protected function hasPermission($permission, Model $requester) { // always allow new user registrations if ($permission == 'create') { return true; } // users can only edit themselves if ($permission === 'edit' && $requester instanceof self && $requester->id() == $this->id()) { return true; } // otherwise, defer to admin permissions return $requester->isAdmin(); }