Authorization with Policies and Gates
Example
<?php
// app/Policies/PostPolicy.php
namespace App\Policies;
use App\Models\Post;
use App\Models\User;
use Illuminate\Auth\Access\Response;
class PostPolicy
{
    /**
     * Pre-check the Gate runs ahead of every ability on this policy.
     *
     * Returning `true` short-circuits to "allowed" for any ability — including
     * delete — so the super-admin test is the only thing that belongs here.
     * Returning `null` hands the decision to the matching ability method below.
     */
    public function before(User $user, string $ability): bool|null
    {
        if ($user->isAdmin()) {
            return true;
        }

        return null;
    }

    /** Listing posts is open to every authenticated user. */
    public function viewAny(User $user): bool
    {
        return true;
    }

    /**
     * A published post is readable by anyone, including guests; an
     * unpublished one is visible only to its author.
     *
     * The nullable `$user` is what lets Laravel call this method for
     * unauthenticated requests instead of denying them outright.
     */
    public function view(?User $user, Post $post): bool
    {
        if ($post->status === 'published') {
            return true;
        }

        return $user?->id === $post->user_id;
    }

    /** Only users with a verified e-mail address may create posts. */
    public function create(User $user): bool
    {
        return $user->hasVerifiedEmail();
    }

    /**
     * Ownership check that returns a Response rather than a bool so the denial
     * carries a message that authorize() / @can can surface to the caller.
     */
    public function update(User $user, Post $post): Response
    {
        $isOwner = $user->id === $post->user_id;

        if ($isOwner) {
            return Response::allow();
        }

        return Response::deny('You do not own this post.');
    }

    /** Same ownership rule as update, reported as a plain boolean. */
    public function delete(User $user, Post $post): bool
    {
        $isOwner = $user->id === $post->user_id;

        return $isOwner;
    }
}
// In controller:
// $this->authorize('update', $post);
// In Blade:
// @can('update', $post) ... @endcan