Laravel Permissions through Policies

Laravel Permissions through Policies

Implementing Permissions in Laravel through Policies

This article is about implementing laravel permissions through Policies but I you want to implement permissions by gates then must read the article how to implement permissions through gates and You can read the article Custom implementation of Laravel roles and permissions if you wish to implement your own custom roles and permissions.

If you are building small application or big enterprise application roles and permissions are vital part of the application. For example if you are building a blog and you have two roles like editor and admin, it is easy to implement it by considering just a variable and checking that variable on login to permit a user to certain action but the problems is as your application will go bigger roles will increase like publisher, user, reviewer etc As a result, it is a good practise to implement it through permissions, and Laravel has a great way of doing so in the form of Gates and Policies.

One significant distinction between Gates and Policies is that Gates are used for individual permissions and Policies are used for group rights. Whether you use Gates or Policies relies entirely on your circumstances.

For example if you have a model Article and you want to give separate permissions to read, update, delete and save the article to some user.

From the Laravel Docs, you can learn more about the policies. So, we’ll make a policy like follows:

php artisan make:policy ArticlePolicy

The make:policy command creates a policy class that is empty. If you want to produce a class that includes example policy methods for viewing, creating, updating, and deleting the resource, use the —model option when running the command:

php artisan make:policy ArticlePolicy --model=Article

The policy class must be registered after it has been constructed. We may tell Laravel the policy to employ when authorising operations against a certain model type by registering policies.

A policies property in the AppProvidersAuthServiceProvider supplied with new Laravel apps translates your Eloquent models to their respective policies. When allowing actions against a specific Eloquent model, registering a policy tells Laravel the policy to use:

<?php
namespace App\Providers;
use App\Models\Article;
use App\Policies\ArticlePolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;
class AuthServiceProvider extends ServiceProvider
{
    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
        Post::class => ArticlePolicy::class,
    ];
    /**
     * Register any application authentication / authorization services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();
        //
    }
}

A permission for a user to update an article is currently being implemented. In the Article model, you’ll have a user id foreign key, which we’ll utilise to register rules as,

<?php
namespace App\Policies;
use App\Models\Article;
use App\Models\User;
class PostPolicy
{
    /**
     * Determine if the given post can be updated by the user.
     *
     * @param  \App\Models\User  $user
     * @param  \App\Models\Post  $post
     * @return bool
     */
    public function update(User $user, Article $article)
    {
        return $user->id === $article->user_id;
    }
}

For the numerous actions it permits, you can continue to define new methods on the policy as needed. You could, for example, construct view or delete ways to authorise specific Article-related operations, but keep in mind that you can name your policy methods whatever you like.

There are a several methods to use policies, but we’ll start with the most simple. In your ArticleController’s edit and update function, write the following code as follows:

    
    public function update(Article $article)
    {
        $this->authorize('update', $article);
        // The current user can update the blog post...
    }
    
    public function update(Request $request, Article $article)
    {
        $this->authorize('update', $article);
        // The current user can update the blog post...
    }

You can read more about policies as there are so many more options worth reading.

Follow us TwitterFacebookLinkedIn

Open Source Listing

Previous Post
Next Post

Comments

Laravel Permissions through Gates - Open Source Listing

[…] If you want to implement roles and permissions through Policies then read this article. […]

Leave a Reply