:41):
-... while, like, during a session?-This is a good question. And, and this is-
Are you-
I don't have a good solution to this. This is a good, this is a good question to
ask.
So, wh- what I will say is like right now, and the way that they've had to do it,
like if they've had to add a permission is they'll add the permission and then
they'll ask the user to sign out and sign back in,
right? They sign out, they sign back in, when they sign back in-
-Yeah. Yeah, adding, adding is fine.-Yep.
Because someone, because someone wants that, I want extra things-
(45:02):
-Yes-... yeah, I'll do, do the work to sign out
-and sign back in.-Exactly. Now, the question is-
-But if you are having some permission--... do we revoke that?
-... revoked.-Yeah. Yeah.
-Yeah.-Now, the way that we've got it set up
-right now--Or, or if, or if it's a lease that it
-expires--Yeah
... like it's gonna have to log you out somehow.
Yeah, so the way that we do it right now is, yeah, the thought is that we expire
the lease at like 6:00 AM. So at 6:00 AM on that day we say it should expire this
(45:23):
day, we revoke it. And if they haven't logged in that day, which it's very
unlikely that they have, then when they log in that day-
-Mm-hmm-... the permission will be revoked. Now,
in some weird case where we needed to revoke a permission for somebody
in the middle of the day, which I, I don't really see that happening. We don't
typically get requests to take permissions away. We get plenty of requests to add
(45:45):
permissions, but almost never. The only case I can think of where we say like we
would revoke permissions would be when somebody's getting terminated.
-You know, that happens.-Mm-hmm.
-But typically the way that that works is--Yeah
... a manager will set a time to say, "Hey, at 1:00 we're gonna have the
conversation with this person, we need to terminate this user at 1:00." And so
they'll pull them in, the IT team schedules the termination for 1:00, they
(46:06):
then revoke that user's access and then by the time they get back to their machine,
it's locked and they can't get logged back in and it's fine. So-
Yeah.
I don't... It's, it's a, it's an interesting question to posit but I'm not
sure
that it's a critical component of what I'm hoping to accomplish. I, I don't-
-Yeah.-I don't know.
Yeah. And, and I assume in an organization like yours you'd have a risk register
(46:30):
somewhere, and these are the kind of questions that I sit there and I come up
with and I send it to the risk team, and they put it in the risk register and we
say, "Okay, we know about this but we don't care about it."
-Yeah, exactly.-And as long as it's in the risk register-
-Yes-... you know, it has been raised, it is,
you know, we've decided that it's not something that we're terribly concerned
-with, fine, but it's been noted.-Exactly. We mark it as an acceptable risk.
And it's better to have something on the
(46:50):
-risk register--Yes.
Yeah, right, yeah, yeah. And it's better,
for those of you listening who are in, in smaller organizations or you're, you know,
on your own or whatever,
it's probably fine, you don't have to worry about it. But in, in big
organizations especially those that are, you know, ISO 27001 or their SOC 1, SOC 2,
whatever else, these are the kinds of things that it's, it is okay
(47:14):
to have these kinds of things sat on a risk register and you just say, "That's a
low risk, medium risk, it's acceptable," you know, we don't care about it but we,
b- but you still need to think about these kinds of things.
-Absolutely.-And then what you do with it is you just,
you decide, is it something that I need to, to put into code to protect against?
Or, is it okay to just, just to acknowledge that yes, that is something
(47:36):
that we are aware of, but we're not worried about it being an actual concern?
Yeah. I- so the two words that we typically use in those instances is that
we would say number one, it's a known, it's a known risk but it's a,
it's A,
it is an acceptable risk, and B, here is a compensating control.
Auditors love that phrase, a compensating control which just means we're aware of
(48:01):
this issue but we're solving it in a different way. So we would say the
compensating control is referenced user termination policy line 15, right? Where
it says, uh, you know, all user terminations will happen within 15 minutes
of a termination request or at the scheduled time requested by the manager.
And then you, you know, you basically reference, hey, here's the pla- place
(48:22):
where we say this is how we do it and this is why it's not a concern. That the
application handles it because our process handles it this way. Um, and so anyway,
those, those are good points to bring up, especially when you're trying to do those
things, SOC 1, SOC 2. If an auditor brings that up and you don't have a solution for
it like in code, i- if you have a solution for it in policy, um, then that's
(48:43):
usually good enough, so...
Yeah. Yeah.
-Well folks, that's all I've got.-Cool.
Michael, you got any... Uh, thanks for your help on that. I, I appreciate you
thinking through that with me. Um,
I think we're gonna move forward with that and I'll let you know kinda how things
go, uh, on that front. But, I think it'll be good. I think it's definitely gonna be
an improvement over what we've been doing.
(49:05):
-Yeah. Yeah, I think so.-Yeah. Yeah. So...
For sure.
All right my friend, Episode 179 of the North Meets South web podcast is in the
books. If you'd like to find show notes for this episode find them at
northmeetsouth.audio/179. If you'd like to talk to us on Twitter, on X, on all the
things, hit us up @michaeldyrynda, @jacobbennett or @northsouthaudio. And if
(49:26):
you liked the podcast we'd really appreciate it if you'd rate it up in your
podcatcher of choice, five stars would be absolutely incredible. Folks, we hope to
see you at Laracon, please say hello. We would love to talk to you in person. We
don't get to see any of you. Typically, for us this feels like speaking into the
void. It feels like nobody's listening to this ever until we get there and we hear
from all of you wonderful people. It's an encouragement every year to keep going-
(49:49):
-Oh-... and keep doing it, because...
I, I, I enjoy it. I think it's, it's good to know that people do listen but it's
-also a very bizarre experience.-Mm-hmm.
Because people know so much about you and you're like, "Hello person."
Oh, that's so funny.
-Yeah.-Don't let that deter- d- don't, don't let
that deter you from doing it though, I love, love to meet the people. Um, and
it's been, you know, like I said, six years since I got to meet the people.
(50:12):
-Absolutely.-So. Except for those of you who are kind
and caring enough to come all the way down to Laracon AU.
One of these years I'm gonna get there, folks.
All right everybody.
Till next time, we'll see you.