From 7c0d53c7960d4cb6663e19cd10e0f1e32a87fefe Mon Sep 17 00:00:00 2001
From: MartinOscar <40749467+rmartinoscar@users.noreply.github.com>
Date: Sun, 7 Dec 2025 19:53:13 +0000
Subject: [PATCH] Use `Policies` rather then overriding `can*()` functions
 (#1837)

Co-authored-by: Boy132 <mail@boy132.de>
---
 .../DatabaseHosts/DatabaseHostResource.php    |  2 +-
 .../Admin/Resources/Mounts/MountResource.php  |  2 +-
 .../Admin/Resources/Roles/RoleResource.php    |  2 +-
 .../Admin/Resources/Users/UserResource.php    |  2 +-
 .../Resources/Webhooks/WebhookResource.php    |  2 +-
 .../Resources/Activities/ActivityResource.php |  6 ----
 .../Allocations/AllocationResource.php        | 21 -----------
 .../Resources/Backups/BackupResource.php      | 16 ---------
 .../Resources/Databases/DatabaseResource.php  | 26 --------------
 .../Server/Resources/Files/FileResource.php   | 23 ------------
 .../Resources/Schedules/ScheduleResource.php  | 26 ++------------
 .../Server/Resources/Users/UserResource.php   | 21 -----------
 app/Policies/{ => Admin}/ApiKeyPolicy.php     |  2 +-
 .../{ => Admin}/DatabaseHostPolicy.php        |  2 +-
 app/Policies/{ => Admin}/DefaultPolicies.php  |  2 +-
 app/Policies/{ => Admin}/EggPolicy.php        |  2 +-
 app/Policies/{ => Admin}/MountPolicy.php      |  2 +-
 app/Policies/{ => Admin}/NodePolicy.php       |  2 +-
 app/Policies/{ => Admin}/RolePolicy.php       |  2 +-
 app/Policies/Admin/ServerPolicy.php           | 10 ++++++
 app/Policies/{ => Admin}/UserPolicy.php       |  2 +-
 .../WebhookConfigurationPolicy.php            |  2 +-
 app/Policies/DatabasePolicy.php               | 10 ------
 app/Policies/Server/ActivityLogPolicy.php     | 21 +++++++++++
 app/Policies/Server/AllocationPolicy.php      | 36 +++++++++++++++++++
 app/Policies/Server/BackupPolicy.php          | 31 ++++++++++++++++
 app/Policies/Server/DatabasePolicy.php        | 36 +++++++++++++++++++
 app/Policies/Server/FilePolicy.php            | 36 +++++++++++++++++++
 app/Policies/Server/SchedulePolicy.php        | 36 +++++++++++++++++++
 app/Policies/{ => Server}/ServerPolicy.php    | 10 +++---
 app/Policies/Server/UserPolicy.php            | 36 +++++++++++++++++++
 app/Providers/AppServiceProvider.php          | 18 ++++++++--
 32 files changed, 278 insertions(+), 169 deletions(-)
 rename app/Policies/{ => Admin}/ApiKeyPolicy.php (77%)
 rename app/Policies/{ => Admin}/DatabaseHostPolicy.php (95%)
 rename app/Policies/{ => Admin}/DefaultPolicies.php (97%)
 rename app/Policies/{ => Admin}/EggPolicy.php (76%)
 rename app/Policies/{ => Admin}/MountPolicy.php (94%)
 rename app/Policies/{ => Admin}/NodePolicy.php (93%)
 rename app/Policies/{ => Admin}/RolePolicy.php (76%)
 create mode 100644 app/Policies/Admin/ServerPolicy.php
 rename app/Policies/{ => Admin}/UserPolicy.php (94%)
 rename app/Policies/{ => Admin}/WebhookConfigurationPolicy.php (79%)
 delete mode 100644 app/Policies/DatabasePolicy.php
 create mode 100644 app/Policies/Server/ActivityLogPolicy.php
 create mode 100644 app/Policies/Server/AllocationPolicy.php
 create mode 100644 app/Policies/Server/BackupPolicy.php
 create mode 100644 app/Policies/Server/DatabasePolicy.php
 create mode 100644 app/Policies/Server/FilePolicy.php
 create mode 100644 app/Policies/Server/SchedulePolicy.php
 rename app/Policies/{ => Server}/ServerPolicy.php (89%)
 create mode 100644 app/Policies/Server/UserPolicy.php

diff --git a/app/Filament/Admin/Resources/DatabaseHosts/DatabaseHostResource.php b/app/Filament/Admin/Resources/DatabaseHosts/DatabaseHostResource.php
index 0e22e9c79..d3d820886 100644
--- a/app/Filament/Admin/Resources/DatabaseHosts/DatabaseHostResource.php
+++ b/app/Filament/Admin/Resources/DatabaseHosts/DatabaseHostResource.php
@@ -91,7 +91,7 @@ class DatabaseHostResource extends Resource
             ->checkIfRecordIsSelectableUsing(fn (DatabaseHost $databaseHost) => !$databaseHost->databases_count)
             ->recordActions([
                 ViewAction::make()
-                    ->hidden(fn ($record) => static::canEdit($record)),
+                    ->hidden(fn ($record) => static::getEditAuthorizationResponse($record)->allowed()),
                 EditAction::make(),
             ])
             ->groupedBulkActions([
diff --git a/app/Filament/Admin/Resources/Mounts/MountResource.php b/app/Filament/Admin/Resources/Mounts/MountResource.php
index 7e26fe5a1..a9dd81ce0 100644
--- a/app/Filament/Admin/Resources/Mounts/MountResource.php
+++ b/app/Filament/Admin/Resources/Mounts/MountResource.php
@@ -95,7 +95,7 @@ class MountResource extends Resource
             ])
             ->recordActions([
                 ViewAction::make()
-                    ->hidden(fn ($record) => static::canEdit($record)),
+                    ->hidden(fn ($record) => static::getEditAuthorizationResponse($record)->allowed()),
                 EditAction::make(),
             ])
             ->groupedBulkActions([
diff --git a/app/Filament/Admin/Resources/Roles/RoleResource.php b/app/Filament/Admin/Resources/Roles/RoleResource.php
index 6a53efb4f..a3baf05e4 100644
--- a/app/Filament/Admin/Resources/Roles/RoleResource.php
+++ b/app/Filament/Admin/Resources/Roles/RoleResource.php
@@ -97,7 +97,7 @@ class RoleResource extends Resource
             ])
             ->recordActions([
                 ViewAction::make()
-                    ->hidden(fn ($record) => static::canEdit($record)),
+                    ->hidden(fn ($record) => static::getEditAuthorizationResponse($record)->allowed()),
                 EditAction::make(),
             ])
             ->checkIfRecordIsSelectableUsing(fn (Role $role) => !$role->isRootAdmin() && $role->users_count <= 0)
diff --git a/app/Filament/Admin/Resources/Users/UserResource.php b/app/Filament/Admin/Resources/Users/UserResource.php
index 866ee3dda..1aad76c1b 100644
--- a/app/Filament/Admin/Resources/Users/UserResource.php
+++ b/app/Filament/Admin/Resources/Users/UserResource.php
@@ -130,7 +130,7 @@ class UserResource extends Resource
             ])
             ->recordActions([
                 ViewAction::make()
-                    ->hidden(fn ($record) => static::canEdit($record)),
+                    ->hidden(fn ($record) => static::getEditAuthorizationResponse($record)->allowed()),
                 EditAction::make(),
             ])
             ->checkIfRecordIsSelectableUsing(fn (User $user) => user()?->id !== $user->id && !$user->servers_count)
diff --git a/app/Filament/Admin/Resources/Webhooks/WebhookResource.php b/app/Filament/Admin/Resources/Webhooks/WebhookResource.php
index 8f5d5241c..a02cec609 100644
--- a/app/Filament/Admin/Resources/Webhooks/WebhookResource.php
+++ b/app/Filament/Admin/Resources/Webhooks/WebhookResource.php
@@ -97,7 +97,7 @@ class WebhookResource extends Resource
             ])
             ->recordActions([
                 ViewAction::make()
-                    ->hidden(fn (WebhookConfiguration $record) => static::canEdit($record)),
+                    ->hidden(fn (WebhookConfiguration $record) => static::getEditAuthorizationResponse($record)->allowed()),
                 EditAction::make(),
                 ReplicateAction::make()
                     ->iconButton()
diff --git a/app/Filament/Server/Resources/Activities/ActivityResource.php b/app/Filament/Server/Resources/Activities/ActivityResource.php
index 30dd56bfd..3c5b0eaf7 100644
--- a/app/Filament/Server/Resources/Activities/ActivityResource.php
+++ b/app/Filament/Server/Resources/Activities/ActivityResource.php
@@ -6,7 +6,6 @@ use App\Filament\Admin\Resources\Users\Pages\EditUser;
 use App\Filament\Components\Tables\Columns\DateTimeColumn;
 use App\Filament\Server\Resources\Activities\Pages\ListActivities;
 use App\Models\ActivityLog;
-use App\Models\Permission;
 use App\Models\Role;
 use App\Models\Server;
 use App\Models\User;
@@ -164,11 +163,6 @@ class ActivityResource extends Resource
             });
     }
 
-    public static function canViewAny(): bool
-    {
-        return user()?->can(Permission::ACTION_ACTIVITY_READ, Filament::getTenant());
-    }
-
     /** @return array<string, PageRegistration> */
     public static function getDefaultPages(): array
     {
diff --git a/app/Filament/Server/Resources/Allocations/AllocationResource.php b/app/Filament/Server/Resources/Allocations/AllocationResource.php
index 379223569..79ead717f 100644
--- a/app/Filament/Server/Resources/Allocations/AllocationResource.php
+++ b/app/Filament/Server/Resources/Allocations/AllocationResource.php
@@ -23,7 +23,6 @@ use Filament\Tables\Columns\IconColumn;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Columns\TextInputColumn;
 use Filament\Tables\Table;
-use Illuminate\Database\Eloquent\Model;
 
 class AllocationResource extends Resource
 {
@@ -122,26 +121,6 @@ class AllocationResource extends Resource
             ]);
     }
 
-    public static function canViewAny(): bool
-    {
-        return user()?->can(Permission::ACTION_ALLOCATION_READ, Filament::getTenant());
-    }
-
-    public static function canCreate(): bool
-    {
-        return user()?->can(Permission::ACTION_ALLOCATION_CREATE, Filament::getTenant());
-    }
-
-    public static function canEdit(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_ALLOCATION_UPDATE, Filament::getTenant());
-    }
-
-    public static function canDelete(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_ALLOCATION_DELETE, Filament::getTenant());
-    }
-
     /** @return array<string, PageRegistration> */
     public static function getDefaultPages(): array
     {
diff --git a/app/Filament/Server/Resources/Backups/BackupResource.php b/app/Filament/Server/Resources/Backups/BackupResource.php
index 4c00db678..66a2aad30 100644
--- a/app/Filament/Server/Resources/Backups/BackupResource.php
+++ b/app/Filament/Server/Resources/Backups/BackupResource.php
@@ -40,7 +40,6 @@ use Filament\Support\Enums\IconSize;
 use Filament\Tables\Columns\IconColumn;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Table;
-use Illuminate\Database\Eloquent\Model;
 use Illuminate\Http\Client\ConnectionException;
 use Illuminate\Http\Request;
 use Symfony\Component\HttpKernel\Exception\HttpException;
@@ -298,21 +297,6 @@ class BackupResource extends Resource
             ]);
     }
 
-    public static function canViewAny(): bool
-    {
-        return user()?->can(Permission::ACTION_BACKUP_READ, Filament::getTenant());
-    }
-
-    public static function canCreate(): bool
-    {
-        return user()?->can(Permission::ACTION_BACKUP_CREATE, Filament::getTenant());
-    }
-
-    public static function canDelete(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_BACKUP_DELETE, Filament::getTenant());
-    }
-
     /** @return array<string, PageRegistration> */
     public static function getDefaultPages(): array
     {
diff --git a/app/Filament/Server/Resources/Databases/DatabaseResource.php b/app/Filament/Server/Resources/Databases/DatabaseResource.php
index e5bbe5da3..bbd555960 100644
--- a/app/Filament/Server/Resources/Databases/DatabaseResource.php
+++ b/app/Filament/Server/Resources/Databases/DatabaseResource.php
@@ -31,7 +31,6 @@ use Filament\Schemas\Schema;
 use Filament\Support\Enums\IconSize;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Table;
-use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Str;
 
 class DatabaseResource extends Resource
@@ -210,31 +209,6 @@ class DatabaseResource extends Resource
             ]);
     }
 
-    public static function canViewAny(): bool
-    {
-        return user()?->can(Permission::ACTION_DATABASE_READ, Filament::getTenant());
-    }
-
-    public static function canView(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_DATABASE_READ, Filament::getTenant());
-    }
-
-    public static function canCreate(): bool
-    {
-        return user()?->can(Permission::ACTION_DATABASE_CREATE, Filament::getTenant());
-    }
-
-    public static function canEdit(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_DATABASE_UPDATE, Filament::getTenant());
-    }
-
-    public static function canDelete(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_DATABASE_DELETE, Filament::getTenant());
-    }
-
     /** @return array<string, PageRegistration> */
     public static function getDefaultPages(): array
     {
diff --git a/app/Filament/Server/Resources/Files/FileResource.php b/app/Filament/Server/Resources/Files/FileResource.php
index 281758113..2870ba565 100644
--- a/app/Filament/Server/Resources/Files/FileResource.php
+++ b/app/Filament/Server/Resources/Files/FileResource.php
@@ -7,14 +7,11 @@ use App\Filament\Server\Resources\Files\Pages\EditFiles;
 use App\Filament\Server\Resources\Files\Pages\ListFiles;
 use App\Filament\Server\Resources\Files\Pages\SearchFiles;
 use App\Models\File;
-use App\Models\Permission;
 use App\Traits\Filament\BlockAccessInConflict;
 use App\Traits\Filament\CanCustomizePages;
 use App\Traits\Filament\CanCustomizeRelations;
-use Filament\Facades\Filament;
 use Filament\Resources\Pages\PageRegistration;
 use Filament\Resources\Resource;
-use Illuminate\Database\Eloquent\Model;
 
 class FileResource extends Resource
 {
@@ -30,26 +27,6 @@ class FileResource extends Resource
 
     protected static bool $isScopedToTenant = false;
 
-    public static function canViewAny(): bool
-    {
-        return user()?->can(Permission::ACTION_FILE_READ, Filament::getTenant());
-    }
-
-    public static function canCreate(): bool
-    {
-        return user()?->can(Permission::ACTION_FILE_CREATE, Filament::getTenant());
-    }
-
-    public static function canEdit(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_FILE_UPDATE, Filament::getTenant());
-    }
-
-    public static function canDelete(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_FILE_DELETE, Filament::getTenant());
-    }
-
     /** @return array<string, PageRegistration> */
     public static function getDefaultPages(): array
     {
diff --git a/app/Filament/Server/Resources/Schedules/ScheduleResource.php b/app/Filament/Server/Resources/Schedules/ScheduleResource.php
index 4ccca31df..bc708c0dd 100644
--- a/app/Filament/Server/Resources/Schedules/ScheduleResource.php
+++ b/app/Filament/Server/Resources/Schedules/ScheduleResource.php
@@ -13,7 +13,6 @@ use App\Filament\Server\Resources\Schedules\Pages\ListSchedules;
 use App\Filament\Server\Resources\Schedules\Pages\ViewSchedule;
 use App\Filament\Server\Resources\Schedules\RelationManagers\TasksRelationManager;
 use App\Helpers\Utilities;
-use App\Models\Permission;
 use App\Models\Schedule;
 use App\Traits\Filament\BlockAccessInConflict;
 use App\Traits\Filament\CanCustomizePages;
@@ -26,7 +25,6 @@ use Filament\Actions\CreateAction;
 use Filament\Actions\DeleteAction;
 use Filament\Actions\EditAction;
 use Filament\Actions\ViewAction;
-use Filament\Facades\Filament;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TextInput;
 use Filament\Forms\Components\Toggle;
@@ -46,7 +44,6 @@ use Filament\Support\Exceptions\Halt;
 use Filament\Tables\Columns\IconColumn;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Table;
-use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\HtmlString;
 use Throwable;
 
@@ -64,26 +61,6 @@ class ScheduleResource extends Resource
 
     protected static string|\BackedEnum|null $navigationIcon = 'tabler-clock';
 
-    public static function canViewAny(): bool
-    {
-        return user()?->can(Permission::ACTION_SCHEDULE_READ, Filament::getTenant());
-    }
-
-    public static function canCreate(): bool
-    {
-        return user()?->can(Permission::ACTION_SCHEDULE_CREATE, Filament::getTenant());
-    }
-
-    public static function canEdit(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_SCHEDULE_UPDATE, Filament::getTenant());
-    }
-
-    public static function canDelete(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_SCHEDULE_DELETE, Filament::getTenant());
-    }
-
     /**
      * @throws Exception
      */
@@ -357,7 +334,8 @@ class ScheduleResource extends Resource
                     ->state(fn (Schedule $schedule) => $schedule->status === ScheduleStatus::Active ? $schedule->next_run_at : null),
             ])
             ->recordActions([
-                ViewAction::make(),
+                ViewAction::make()
+                    ->hidden(fn ($record) => static::getEditAuthorizationResponse($record)->allowed()),
                 EditAction::make(),
                 DeleteAction::make()
                     ->after(function (Schedule $schedule) {
diff --git a/app/Filament/Server/Resources/Users/UserResource.php b/app/Filament/Server/Resources/Users/UserResource.php
index 9baf9300e..21218ce38 100644
--- a/app/Filament/Server/Resources/Users/UserResource.php
+++ b/app/Filament/Server/Resources/Users/UserResource.php
@@ -37,7 +37,6 @@ use Filament\Support\Enums\IconSize;
 use Filament\Tables\Columns\ImageColumn;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Table;
-use Illuminate\Database\Eloquent\Model;
 
 class UserResource extends Resource
 {
@@ -63,26 +62,6 @@ class UserResource extends Resource
         return $server->subusers->count();
     }
 
-    public static function canViewAny(): bool
-    {
-        return user()?->can(Permission::ACTION_USER_READ, Filament::getTenant());
-    }
-
-    public static function canCreate(): bool
-    {
-        return user()?->can(Permission::ACTION_USER_CREATE, Filament::getTenant());
-    }
-
-    public static function canEdit(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_USER_UPDATE, Filament::getTenant());
-    }
-
-    public static function canDelete(Model $record): bool
-    {
-        return user()?->can(Permission::ACTION_USER_DELETE, Filament::getTenant());
-    }
-
     public static function defaultTable(Table $table): Table
     {
         /** @var Server $server */
diff --git a/app/Policies/ApiKeyPolicy.php b/app/Policies/Admin/ApiKeyPolicy.php
similarity index 77%
rename from app/Policies/ApiKeyPolicy.php
rename to app/Policies/Admin/ApiKeyPolicy.php
index ce04ec19f..435ae345c 100644
--- a/app/Policies/ApiKeyPolicy.php
+++ b/app/Policies/Admin/ApiKeyPolicy.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Admin;
 
 class ApiKeyPolicy
 {
diff --git a/app/Policies/DatabaseHostPolicy.php b/app/Policies/Admin/DatabaseHostPolicy.php
similarity index 95%
rename from app/Policies/DatabaseHostPolicy.php
rename to app/Policies/Admin/DatabaseHostPolicy.php
index e7f9d4661..809695a8b 100644
--- a/app/Policies/DatabaseHostPolicy.php
+++ b/app/Policies/Admin/DatabaseHostPolicy.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Admin;
 
 use App\Models\DatabaseHost;
 use App\Models\User;
diff --git a/app/Policies/DefaultPolicies.php b/app/Policies/Admin/DefaultPolicies.php
similarity index 97%
rename from app/Policies/DefaultPolicies.php
rename to app/Policies/Admin/DefaultPolicies.php
index 2eb29fa59..59584f776 100644
--- a/app/Policies/DefaultPolicies.php
+++ b/app/Policies/Admin/DefaultPolicies.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Admin;
 
 use App\Models\User;
 use Illuminate\Database\Eloquent\Model;
diff --git a/app/Policies/EggPolicy.php b/app/Policies/Admin/EggPolicy.php
similarity index 76%
rename from app/Policies/EggPolicy.php
rename to app/Policies/Admin/EggPolicy.php
index bd589f1b2..9343f7a94 100644
--- a/app/Policies/EggPolicy.php
+++ b/app/Policies/Admin/EggPolicy.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Admin;
 
 class EggPolicy
 {
diff --git a/app/Policies/MountPolicy.php b/app/Policies/Admin/MountPolicy.php
similarity index 94%
rename from app/Policies/MountPolicy.php
rename to app/Policies/Admin/MountPolicy.php
index 9495dd08d..3bc27db83 100644
--- a/app/Policies/MountPolicy.php
+++ b/app/Policies/Admin/MountPolicy.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Admin;
 
 use App\Models\Mount;
 use App\Models\User;
diff --git a/app/Policies/NodePolicy.php b/app/Policies/Admin/NodePolicy.php
similarity index 93%
rename from app/Policies/NodePolicy.php
rename to app/Policies/Admin/NodePolicy.php
index 6a459155c..3a33fe19c 100644
--- a/app/Policies/NodePolicy.php
+++ b/app/Policies/Admin/NodePolicy.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Admin;
 
 use App\Models\Node;
 use App\Models\User;
diff --git a/app/Policies/RolePolicy.php b/app/Policies/Admin/RolePolicy.php
similarity index 76%
rename from app/Policies/RolePolicy.php
rename to app/Policies/Admin/RolePolicy.php
index edcc834e3..3ff909e89 100644
--- a/app/Policies/RolePolicy.php
+++ b/app/Policies/Admin/RolePolicy.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Admin;
 
 class RolePolicy
 {
diff --git a/app/Policies/Admin/ServerPolicy.php b/app/Policies/Admin/ServerPolicy.php
new file mode 100644
index 000000000..43390fdf4
--- /dev/null
+++ b/app/Policies/Admin/ServerPolicy.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Policies\Admin;
+
+class ServerPolicy
+{
+    use DefaultPolicies;
+
+    protected string $modelName = 'server';
+}
diff --git a/app/Policies/UserPolicy.php b/app/Policies/Admin/UserPolicy.php
similarity index 94%
rename from app/Policies/UserPolicy.php
rename to app/Policies/Admin/UserPolicy.php
index 6f975b474..43abdfa7b 100644
--- a/app/Policies/UserPolicy.php
+++ b/app/Policies/Admin/UserPolicy.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Admin;
 
 use App\Models\User;
 use Illuminate\Database\Eloquent\Model;
diff --git a/app/Policies/WebhookConfigurationPolicy.php b/app/Policies/Admin/WebhookConfigurationPolicy.php
similarity index 79%
rename from app/Policies/WebhookConfigurationPolicy.php
rename to app/Policies/Admin/WebhookConfigurationPolicy.php
index d95694301..5f65d2d7d 100644
--- a/app/Policies/WebhookConfigurationPolicy.php
+++ b/app/Policies/Admin/WebhookConfigurationPolicy.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Admin;
 
 class WebhookConfigurationPolicy
 {
diff --git a/app/Policies/DatabasePolicy.php b/app/Policies/DatabasePolicy.php
deleted file mode 100644
index ce54b9e64..000000000
--- a/app/Policies/DatabasePolicy.php
+++ /dev/null
@@ -1,10 +0,0 @@
-<?php
-
-namespace App\Policies;
-
-class DatabasePolicy
-{
-    use DefaultPolicies;
-
-    protected string $modelName = 'database';
-}
diff --git a/app/Policies/Server/ActivityLogPolicy.php b/app/Policies/Server/ActivityLogPolicy.php
new file mode 100644
index 000000000..d479b43ff
--- /dev/null
+++ b/app/Policies/Server/ActivityLogPolicy.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace App\Policies\Server;
+
+use App\Models\Permission;
+use App\Models\User;
+use Filament\Facades\Filament;
+use Illuminate\Database\Eloquent\Model;
+
+class ActivityLogPolicy
+{
+    public function viewAny(User $user): bool
+    {
+        return $user->can(Permission::ACTION_ACTIVITY_READ, Filament::getTenant());
+    }
+
+    public function view(User $user, Model $model): bool
+    {
+        return $user->can(Permission::ACTION_ACTIVITY_READ, Filament::getTenant());
+    }
+}
diff --git a/app/Policies/Server/AllocationPolicy.php b/app/Policies/Server/AllocationPolicy.php
new file mode 100644
index 000000000..83dd52644
--- /dev/null
+++ b/app/Policies/Server/AllocationPolicy.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace App\Policies\Server;
+
+use App\Models\Permission;
+use App\Models\User;
+use Filament\Facades\Filament;
+use Illuminate\Database\Eloquent\Model;
+
+class AllocationPolicy
+{
+    public function viewAny(User $user): bool
+    {
+        return $user->can(Permission::ACTION_ALLOCATION_READ, Filament::getTenant());
+    }
+
+    public function view(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_ALLOCATION_READ, Filament::getTenant());
+    }
+
+    public function create(User $user): bool
+    {
+        return $user->can(Permission::ACTION_ALLOCATION_CREATE, Filament::getTenant());
+    }
+
+    public function edit(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_ALLOCATION_UPDATE, Filament::getTenant());
+    }
+
+    public function delete(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_ALLOCATION_DELETE, Filament::getTenant());
+    }
+}
diff --git a/app/Policies/Server/BackupPolicy.php b/app/Policies/Server/BackupPolicy.php
new file mode 100644
index 000000000..6dc3d25ad
--- /dev/null
+++ b/app/Policies/Server/BackupPolicy.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Policies\Server;
+
+use App\Models\Permission;
+use App\Models\User;
+use Filament\Facades\Filament;
+use Illuminate\Database\Eloquent\Model;
+
+class BackupPolicy
+{
+    public function viewAny(User $user): bool
+    {
+        return $user->can(Permission::ACTION_BACKUP_READ, Filament::getTenant());
+    }
+
+    public function view(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_BACKUP_READ, Filament::getTenant());
+    }
+
+    public function create(User $user): bool
+    {
+        return $user->can(Permission::ACTION_BACKUP_CREATE, Filament::getTenant());
+    }
+
+    public function delete(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_BACKUP_DELETE, Filament::getTenant());
+    }
+}
diff --git a/app/Policies/Server/DatabasePolicy.php b/app/Policies/Server/DatabasePolicy.php
new file mode 100644
index 000000000..e3ad4548d
--- /dev/null
+++ b/app/Policies/Server/DatabasePolicy.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace App\Policies\Server;
+
+use App\Models\Permission;
+use App\Models\User;
+use Filament\Facades\Filament;
+use Illuminate\Database\Eloquent\Model;
+
+class DatabasePolicy
+{
+    public function viewAny(User $user): bool
+    {
+        return $user->can(Permission::ACTION_DATABASE_READ, Filament::getTenant());
+    }
+
+    public function view(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_DATABASE_READ, Filament::getTenant());
+    }
+
+    public function create(User $user): bool
+    {
+        return $user->can(Permission::ACTION_DATABASE_CREATE, Filament::getTenant());
+    }
+
+    public function edit(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_DATABASE_UPDATE, Filament::getTenant());
+    }
+
+    public function delete(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_DATABASE_DELETE, Filament::getTenant());
+    }
+}
diff --git a/app/Policies/Server/FilePolicy.php b/app/Policies/Server/FilePolicy.php
new file mode 100644
index 000000000..e8f90de35
--- /dev/null
+++ b/app/Policies/Server/FilePolicy.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace App\Policies\Server;
+
+use App\Models\Permission;
+use App\Models\User;
+use Filament\Facades\Filament;
+use Illuminate\Database\Eloquent\Model;
+
+class FilePolicy
+{
+    public function viewAny(User $user): bool
+    {
+        return $user->can(Permission::ACTION_FILE_READ, Filament::getTenant());
+    }
+
+    public function view(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_FILE_READ_CONTENT, Filament::getTenant());
+    }
+
+    public function create(User $user): bool
+    {
+        return $user->can(Permission::ACTION_FILE_CREATE, Filament::getTenant());
+    }
+
+    public function edit(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_FILE_UPDATE, Filament::getTenant());
+    }
+
+    public function delete(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_FILE_DELETE, Filament::getTenant());
+    }
+}
diff --git a/app/Policies/Server/SchedulePolicy.php b/app/Policies/Server/SchedulePolicy.php
new file mode 100644
index 000000000..4312c96ed
--- /dev/null
+++ b/app/Policies/Server/SchedulePolicy.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace App\Policies\Server;
+
+use App\Models\Permission;
+use App\Models\User;
+use Filament\Facades\Filament;
+use Illuminate\Database\Eloquent\Model;
+
+class SchedulePolicy
+{
+    public function viewAny(User $user): bool
+    {
+        return $user->can(Permission::ACTION_SCHEDULE_READ, Filament::getTenant());
+    }
+
+    public function view(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_SCHEDULE_READ, Filament::getTenant());
+    }
+
+    public function create(User $user): bool
+    {
+        return $user->can(Permission::ACTION_SCHEDULE_CREATE, Filament::getTenant());
+    }
+
+    public function edit(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_SCHEDULE_UPDATE, Filament::getTenant());
+    }
+
+    public function delete(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_SCHEDULE_DELETE, Filament::getTenant());
+    }
+}
diff --git a/app/Policies/ServerPolicy.php b/app/Policies/Server/ServerPolicy.php
similarity index 89%
rename from app/Policies/ServerPolicy.php
rename to app/Policies/Server/ServerPolicy.php
index d032405d7..9b02967e2 100644
--- a/app/Policies/ServerPolicy.php
+++ b/app/Policies/Server/ServerPolicy.php
@@ -1,6 +1,6 @@
 <?php
 
-namespace App\Policies;
+namespace App\Policies\Server;
 
 use App\Models\Permission;
 use App\Models\Server;
@@ -8,10 +8,6 @@ use App\Models\User;
 
 class ServerPolicy
 {
-    use DefaultPolicies;
-
-    protected string $modelName = 'server';
-
     /**
      * Runs before any of the functions are called. Used to determine if the (sub-)user has permissions.
      */
@@ -48,8 +44,10 @@ class ServerPolicy
      * This is a horrendous hack to avoid Laravel's "smart" behavior that does
      * not call the before() function if there isn't a function matching the
      * policy permission.
+     *
+     * @param  array<string, mixed>  $arguments
      */
-    public function __call(string $name, mixed $arguments): void
+    public function __call(string $name, array $arguments): void
     {
         // do nothing
     }
diff --git a/app/Policies/Server/UserPolicy.php b/app/Policies/Server/UserPolicy.php
new file mode 100644
index 000000000..2d42a544d
--- /dev/null
+++ b/app/Policies/Server/UserPolicy.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace App\Policies\Server;
+
+use App\Models\Permission;
+use App\Models\User;
+use Filament\Facades\Filament;
+use Illuminate\Database\Eloquent\Model;
+
+class UserPolicy
+{
+    public function viewAny(User $user): bool
+    {
+        return $user->can(Permission::ACTION_USER_READ, Filament::getTenant());
+    }
+
+    public function view(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_USER_READ, Filament::getTenant());
+    }
+
+    public function create(User $user): bool
+    {
+        return $user->can(Permission::ACTION_USER_CREATE, Filament::getTenant());
+    }
+
+    public function edit(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_USER_UPDATE, Filament::getTenant());
+    }
+
+    public function delete(User $user, Model $record): bool
+    {
+        return $user->can(Permission::ACTION_USER_DELETE, Filament::getTenant());
+    }
+}
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index a686890f6..e398d1862 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -26,6 +26,7 @@ use App\Services\Helpers\SoftwareVersionService;
 use Dedoc\Scramble\Scramble;
 use Dedoc\Scramble\Support\Generator\OpenApi;
 use Dedoc\Scramble\Support\Generator\SecurityScheme;
+use Filament\Facades\Filament;
 use Illuminate\Config\Repository;
 use Illuminate\Database\Eloquent\Relations\Relation;
 use Illuminate\Foundation\Application;
@@ -106,8 +107,21 @@ class AppServiceProvider extends ServiceProvider
             ]);
         }
 
-        Gate::before(function (User $user, $ability) {
-            return $user->isRootAdmin() ? true : null;
+        Gate::before(fn (User $user, $ability) => $user->isRootAdmin() ? true : null);
+
+        Gate::guessPolicyNamesUsing(function (string $modelClass) {
+            $panelId = mb_ucfirst(Filament::getCurrentOrDefaultPanel()->getId());
+
+            if ($panelId === 'App') {
+                return;
+            }
+
+            $modelName = class_basename($modelClass);
+            $class = "App\\Policies\\{$panelId}\\{$modelName}Policy";
+
+            if (class_exists($class)) {
+                return $class;
+            }
         });
 
         AboutCommand::add('Pelican', [