Laravel Scopes Laravel Package

Product Decisions This Supports

• Feature Development: Accelerates implementation of role-based access control (RBAC) and data ownership for SaaS platforms, marketplaces, or multi-tenant applications. Reduces boilerplate for common queries like:
  • "Show me only my owned records"
  • "Fetch public records + my private records"
  • "Admin-only visibility overrides"
• Roadmap Prioritization: Justifies investing in authorization layers for new features (e.g., user dashboards, shared resources, or collaborative tools) by cutting ~30–50% of query-writing time.
• Build vs. Buy: Avoids reinventing scopes for user-owned models (e.g., Post, Invoice, Project). MIT license enables customization without vendor lock-in.
• Use Cases:
  • SaaS: Tenant-specific data isolation (e.g., User::where('tenant_id', auth()->id())).
  • Marketplaces: Seller-only visibility for listings (e.g., Product::where('seller_id', auth()->id())).
  • Internal Tools: Employee portals with departmental data access.
  • Public APIs: Filtering resources by is_public status (e.g., BlogPost::public()).

When to Consider This Package

• Adopt if:
  • Your app uses Eloquent models with user ownership (e.g., user_id foreign keys).
  • You need consistent visibility rules (e.g., "users see their own data + public data").
  • Your team lacks dedicated backend security expertise but needs quick, maintainable auth.
  • You’re building a Laravel monolith or microservice where scopes reduce coupling between controllers and queries.
• Look elsewhere if:
  • You require fine-grained attribute-level permissions (e.g., "Edit title but not content") → Use Spatie’s Laravel-Permission or Gate/Policy hybrids.
  • Your data model is non-relational (e.g., MongoDB) → Implement custom query builders.
  • You need audit logging for scope changes → Pair with Laravel Audit or Sentry.
  • Your team prefers declarative policies over scopes → Stick to Laravel’s built-in Gate/Policy system.
  • You’re using Laravel Nova/Vue Testimonials → These may have built-in scope equivalents.

How to Pitch It (Stakeholders)

For Executives:

"This package lets us ship secure, user-specific data access faster—without hiring a security specialist. For example, if we’re building a freelancer platform, developers can add use HasOwnershipScope to a Project model, and instantly restrict queries to only the current user’s projects. No more SQL injection risks from manual WHERE clauses, and it integrates with our existing Laravel policies. The MIT license means we own the code, and the ~10-minute setup pays off immediately for features like dashboards or shared workspaces."

For Engineering:

*"This solves a common anti-pattern: scattering where('user_id', auth()->id()) across repositories. The package gives us:

• DRY scopes: Replace repetitive if (auth()->can('view')) blocks in controllers.
• Policy compatibility: Works alongside Gate/Policy for hybrid auth (e.g., can('update', $post) + HasOwnershipScope).
• Testability: Scopes are unit-testable independently of business logic.
• Future-proof: Add HasPubli... or HasTeamScope later without refactoring.

Tradeoff: We cede zero control over query logic (it’s still Eloquent under the hood), but gain consistency and developer velocity. Let’s prototype it on the Invoice model this sprint."*

Call to Action: *"Approved? I’ll:

1. Add it to composer.json and publish the config.
2. Document the scope usage in our auth guidelines.
3. Demo the Project model integration in the next standup."*