Laravel Authorization Policies – Part 2
In this article, we will discuss “Laravel Authorization Policies”. As I already, Describe the Laravel Gates in my previous article. You have to take a look at Laravel Authorization with Gates article for better understanding. Basically, Laravel Policies are the best way to protect Model actions.
Table of Contents
Why we need Laravel Policy?
Laravel Policy is a class, in this class, we can organize the authorization logic of your application. It is the simplest way to implement the authorization for each of model action. For example, we define an update and delete method for our post model.
Create Policy
We can create a policy using the following artisan command and generated policy class located at “app/Policies”.
php artisan make:policy PostPolicy
Above mention, artisan command creates a policy class. But policy class not having any defined function. If you want to create all required methods within the policy you can run below command.
php artisan make:policy PostPolicy --model=PostPolicy
After executing the command, our PostPolicy class looks like.
<?php namespace App\Policies; use App\User; use App\Post; use Illuminate\Auth\Access\HandlesAuthorization; class PostPolicy { use HandlesAuthorization; /** * Determine whether the user can view any posts. * * @param \App\User $user * @return mixed */ public function viewAny(User $user) { // } /** * Determine whether the user can view the post. * * @param \App\User $user * @param \App\post $post * @return mixed */ public function view(User $user, Post $post) { // } /** * Determine whether the user can create posts. * * @param \App\User $user * @return mixed */ public function create(User $user) { // } /** * Determine whether the user can update the post. * * @param \App\User $user * @param \App\post $post * @return mixed */ public function update(User $user, Post $post) { // } /** * Determine whether the user can delete the post. * * @param \App\User $user * @param \App\post $post * @return mixed */ public function delete(User $user, Post $post) { // } /** * Determine whether the user can restore the post. * * @param \App\User $user * @param \App\post $post * @return mixed */ public function restore(User $user, Post $post) { // } /** * Determine whether the user can permanently delete the post. * * @param \App\User $user * @param \App\post $post * @return mixed */ public function forceDelete(User $user, Post $post) { // } }
Update Policy Class
Here, we update the “Update” and “Delete” methods as per the following code snippet.
... /** * Determine whether the user can update the post. * * @param \App\User $user * @param \App\post $post * @return mixed */ public function update(User $user, Post $post) { return $user->id === $post->user_id; } /** * Determine whether the user can delete the post. * * @param \App\User $user * @param \App\post $post * @return mixed */ public function delete(User $user, Post $post) { return $user->id === $post->user_id; } ...
In the above mention code, we are comparing the post user id with the login user id. If user id matched then the user is authorized to update or delete the post.
Register Policy
Our “PostPolicy class” is ready now. It’s time to register our class, so open “AuthServicProvider” file located at “app/Providers”.
Add your PostPolicy to the $policies array like below.
... /** * The policy mappings for the application. * * @var array */ protected $policies = [ // 'App\Model' => 'App\Policies\ModelPolicy', 'App\Model\Post' => 'App\Policied\PostPolicy' ]; ...
Use Policies in View
After completing each step, you can use the “can” and “cannot” blade directive in the blade templates as given below.
@can('update', $post) // update or delete // show post update button @endcan @cannot('delete', $post) // update or delete // disable post delete button @endcannot
Use Policies in Model
You can also use the policies in the model. As per the given example, we are checking the user is authorized or not for the update.
if ($user->can('update', $post)) { // add your actions here }
Use Policies in Controller
In the controller, we can use the policy using the authorize method as given below. In the given example, we are checking used is authorized to delete the post or not. If authorized then the user can delete, otherwise, exception generates.
public function delete(Post $post) { $this->authorize('delete', $post); // The current user can delete the post }
Conclusion
In this article, I’m trying to explain to you the use of “Laravel Authorization Policies”. Laravel Policy provides the easiest and simple way to control the Authorization as per the Model actions. You can use Laravel Gates and Policies to create a fully functional permission management system. If you have any questions or suggestions, then please add them in the comment area.
You may like
Laravel Authorization with Gates – Part 1
Brief Understanding on Laravel Repository Pattern Design
Brief Understanding on Laravel Observers
Laravel Scout with TNTSearch Driver
If you like our content, please consider buying us a coffee.
Thank you for your support!
Buy Me a Coffee