mf

Gates and Policies in Laravel

Leave a Comment / By /

Today, we’re going to discuss the authorization system of the Laravel web framework. The Laravel framework implements authorization in the form of gates and policies. After an introduction to gates and policies, I’ll demonstrate the concepts by implementing a custom example.

I assume that you’re already aware of the built-in Laravel authentication system as that’s something essential in order to understand the concept of authorization. Obviously, the authorization system works in conjunction with the authentication system in order to identify the legitimate user session.

If you’re not aware of the Laravel authentication system, I would highly recommend going through the official documentation, which provides you with hands-on insight into the subject.

Laravel’s Approach to Authorization

By now, you should already know that the Laravel authorization system comes in two flavors—gates and policies. Although it may sound like a complicated affair, I would say it’s pretty easy to implement it once you get the hang of it!

Gates allow you to define an authorization rule using a simple closure-based approach. In other words, when you want to authorize an action that’s not related to any specific model, the gate is the perfect place to implement that logic.

Let’s have a quick look at what gate-based authorization looks like:

...
...
Gate::define('update-post', function ($user, $post) {
  return $user->id == $post->user_id;
});
...
...

The above snippet defines the authorization rule update-post that you could call from anywhere in your application.

On the other hand, you should use policies when you want to group the authorization logic of any model. For example, let’s say you have a Post model in your application, and you want to authorize the CRUD actions of that model. In that case, it’s the policy that you need to implement.

class PostPolicy
{
  public function view(User $user, Post $post) {}
  public function create(User $user) {}
  public function update(User $user, Post $post) {}
  public function delete(User $user, Post $post) {}
}

As you can see, it’s a pretty simple policy class that defines the authorization for the CRUD actions of the Post model.

So that was an introduction to gates and policies in Laravel. From the next section onwards, we’ll go through a practical demonstration of each element.

Gates

In this section, we’ll see a real-world example to understand the concept of gates.

More often than not, you end up looking at the Laravel service provider when you need to register a component or a service. Following that convention, let’s go ahead and define our custom gate in the app/Providers/AuthServiceProvider.php as shown in the following snippet.

 'AppPoliciesModelPolicy',
  ];

  /**
   * Register any authentication / authorization services.
   *
   * @return void
   */
  public function boot()
  {
    $this->registerPolicies();
    
    Gate::define('update-post', function ($user, $post) {
      return $user->id == $post->user_id;
    });
  }
}

In the boot method, we’ve defined our custom gate:

Gate::define('update-post', function ($user, $post) {
  return $user->id == $post->user_id;
});

While defining a gate, it takes a closure that returns either TRUE or FALSE based on the authorization logic that’s defined in the gate definition. Apart from the closure function, there are other ways you could define gates.

For example, the following gate definition calls the controller action instead of the closure function.

Gate::define('update-post', 'ControllerName@MethodName');

Now, let’s go ahead and add a custom route so that we can go through a demonstration of how gate-based authorization works. In the routes file routes/web.php, let’s add the following route.

Route::get('service/post/gate', 'PostController@gate');

Let’s create an associated controller file app/Http/Controllers/PostController.php as well.



In most cases, you'll end up using either the allows or denies method of the Gate facade to authorize a certain action. In our example above, we've used the allows method to check if the current user is able to perform the update-post action.


Users with sharp eyes would have noticed that we've only passed the second argument $post to the closure. The first argument, the current logged-in user, is automatically injected by the Gate facade.


So that's how you're supposed to use gates to authorize actions in your Laravel application. The next section is all about how to use policies, should you wish to implement authorization for your models.


Policies


As we discussed earlier, when you want to logically group your authorization actions for any particular model or resource, it's the policy you're looking for.


In this section, we'll create a policy for the Post model that will be used to authorize all the CRUD actions. I assume that you've already implemented the Post model in your application; otherwise, something similar will do.


The Laravel artisan command is your best friend when it comes to creating stubbed code. You can use the following artisan command to create a policy for the Post model.


$php artisan make:policy PostPolicy --model=Post


As you can see, we've supplied the --model=Post argument so that it creates all the CRUD methods. In the absence of that, it'll create a blank Policy class. You can locate the newly created Policy class at app/Policies/PostPolicy.php.


Let's replace it with the following code.


id > 0;
  }

  /**
   * Determine whether the user can update the post.
   *
   * @param  AppUser  $user
   * @param  AppPost  $post
   * @return mixed
   */
  public function update(User $user, Post $post)
  {
    return $user->id == $post->user_id;
  }

  /**
   * Determine whether the user can delete the post.
   *
   * @param  AppUser  $user
   * @param  AppPost  $post
   * @return mixed
   */
  public function delete(User $user, Post $post)
  {
    return $user->id == $post->user_id;
  }
}


To be able to use our Policy class, we need to register it using the Laravel service provider as shown in the following snippet.


 'AppPoliciesModelPolicy',
    Post::class => PostPolicy::class
  ];

  /**
   * Register any authentication / authorization services.
   *
   * @return void
   */
  public function boot()
  {
    $this->registerPolicies();
  }
}


We've added the mapping of our Policy in the $policies property. It tells Laravel to call the corresponding policy method to authorize the CRUD action.


You also need to register the policies using the registerPolicies method, as we've done in the boot method.


Moving further, let's create a couple of custom routes in the routes/web.php file so that we can test our Policy methods there.


Route::get('service/post/view', 'PostController@view');
Route::get('service/post/create', 'PostController@create');
Route::get('service/post/update', 'PostController@update');
Route::get('service/post/delete', 'PostController@delete');


Finally, let's create an associated controller at app/Http/Controllers/PostController.php.


can('view', $post)) {
      echo "Current logged in user is allowed to update the Post: {$post->id}";
    } else {
      echo 'Not Authorized.';
    }
  }

  public function create()
  {
    // get current logged in user
    $user = Auth::user();

    if ($user->can('create', Post::class)) {
      echo 'Current logged in user is allowed to create new posts.';
    } else {
      echo 'Not Authorized';
    }

    exit;
  }

  public function update()
  {
    // get current logged in user
    $user = Auth::user();

    // load post
    $post = Post::find(1);

    if ($user->can('update', $post)) {
      echo "Current logged in user is allowed to update the Post: {$post->id}";
    } else {
      echo 'Not Authorized.';
    }
  }

  public function delete()
  {
    // get current logged in user
    $user = Auth::user();
    
    // load post
    $post = Post::find(1);
    
    if ($user->can('delete', $post)) {
      echo "Current logged in user is allowed to delete the Post: {$post->id}";
    } else {
      echo 'Not Authorized.';
    }
  }
}


There are different ways you could authorize your actions using Policies. In our example above, we’ve used the User model to authorize our Post model actions.


The User model provides two useful methods for authorization purposes—can and cant. The can method is used to check if the current user is able to execute a certain action. And the counterpart of the can method, the cant method, is used to determine the inability of the action execution.


Let’s grab the snippet of the view method from the controller to see what exactly it does.


public function view()
{
  // get current logged in user
  $user = Auth::user();
  
  // load post
  $post = Post::find(1);
  
  if ($user->can('view', $post)) {
    echo "Current logged in user is allowed to update the Post: {$post->id}";
  } else {
    echo 'Not Authorized.';
  }
}


Firstly, we load the currently logged-in user, which gives us the object of the User model. Next, we load an example post using the Post model.


Moving ahead, we’ve used the can method of the User model to authorize the view action of the Post model. The first argument of the can method is the action name that you want to authorize, and the second argument is the model object that you want to get authorized against.


That was a demonstration of how to use the User model to authorize the actions using policies. Alternatively, you could use the Controller Helper as well, if you’re in the controller while authorizing a certain action.


…
$this->authorize('view', $post);
…


As you can see, you don’t need to load the User model if you use the Controller Helper.


So that was the concept of policies at your disposal, and it’s really handy while authorizing a model or a resource as it allows you to group the authorization logic in one place.


Just make sure that you don’t use gates and policies altogether for the same actions of the Model, otherwise it’ll create issues. That’s it from my side for today, and I’ll call it a day!


Conclusion


Today, it was Laravel authorization that took the center stage in my article. At the beginning of the article, I introduced the main elements of Laravel authorization, gates and policies.


Following that, we went through creating our custom gate and policy to see how it works in the real world. I hope you’ve enjoyed the article and learned something useful in the context of Laravel.


For those of you who are either just getting started with Laravel or looking to expand your knowledge, site, or application with extensions, we have a variety of things you can study on Envato Market.


As always, I would love to hear from you in the form of comments using the feed below!

Powered by WPeMatico

Leave a Comment

Kate has been so helpful, patient with our constant changes and so professional in all respects. Many thanks and very done!
Club de Golf Javea
Club de Golf JaveaWebsite Redesign
Kate is the person to go to in regards to these matters. Had a lot of problems with my website, errors, payment issues and more. Every problem was resolved quickly and professionally and cannot recommend Kate's company highly enough. Personal and responsive service. 5 Stars!
WowVac Pro
WowVac ProE-Commerce Configuration
Best Developer in Spain! Outstanding web services no matter where you are in the world. Great support and attention to detail. Kate is a real life developer. She can work across multiple platforms and understands the technology your company is using on a line to line basis.
Favicon
Pure Organic CBDWeb development and support
Professional and rapid support for the development and ongoing maintenance of our business website. Nothing too much trouble. Highly recommended.
Cafeciclistalogo
Cafe CiclistaWeb maintenance
Superb service very professional and quick very responsive I was kept informed and consulted throughout the entire process.
Partnerchipz Black
Paul JacksonWeb design & Development
Kate Langshaw of Medianic is awesomely recommended by us for all your website needs. Kate translated our story and brand into an elegant, transparent and to the point representation of CaffèMilano -The Italian Coffee House.
CaffèMilano
CaffèMilanoWeb design and Development
Absolute Class service from Start to finish, nothing is too much hassle for them and will recommend to everybody looking to update or have their website designed by the Amazing Kate Langshaw
Dragon Insure
Dragon InsureWeb design and Development
I have to say that my experience with Medianic has been different to any previous. I have been constantly kept up to date, communication has been fluid, and we had no down time at all.
Dr Banuls
Dr BanulsWeb Hosting
I’m very happy about Kate’s work! Recommend her services to everybody. Looking for a good website builder/designer? Look no further and contact Medianic.
Voice Productions
Voice ProductionsWeb development
On Behalf of all at the Marina Alta Classic Car Club I would like to thank Kate for the wonderful work she did in Kick starting our Club website this year. I can highly recommend her. Thanks Kate
Marina Alta Car Club
Marina Alta Car ClubWeb Design
Excellent knowledge and service, competitive pricing too. Definitely a solid go to company. Thanks for the great results we’ve had
Jim JimneyDesign and Branding
Totally reliable, totally capable and totally delivers. I’m loving working with Kate to help grow my business. I’m full of motivation because of you Kate
Javea Blinds
Javea BlindsWeb Design
I cannot praise Medianic enough. They have built the Javea Connect website quickly and efficiently, taught and old dog new tricks and have been there for me, sometimes within minutes, when I needed help. Excellent service and very very competitively priced. Highly recommended for both website and design work. Kate is to be congratulated on such a high standard of work and customer loyalty.
Javea Connect
Javea ConnectWeb Design & Development
Medianic has done a outstanding job in creating our company website in such a short time at unbeatable prices, rovtec marine services recommended Medianic for their superior skill in Web design, thank you outstanding job!
Rovtech
RovtechWeb Design
The only thing that beat the quality of the work Medianic did for us was how quick and responsive they were whenever we had feedback or needed something extra. Would highly recommend.
Poker Encore
Poker EncoreCustom Programming
Previous
Next

Thank you!

For your kind words...
Scroll to Top