Gates and Policies in Laravel

Today, we’re going to discuss the authorization system of the Laravel web framework. The Laravel framework implements authorization in the form of gates and policies. After an introduction to gates and policies, I’ll demonstrate the concepts by implementing a custom example.

I assume that you’re already familiar with the built-in Laravel authentication system, as it’s essential to understanding the concept of authorization. The authorization system works in conjunction with the authentication system, which identifies the legitimate user session.

If you’re not aware of the Laravel authentication system, I would highly recommend going through the official documentation, which provides you with hands-on insight into the subject.

Laravel’s Approach to Authorization

By now, you should already know that the Laravel authorization system comes in two flavors—gates and policies. Although it may sound like a complicated affair, I would say it’s pretty easy to implement it once you get the hang of it!

Gates allow you to define an authorization rule using a simple closure-based approach. In other words, when you want to authorize an action that’s not related to any specific model, the gate is the perfect place to implement that logic.

Let’s have a quick look at what gate-based authorization looks like:

The above snippet defines the authorization rule update-post that you could call from anywhere in your application.

On the other hand, you should use policies when you want to group the authorization logic of any model. For example, let’s say you have a Post model in your application, and you want to authorize the CRUD actions of that model. In that case, it’s the policy that you need to implement.

As you can see, it’s a pretty simple policy class that defines the authorization for the CRUD actions of the Post model.

So that was an introduction to gates and policies in Laravel. From the next section onwards, we’ll go through a practical demonstration of each element.


In this section, we’ll see a real-world example to understand the concept of gates.

More often than not, you end up looking at the Laravel service provider when you need to register a component or a service. Following that convention, let’s go ahead and define our custom gate in the app/Providers/AuthServiceProvider.php as shown in the following snippet.

In the boot method, we’ve defined our custom gate:

A gate definition takes a closure that returns either TRUE or FALSE based on the authorization logic it contains. Apart from a closure, there are other ways to define gates.

For example, the following gate definition calls the controller action instead of the closure function.

Now, let’s go ahead and add a custom route so that we can go through a demonstration of how gate-based authorization works. In the routes file routes/web.php, let’s add the following route.

Let’s create an associated controller file app/Http/Controllers/PostController.php as well.
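
The gate walkthrough above (provider, route, controller), written out as an added example that is not the article's own code. The App\Models\User and App\Models\Post classes, the user_id column, the edit action, the route URI and the JSON response are assumptions; the listing is condensed into one file for reading.

```php
<?php
// Added example; each namespace block belongs in the file named above it.

// app/Providers/AuthServiceProvider.php
namespace App\Providers {
    use App\Models\Post; // assumed model with a user_id column
    use App\Models\User; // assumed authenticatable model
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
    use Illuminate\Support\Facades\Gate;

    class AuthServiceProvider extends ServiceProvider
    {
        public function boot(): void
        {
            $this->registerPolicies();
            // Only the post's owner passes. A guest is denied before the closure
            // runs; the casts keep the strict comparison valid for string ids.
            Gate::define('update-post', function (User $user, Post $post): bool {
                return (int) $user->id === (int) $post->user_id;
            });
        }
    }
}

// app/Http/Controllers/PostController.php
namespace App\Http\Controllers {
    use App\Models\Post;
    use Illuminate\Support\Facades\Gate;

    class PostController extends Controller
    {
        public function edit(Post $post)
        {
            // Enforce the gate on the server for every request: 403 on denial.
            if (Gate::denies('update-post', $post)) {
                abort(403);
            }
            return response()->json(['post' => $post->id, 'editable' => true]);
        }
    }
}

// routes/web.php (assumed URI; the auth middleware rejects guests up front)
namespace {
    use App\Http\Controllers\PostController;
    use Illuminate\Support\Facades\Route;

    Route::get('/posts/{post}/edit', [PostController::class, 'edit'])->middleware('auth');
}
```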
