
Gates & Policies

Authorization gates, policy classes, controller authorization, and Blade checks.

Gates

use Illuminate\Support\Facades\Gate;

// Define a gate in AppServiceProvider.
// Ownership is decided by a strict identity check of the two ids; a loose `==`
// must not be used here, since it can match across types.
Gate::define("edit-post", fn (User $user, Post $post) => $user->id === $post->user_id);

// Authorization: allows()/denies() return a bool and never throw, so the
// caller itself has to act on the result (here: abort(403) on denial).
if (Gate::allows("edit-post", $post)) {
    // ...
}

if (Gate::denies("edit-post", $post)) {
    abort(403);
}

// For non-authenticated users: a gate is only consulted for guests when its
// user parameter is nullable (?User), as here; it then receives null. The
// "edit-post" gate above, typed with a non-nullable User, is not run for
// guests and the check simply fails for them.
Gate::define("view-dashboard", fn (?User $user) => $user !== null);

Policies

// Generate: php artisan make:policy PostPolicy --model=Post

namespace App\Policies;

use App\Models\Post;
use App\Models\User;

/**
 * Authorization rules for Post.
 *
 * Each public method is an ability name that Gate::allows(), @can and
 * $this->authorize() resolve to ("view", "update", ...). The methods typed
 * with a non-nullable User (create/update/delete) cannot be reached by a
 * guest; the ?User methods (viewAny/view) have to cope with a null user.
 */
class PostPolicy
{
    /** Listing posts is open to everyone, guests included. */
    public function viewAny(?User $user): bool
    {
        return true;
    }

    /** Published posts are public; drafts are visible only to their author. */
    public function view(?User $user, Post $post): bool
    {
        if ($post->is_published) {
            return true;
        }

        // For a guest the left side is null, so this is true only when
        // $post->user_id is itself null — worth guarding if that column is nullable.
        return $user?->id === $post->user_id;
    }

    /** Only active accounts may create posts. */
    public function create(User $user): bool
    {
        return $user->is_active;
    }

    /** Authors may edit their own posts. */
    public function update(User $user, Post $post): bool
    {
        $isAuthor = $user->id === $post->user_id;

        return $isAuthor;
    }

    /** Authors may delete their own posts; admins may delete any post. */
    public function delete(User $user, Post $post): bool
    {
        $isAuthor = $user->id === $post->user_id;

        return $isAuthor || $user->is_admin;
    }
}

Controller Authorization

// Via middleware: "can:update,post" evaluates the "update" ability (resolved
// to PostPolicy::update() when the policy is registered) against the
// route-model-bound {post} before the controller runs, so the action never
// executes for a request the policy denies.
$updatePost = Route::put("/posts/{post}", [PostController::class, "update"]);
$updatePost->middleware("can:update,post");

// Via helper methods
/**
 * Update the given post.
 *
 * authorize() (provided by the controller's AuthorizesRequests trait, not
 * shown here) evaluates the "update" ability for the current user against
 * $post and throws an AuthorizationException — rendered as a 403 — when it is
 * denied, so nothing after that line runs for an unauthorized request. Unlike
 * Gate::allows(), there is no bool result that a caller could forget to check.
 *
 * @param Request $request The incoming request (unused in this excerpt).
 * @param Post    $post    The route-model-bound {post}.
 */
public function update(Request $request, Post $post): RedirectResponse
{
$this->authorize("update", $post);
// ...
}

// In Blade
{{-- @can("update", $post) runs the same "update" ability as the controller.
     It only decides whether the link is rendered; it is not an access control.
     The edit/update routes must still be protected server-side, as the
     can:update,post middleware and $this->authorize() above show.
     {{ $post->id }} is HTML-escaped output; keep it, don't switch to {!! !!}. --}}
@can("update", $post)
<a href="/posts/{{ $post->id }}/edit">Edit</a>
@endcan

Examples

<?php
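// Register in AuthServiceProvider (the Gates section above uses
// AppServiceProvider; which provider applies depends on the Laravel version).
// The closure's parameter is a non-nullable User, so the gate is never run
// for a guest — guests are simply denied. The original snippet had the
// variable written as `\\$user`, which is not valid PHP.
Gate::define('view-reports', fn (User $user) => $user->is_admin);

// Check in controller.
// Gate::allows() returns a bool and does not throw, so the abort(403) below is
// what actually denies the request; dropping it would let the action continue.
if (Gate::allows('view-reports')) {
    return view('reports.index');
}

abort(403);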
