#### How to properly manage web app behavior based on controlled list values from database?

I’m not sure if this is the right place to ask this question, so please advise if it should be moved.

I am developing a web application based on Laravel whose main purpose is to provide an interface for a specific MariaDB relational database, which I didn’t design or develop myself.

This database contains a number of so-called ‘controlled lists’ of vocabulary terms, in the form of tables with an auto-increment field and a string field holding the term.

One of these tables is used to control the possible statuses to set when creating or editing a record in the db. The terms to choose from (with a <select> in an HTML form) include draft, complete etc. and are retrieved from the table.

The problem is the following:

The app has a rudimentary system for user roles, since different type of users should have different privileges.

One such role is reader and it’s only allowed to search for and view existing records, without editing anything. However, this user role should not be able to view records with a draft status.

The way I’m currently managing this looks somewhat like this:

if (Auth::user()->is_reader && \$record->status === 1) {
abort(403,'Not enough privileges to view this record.');
}


It basically uses the ID for the draft value from the status list table to check the status of the record and act accordingly. I’m also using a similar system to exclude draft records from search results.

I don’t like this because it relies on a specific ID value from the database, and although there is no way from the web interface to change the values in this specific table (list of statuses), the actual value could still change (or not?).

I’ve thought of first doing a query on the table to get the ID where the term is LIKE %draft%, but – although being more appropriate perhaps – I think I would still be relying on something that for some reason could change in the future (the term draft). Also, I suspect it would impact a bit on performance, though probably not much.

What would be a better way to approach this? Maybe don’t use the database for this specific list of terms and put them in a config file?

Thanks for any help.

Source: Laravel