Laravel Policies
What are Policies?
Policies in Laravel are classes that organize authorization logic around a particular model or resource.
They are similar to Gates, but while Gates are for simple checks, Policies are for model-based authorization (e.g., can a user update a specific post, delete a comment, or view a profile).
Why Use Policies?
- Keep authorization logic clean and organized.
- Tie authorization rules directly to models.
- Easier to manage complex permissions.
- Works with controllers, routes, and views using authorize() and @can.
Creating a Policy
You can create a policy with Artisan:
php artisan make:policy PostPolicy --model=Post
- PostPolicy → The name of the Policy class.
- --model=Post → Links the policy to the Post model.
This will generate a file at: app/Policies/PostPolicy.php
Example of a Policy (PostPolicy)
namespace App\Policies;
use App\Models\User;
use App\Models\Post;
class PostPolicy
{
// Can the user view a post?
public function view(User $user, Post $post)
{
return true; // Anyone can view
}
// Can the user create posts?
public function create(User $user)
{
return $user->role === 'author';
}
// Can the user update a post?
public function update(User $user, Post $post)
{
return $user->id === $post->user_id;
}
// Can the user delete a post?
public function delete(User $user, Post $post)
{
return $user->id === $post->user_id;
}
}
Registering Policies
- In older versions, gates were defined in App\Providers\AuthServiceProvider.
- In Laravel 12, you can still use AuthServiceProvider or define them inside separate service providers.
- Open app/Providers/AuthServiceProvider.php and add gates in the boot() method. If the file does not exist, create it manually with:
php artisan make:provider AuthServiceProvider
AuthServiceProvider (app/Providers/AuthServiceProvider.php)
namespace App\Providers;
use App\Models\Post;
use App\Policies\PostPolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
class AuthServiceProvider extends ServiceProvider
{
protected $policies = [
Post::class => PostPolicy::class,
];
public function boot(): void
{
// Automatically registers policies
}
}
Using Policies
$this->authorize() checks the matching policy method; if it returns false, the request is aborted with a 403 (Forbidden) response.
1. In Controllers
namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;

class AuthController extends Controller
{
    use AuthorizesRequests;

    public function update(Request $request, Post $post)
    {
        // Calls PostPolicy::update($user, $post); throws an
        // AuthorizationException (rendered as 403) when it returns false
        $this->authorize('update', $post);

        // Mass assignment: only attributes listed in Post::$fillable are written
        $post->update($request->all());

        return redirect()->back()->with('success', 'Post updated');
    }
}
2. In Blade Views
@can('update', $post)
<a href="{{ route('posts.edit', $post) }}">Edit Post</a>
@endcan
@cannot('delete', $post)
<p>You cannot delete this post.</p>
@endcannot
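Because route-model binding loads any Post whose id appears in the URL, the policy's owner check is the only thing stopping one user from editing another user's post. The following PHPUnit test is an added example, not part of the original page: it drives PostPolicy through the Gate facade and pins down that behaviour. It assumes the PostPolicy shown above is registered (or auto-discovered) and that User and Post are the page's Eloquent models; the models are built in memory with forceFill, so no database is needed.

```php
<?php
// Added example: verifies the PostPolicy from the page via Gate::forUser().
namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Tests\TestCase;

class PostPolicyTest extends TestCase
{
    // forceFill bypasses $fillable so id/role can be set without touching a DB
    private function user(int $id, string $role = 'reader'): User
    {
        return (new User())->forceFill(['id' => $id, 'role' => $role]);
    }

    private function postOwnedBy(int $userId): Post
    {
        return (new Post())->forceFill(['id' => 10, 'user_id' => $userId]);
    }

    public function test_owner_can_update_and_delete(): void
    {
        $owner = $this->user(1);
        $post  = $this->postOwnedBy(1);

        $this->assertTrue(Gate::forUser($owner)->allows('update', $post));
        $this->assertTrue(Gate::forUser($owner)->allows('delete', $post));
    }

    public function test_non_owner_is_denied_even_with_a_valid_post_id(): void
    {
        // A different user, even one with the 'author' role, must be refused
        $other = $this->user(2, 'author');
        $post  = $this->postOwnedBy(1);

        $this->assertFalse(Gate::forUser($other)->allows('update', $post));
        $this->assertTrue(Gate::forUser($other)->denies('delete', $post));
    }

    public function test_only_authors_can_create(): void
    {
        // For 'create' there is no model instance, so the class name is passed
        $this->assertTrue(Gate::forUser($this->user(3, 'author'))->allows('create', Post::class));
        $this->assertFalse(Gate::forUser($this->user(4, 'reader'))->allows('create', Post::class));
    }
}
```

Run it with php artisan test; if someone later relaxes the comparison in PostPolicy::update, the second test fails instead of the change shipping silently.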
Policy Methods (Common)
- viewAny → Check if a user can view any records.
- view → Check if a user can view a specific record.
- create → Check if a user can create records.
- update → Check if a user can update a specific record.
- delete → Check if a user can delete a specific record.
- restore → Check if a user can restore a deleted record.
- forceDelete → Check if a user can permanently delete a record.