Categories:

Making Policy for Laravel Application Using Gates and Authorization

Authorization is a vital part of any application. Not every content or resources be accessed by every logged in users. We have to make sure the resources or the operations are to be executed by the authentic users, prevent them to access other user content being accessed.

To make sure we implement this on Laravel while creating web applications we have a very decent approach that is provided by Laravel. As depicted on the Laravel Doc,

In addition to providing authentication services out of the box, Laravel also provides a simple way to authorize user actions against a given resource. Like authentication, Laravel’s approach to authorization is simple, and there are two primary ways of authorizing actions: gates and policies.

We therefore here build a simple way to create a policy for your resource by just simple command and registering it with our provider. First we issue a command for creating a policy, Here is TaskPolicy is the name.

php artisan make:policy TaskPolicy

If we want a more specific policy to our model then it’s simple just, let’s say for Task Model.

php artisan make:policy TaskPolicy --model=Task

You will get a new file under appPoliciesTaskPolicy.php
Now we have to register to our app so that we let it know we have a policy. For that just goto appProvidersAuthServiceProvider.php and map your newly created policy to your model Task

// make sure this is at the top 
use App\Policies\TaskPolicy;
use AppTask;
protected $policies = [
Task::class => TaskPolicy::class,
];

Not let see our TaskPolicy file, you will see something like this

<?php 
namespace App\Policies\Policy;
use App\Task;
use App\User;
use IlluminateAuthAccessHandlesAuthorization; class TaskPolicy {
use HandlesAuthorization;

/** * Determine whether the user can view any tasks. * * AppUser $user * mixed */
public function viewAny(User $user) {
return false;
}/** * Determine whether the user can view the task. * * AppUser $user * AppTask $task * mixed */
public function view(User $user, Task $task) {
//
}
.......
}

For each resource action we can see the action and it will guard the request from the user to prevent unauthorized access. For example, to view the post only to the user who created and not others we modify the view method to this. We have two params User and Task. $user gives the currently logged in user object and $task object is the currently selected task via model (user dd for both to make sure what they are).

public function view(User $user, Task $task){ 
// check if current logged userid = task creator user
return $user->id == $task->user_id;
}

Now we have a policy we need to check this policy if the task model is viewed by the owner or not. This can be done via various ways as listed on the document but here let us do this by controller method. In your show method of TaskController.php (You controller file ), just use this

public function show(Task $task) { 
$this->authorize('view', $task);
// view is the method that is written on $task
return view('admin.task.show', [ 'task' => $task, ]);
}

That’s it, now the task can be viewed only by the created/owner. Now you can play it around with your own logic for each action. But remember to use make use of ‘authorize’. We can also do that from using Gates like this

return Gate::allows('view', $this->task);

or on your custom request

public function authorize(): bool { 
return Gate::allows('view', $this->task);
}

Finally authorization is implemented using policies and gates. Do try it on your applications.