LaravelLaravel 5.7Laravel 5.8Laravel 6Laravel Code Snippet

Laravel Authorization Policies – Part 2

By Pankaj Sood On Nov 22, 2019

Get real time updates directly on you device, subscribe now.

In this article, we will discuss “Laravel Authorization Policies”. As I already, Describe the Laravel Gates in my previous article. You have to take a look at Laravel Authorization with Gates article for better understanding. Basically, Laravel Policies are the best way to protect Model actions.

Table of Contents

Why we need Laravel Policy?

Laravel Policy is a class, in this class, we can organize the authorization logic of your application. It is the simplest way to implement the authorization for each of model action. For example, we define an update and delete method for our post model.

Create Policy

We can create a policy using the following artisan command and generated policy class located at “app/Policies”.

php artisan make:policy PostPolicy

Above mention, artisan command creates a policy class. But policy class not having any defined function. If you want to create all required methods within the policy you can run below command.

php artisan make:policy PostPolicy --model=PostPolicy

After executing the command, our PostPolicy class looks like.

<?php

namespace App\Policies;

use App\User;
use App\Post;
use Illuminate\Auth\Access\HandlesAuthorization;

class PostPolicy
{
    use HandlesAuthorization;

    /**
     * Determine whether the user can view any posts.
     *
     * @param  \App\User  $user
     * @return mixed
     */
    public function viewAny(User $user)
    {
        //
    }

    /**
     * Determine whether the user can view the post.
     *
     * @param  \App\User  $user
     * @param  \App\post  $post
     * @return mixed
     */
    public function view(User $user, Post $post)
    {
        //
    }

    /**
     * Determine whether the user can create posts.
     *
     * @param  \App\User  $user
     * @return mixed
     */
    public function create(User $user)
    {
        //
    }

    /**
     * Determine whether the user can update the post.
     *
     * @param  \App\User  $user
     * @param  \App\post  $post
     * @return mixed
     */
    public function update(User $user, Post $post)
    {
        //
    }

    /**
     * Determine whether the user can delete the post.
     *
     * @param  \App\User  $user
     * @param  \App\post  $post
     * @return mixed
     */
    public function delete(User $user, Post $post)
    {
        //
    }

    /**
     * Determine whether the user can restore the post.
     *
     * @param  \App\User  $user
     * @param  \App\post  $post
     * @return mixed
     */
    public function restore(User $user, Post $post)
    {
        //
    }

    /**
     * Determine whether the user can permanently delete the post.
     *
     * @param  \App\User  $user
     * @param  \App\post  $post
     * @return mixed
     */
    public function forceDelete(User $user, Post $post)
    {
        //
    }
}

Update Policy Class

Here, we update the “Update” and “Delete” methods as per the following code snippet.

...
    /**
     * Determine whether the user can update the post.
     *
     * @param  \App\User  $user
     * @param  \App\post  $post
     * @return mixed
     */
    public function update(User $user, Post $post)
    {
        return $user->id === $post->user_id;
    }

    /**
     * Determine whether the user can delete the post.
     *
     * @param  \App\User  $user
     * @param  \App\post  $post
     * @return mixed
     */
    public function delete(User $user, Post $post)
    {
        return $user->id === $post->user_id;
    }
...

In the above mention code, we are comparing the post user id with the login user id. If user id matched then the user is authorized to update or delete the post.

Register Policy

Our “PostPolicy class” is ready now. It’s time to register our class, so open “AuthServicProvider” file located at “app/Providers”.

Add your PostPolicy to the $policies array like below.

...
    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
        // 'App\Model' => 'App\Policies\ModelPolicy',
        'App\Model\Post' => 'App\Policied\PostPolicy'
    ];
...

Use Policies in View

After completing each step, you can use the “can” and “cannot” blade directive in the blade templates as given below.

@can('update', $post) // update or delete
  // show post update button
@endcan

@cannot('delete', $post) // update or delete
  // disable post delete button
@endcannot

Use Policies in Model

You can also use the policies in the model. As per the given example, we are checking the user is authorized or not for the update.

if ($user->can('update', $post)) {
  // add your actions here
}

Use Policies in Controller

In the controller, we can use the policy using the authorize method as given below. In the given example, we are checking used is authorized to delete the post or not. If authorized then the user can delete, otherwise, exception generates.

public function delete(Post $post)
{
  $this->authorize('delete', $post);
  // The current user can delete the post
}

Conclusion

In this article, I’m trying to explain to you the use of “Laravel Authorization Policies”. Laravel Policy provides the easiest and simple way to control the Authorization as per the Model actions. You can use Laravel Gates and Policies to create a fully functional permission management system. If you have any questions or suggestions, then please add them in the comment area.

Brief Understanding on Laravel Repository Pattern Design

Brief Understanding on Laravel Observers

Laravel Scout with TNTSearch Driver

If you like our content, please consider buying us a coffee.
Thank you for your support!
Buy Me a Coffee