Description
Laravel Version: 10.14.1
Nova Version: 4.26.3
PHP Version: 8.1
Database Driver & Version: MariaDB
Operating System and Version: Windows 10
Browser type and version: Firefox 115
Description:
Hi Dev,
I would like to describe a problem related to user access control authorization.
We have two user roles: admin and staff.
Admin can see all users, while staff can only see their own record at 'http://127.0.0.1:8000/dashboard/resources/users', using the following code:

```php
// On the Nova User resource: scopes the index listing only
public static function indexQuery(NovaRequest $request, $query): \Illuminate\Database\Eloquent\Builder
{
    $user = $request->user();
    if ($user) {
        if ($user->isSuperAdmin()) {
            // User is a super-admin, return the full query
            return $query;
        } else {
            // User is not a super-admin, return only their own record
            return $query->where('id', $user->id);
        }
    } else {
        return $query;
    }
}
```
But we need to give the "staff" user viewAnyUser in order to see the User resource at 'http://127.0.0.1:8000/dashboard/resources/users', limited to his user_id!
The problem is that if a staff user opens his profile in EDIT mode ("http://127.0.0.1:8000/dashboard/resources/users/2/edit") and edits the URL with another user's ID, e.g. "http://127.0.0.1:8000/dashboard/resources/users/1/edit", then he can see and update that user's information.
If we deny the viewAnyUser permission in the policy, the staff user cannot see the User resource at all ('http://127.0.0.1:8000/dashboard/resources/users'); I got a 403 error.
How can we secure the panel?
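The gap described above is that `indexQuery()` only narrows the index listing; when Nova serves the detail or edit page for a single record (or processes the update request), it asks the model's policy `view` / `update` methods about that specific record and does not consult `indexQuery()` at all. The per-record ownership check therefore belongs in the policy. The following `UserPolicy` is an added example written for this issue, not code from the reporter or from Nova itself; it assumes the `isSuperAdmin()` helper on the User model mentioned in the report, and that both roles are meant to reach the index page (with `indexQuery()` doing the narrowing there).

```php
<?php

namespace App\Policies;

use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;

/**
 * Hypothetical policy for the scenario in the issue.
 *
 * Nova authorizes each record action (detail page, edit form, update,
 * delete) by calling the matching method below with the concrete model,
 * so changing the id in the URL is checked against the record's owner
 * rather than against the index filter.
 */
class UserPolicy
{
    use HandlesAuthorization;

    // Index page: both admin and staff may open the resource list;
    // indexQuery() on the resource then limits what staff actually see.
    public function viewAny(User $user): bool
    {
        return true;
    }

    // Detail page /resources/users/{id}: admin, or the record's owner.
    public function view(User $user, User $model): bool
    {
        return $this->isAdminOrSelf($user, $model);
    }

    // Edit form /resources/users/{id}/edit and the PUT that follows it.
    public function update(User $user, User $model): bool
    {
        return $this->isAdminOrSelf($user, $model);
    }

    // Staff should not create or delete accounts; admins only.
    public function create(User $user): bool
    {
        return $user->isSuperAdmin();
    }

    public function delete(User $user, User $model): bool
    {
        return $user->isSuperAdmin();
    }

    // Shared ownership rule: super-admin, or acting on one's own row.
    // isSuperAdmin() is the helper assumed from the issue text.
    private function isAdminOrSelf(User $user, User $model): bool
    {
        return $user->isSuperAdmin() || $user->id === $model->id;
    }
}
```

With Laravel's policy auto-discovery, `App\Policies\UserPolicy` is picked up for `App\Models\User` without extra registration; if the policy lives elsewhere, map it in `AuthServiceProvider::$policies`. Keeping `indexQuery()` as well is still useful (it hides other rows from the list), but only the policy closes the direct-URL path, so a quick check after deploying is to sign in as staff and request another user's `/edit` URL, which should now return 403.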
