Laravel Policies

What are Policies?

Policies in Laravel are classes that organize authorization logic around a particular model or resource.

They are similar to Gates, but while Gates are for simple checks, Policies are for model-based authorization (e.g., can a user update a specific post, delete a comment, or view a profile).


Why Use Policies?

  • Keep authorization logic clean and organized.
  • Tie authorization rules directly to models.
  • Easier to manage complex permissions.
  • Works with controllers, routes, and views using authorize() and @can.

Creating a Policy

You can create a policy with Artisan:

php artisan make:policy PostPolicy --model=Post
  • PostPolicy → The name of the Policy class.
  • --model=Post → Links the policy to the Post model.

This will generate a file at: app/Policies/PostPolicy.php


Example of a Policy (PostPolicy)

namespace App\Policies;

use App\Models\User;
use App\Models\Post;

class PostPolicy
{
  // Can the user view a post?
  public function view(User $user, Post $post)
  {
    return true; // Anyone can view
  }

  // Can the user create posts?
  public function create(User $user)
  {
    return $user->role === 'author';
  }

  // Can the user update a post?
  public function update(User $user, Post $post)
  {
    return $user->id === $post->user_id;
  }

  // Can the user delete a post?
  public function delete(User $user, Post $post)
  {
    return $user->id === $post->user_id;
  }
}



Registering Policies

  • In older versions, gates were defined in App\Providers\AuthServiceProvider.
  • In Laravel 12, you can still use AuthServiceProvider or define inside separate service providers.
  • Open app/Providers/AuthServiceProvider.php and register your policies (or gates) in the boot() method. If the file does not exist, create the provider manually with:
php artisan make:provider AuthServiceProvider


AuthServiceProvider (app/Providers/AuthServiceProvider.php)

namespace App\Providers;

use App\Models\Post;
use App\Policies\PostPolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
  protected $policies = [
    Post::class => PostPolicy::class,
  ];

  public function boot(): void
  {
    // Automatically registers policies
  }
}

Using Policies

The $this->authorize() method checks the matching policy method. If the check fails, the request is rejected with a 403 (Forbidden) response instead of running the rest of the controller action.


1. In Controllers

namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;

class AuthController extends Controller
{
    use AuthorizesRequests;

    public function update(Request $request, Post $post)
    {
      $this->authorize('update', $post); // Uses PostPolicy@update; aborts with 403 when denied
      $post->update($request->all());    // Relies on Post::$fillable to keep fields like user_id out of mass assignment
      return redirect()->back()->with('success', 'Post updated');
    }
}


2. In Blade Views

@can('update', $post)
    <a href="{{ route('posts.edit', $post) }}">Edit Post</a>
@endcan

@cannot('delete', $post)
    <p>You cannot delete this post.</p>
@endcannot

Policy Methods (Common)

  • viewAny → Check if a user can view any records.
  • view → Check if a user can view a specific record.
  • create → Check if a user can create records.
  • update → Check if a user can update a specific record.
  • delete → Check if a user can delete a specific record.
  • restore → Check if a user can restore a deleted record.
  • forceDelete → Check if a user can permanently delete a record.
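As an added example (not code from the original page), here is a PostPolicy that implements every method in the list above and adds a before() hook for an admin override. The is_admin and published attributes and the SoftDeletes trait on Post are assumptions, not part of the page.

```php
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

// Assumed (not from the page): users.is_admin (bool) and posts.published (bool)
// columns, and Post using the SoftDeletes trait so restore/forceDelete apply.
class PostPolicy
{
    // Runs before every ability. true = grant, null = fall through to the
    // specific method below. Returning false here would deny everything.
    public function before(User $user, string $ability): ?bool
    {
        return $user->is_admin ? true : null;
    }

    public function viewAny(User $user): bool
    {
        return true; // any logged-in user may see the listing
    }
    // ?User lets guests through: Laravel passes null only when the parameter
    // is nullable; otherwise guests are denied before the method runs.
    public function view(?User $user, Post $post): bool
    {
        return $post->published || ($user !== null && $user->id === $post->user_id);
    }
    public function create(User $user): bool
    {
        return $user->role === 'author';
    }
    // Ownership is taken from the loaded model, never from request input.
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }
    public function delete(User $user, Post $post): bool
    {
        return $this->update($user, $post);
    }
    public function restore(User $user, Post $post): bool
    {
        return $this->update($user, $post);
    }
    public function forceDelete(User $user, Post $post): bool
    {
        return false; // only admins, via before()
    }
}
```

In a controller, $this->authorize('restore', $post) and $this->authorize('forceDelete', $post) now map to these methods the same way 'update' does above.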

© Copyright 2024 www.whereisstuff.com. All rights reserved. Developed by whereisstuff Tech.