Gates
are closures that determine if a user is allowed to perform a certain action on a resource. Gates
are typically defined in the boot method of AuthServiceProvider
and succinctly named to reflect what it's doing. An example of a gate that allows only premium users to view some content will look like this:
Gate::define('view-content', function ($user, $content){
return $user->isSubscribedTo($content->id);
});
A Gate
always receives a user instance as the first argument, you don't need to pass it when using the gate, and may optionally receive additional arguments such as the eloquent model in concern.
To use the example above on a blade template to hide content from the user, you would typically do something like this:
@can('view-content', $content)
<! -- content here -->
@endcan
To completely prevent navigation to the content, you can do the following in your controller:
if(Gate::allows('view-content', $content)){
/* user can view the content */
}
OR
if(Gate::denies('view-content', $content)){
/* user cannot view content */
}
Note: You are not required to pass the currently authenticated user to these method, Laravel takes care of that for you.
Policies are classes that help you organise authorisation logic around a model resource. Using our previous example, we might have a ContentPolicy
that manages user access to the Content
model.
To make ContentPolicy
, laravel provides an artisan command. Simply run
php artisan make:policy ContentPolicy
This will make an empty policy class and place in app/Policies
folder. If the folder does not exist, Laravel will create it and place the class inside.
Once created, policies need to be registered to help Laravel know which policies to use when authorising actions on models. Laravel's AuthServiceProvider
, which comes with all fresh Laravel installations, has a policies property which maps your eloquent models to their authorisation policies. All you need to do add the mapping to the array.
protected $policies = [
Content::class => ContentPolicy::class,
];
Writing Policies
follows much the same pattern as writing Gates
. The content permission gate can be rewritten as a Policy like this:
function view($user, $content)
{
return $user->isSubscribedTo($content->id);
}
Policies can contain more methods as needed to take care of all authorisation cases for a model.
Via The User model
The Laravel User model contains two methods that help with authorisations using Policies
; can
and can't
. These two can be used to determine if a user has authorisation or not on a model respectively.
To check if a user can view a content or not, you can do the following:
if($user->can('view', $content)){
/* user can view content */
}
OR
if($user->cant('view', $content)){
/* user cannot view content */
}
Via Middleware
Route::get('/contents/{id}, function(Content $content){
/* user can view content */
})->middleware('can:view,content');
Via Controllers
Laravel provides a helper method, called authorize
that takes the name of the policy and the associated model as arguments, and either authorizes the action based on your authorisation logic or denies the action and throws an AuthorizationException
which the Laravel Exception handler converts to a 403 HTTP response
.
pubic function show($id)
{
$content = Content::find($id);
$this->authorize('view', $content);
/* user can view content */
}