Gates
use App\Models\Post;
use App\Models\User;
use Illuminate\Support\Facades\Gate;
// Define a gate in AppServiceProvider (typically inside boot()).
// Because $user is a non-nullable User, an unauthenticated request is denied
// before the closure is ever invoked; use a nullable ?User hint when guests
// should be evaluated by the closure instead.
Gate::define('edit-post', fn (User $user, Post $post): bool => $user->id === $post->user_id);
// Authorization
// allows()/denies() look up the currently authenticated user themselves and pass
// $post through as the gate closure's extra argument.
if (Gate::allows("edit-post", $post)) { ... }
// denies() is the negation of allows(); abort(403) ends the request with HTTP Forbidden.
if (Gate::denies("edit-post", $post)) { abort(403); }
// For non-authenticated users: the nullable ?User hint makes the gate run for
// guests too, with null passed as the user. This gate therefore grants access
// to any authenticated user and denies every guest.
Gate::define('view-dashboard', fn (?User $user): bool => $user !== null);
Policies
// Generate: php artisan make:policy PostPolicy --model=Post
namespace App\Policies;
use App\Models\Post;
use App\Models\User;
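class PostPolicy
{
    /**
     * Anyone, including guests, may list posts.
     *
     * Per-post visibility is decided in view(), so a listing must still filter
     * through that method (or the equivalent query scope) for unpublished posts.
     */
    public function viewAny(?User $user): bool
    {
        return true;
    }

    /**
     * A post is visible when it is published, or when the caller owns it.
     *
     * The owner branch requires an authenticated user. A bare
     * `$user?->id === $post->user_id` would evaluate to `null === null` for a
     * guest looking at an unpublished post whose user_id is null, and grant
     * access; the explicit null check fails closed instead.
     */
    public function view(?User $user, Post $post): bool
    {
        if ($post->is_published) {
            return true;
        }

        return $user !== null && $this->owns($user, $post);
    }

    /**
     * Only active accounts may create posts.
     *
     * The cast keeps the decision a plain bool (and denies on a null attribute)
     * rather than relying on return-type coercion, which throws on null.
     */
    public function create(User $user): bool
    {
        return (bool) $user->is_active;
    }

    /** Only the owner may update a post. */
    public function update(User $user, Post $post): bool
    {
        return $this->owns($user, $post);
    }

    /** The owner or an administrator may delete a post. */
    public function delete(User $user, Post $post): bool
    {
        return $this->owns($user, $post) || (bool) $user->is_admin;
    }

    /**
     * Ownership check shared by view/update/delete: the post's user_id must be
     * identical (strict comparison) to the user's id. Private, so it is not
     * exposed as a policy ability.
     */
    private function owns(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }
}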
Controller Authorization
// Via middleware
// Via middleware: Route::can() is the fluent form of ->middleware('can:update,post').
// The {post} segment is model-bound to a Post before the policy's update() runs.
Route::put('/posts/{post}', [PostController::class, 'update'])
    ->can('update', 'post');
// Via helper methods
/**
 * Update the given post.
 *
 * authorize() is provided by the AuthorizesRequests controller trait: it runs the
 * policy's update() for the current user and throws AuthorizationException
 * (rendered as HTTP 403) when denied, so the code after the call only executes
 * for a user the policy accepts. $request is unused in this excerpt.
 */
public function update(Request $request, Post $post): RedirectResponse
{
$this->authorize("update", $post);
// ... apply the validated changes and redirect
}
// In Blade
{{-- @can evaluates the update ability for the current user, like Gate::allows();
     the link is omitted entirely when the check fails. {{ }} output is HTML-escaped. --}}
@can("update", $post)
<a href="/posts/{{ $post->id }}/edit">Edit</a>
@endcan