Laravel - Authorization
Filter

Laravel - Authorization

by Soeng Souy /
Share

Laravel Authorization

Authorization is a crucial aspect of web applications, ensuring that users only access the parts of an application they are permitted to. Laravel provides a powerful and flexible authorization system using Gates and Policies. This guide will walk you through implementing authorization in Laravel 10/11.

1. What is Authorization in Laravel?

Authorization in Laravel is used to restrict access to resources based on user roles, permissions, or other conditions. Laravel offers two main methods for handling authorization:

  • Gates: Simple closures that determine if a user can perform an action.
  • Policies: Dedicated classes that group authorization logic for specific models.

2. Using Gates for Authorization

Step 1: Defining a Gate

Gates are typically defined in the App\Providers\AuthServiceProvider.php file inside the boot method:

use Illuminate\Support\Facades\Gate;
use App\Models\User;

public function boot()
{
    Gate::define('view-admin', function (User $user) {
        return $user->role === 'admin';
    });
}

Step 2: Using a Gate in a Controller

You can use the Gate::allows or Gate::denies methods in a controller:

if (Gate::allows('view-admin')) {
    // The user is an admin, grant access
} else {
    abort(403, 'Unauthorized action.');
}

Or use authorize inside a controller method:

public function adminDashboard()
{
    $this->authorize('view-admin');

    return view('admin.dashboard');
}

Step 3: Using Gates in Blade Templates

@can('view-admin')
    <a href="/admin">Admin Panel</a>
@endcan

3. Using Policies for Authorization

Step 1: Creating a Policy

Policies help organize authorization logic into separate classes. Create a policy for a model using:

php artisan make:policy PostPolicy

This will generate a policy file at app/Policies/PostPolicy.php.

Step 2: Registering a Policy

In App\Providers\AuthServiceProvider.php, register the policy:

use App\Models\Post;
use App\Policies\PostPolicy;

protected $policies = [
    Post::class => PostPolicy::class,
];

Step 3: Defining Policy Methods

Modify PostPolicy.php to define authorization logic:

use App\Models\User;
use App\Models\Post;

class PostPolicy
{
    public function update(User $user, Post $post)
    {
        return $user->id === $post->user_id;
    }

    public function delete(User $user, Post $post)
    {
        return $user->id === $post->user_id;
    }
}

Step 4: Using Policies in Controllers

public function update(Request $request, Post $post)
{
    $this->authorize('update', $post);

    // User is authorized to update the post
}

Step 5: Using Policies in Blade Templates

@can('update', $post)
    <a href="{{ route('posts.edit', $post) }}">Edit Post</a>
@endcan

4. Role-Based Authorization

To implement role-based authorization, modify your User model:

class User extends Authenticatable
{
    public function isAdmin()
    {
        return $this->role === 'admin';
    }
}

Then, use it in controllers or Blade templates:

if (auth()->user()->isAdmin()) {
    // Allow access
}

Blade directive:

@if(auth()->user()->isAdmin())
    <a href="/admin">Admin Panel</a>
@endif

5. Middleware for Authorization

Step 1: Creating a Middleware

You can create custom middleware to restrict access based on roles:

php artisan make:middleware AdminMiddleware

Modify app/Http/Middleware/AdminMiddleware.php:

use Closure;
use Illuminate\Http\Request;

class AdminMiddleware
{
    public function handle(Request $request, Closure $next)
    {
        if (!auth()->check() || auth()->user()->role !== 'admin') {
            abort(403, 'Unauthorized.');
        }

        return $next($request);
    }
}

Step 2: Register Middleware in Kernel

In app/Http/Kernel.php, add your middleware:

protected $routeMiddleware = [
    'admin' => \App\Http\Middleware\AdminMiddleware::class,
];

Step 3: Apply Middleware to Routes

In routes/web.php:

Route::middleware('admin')->group(function () {
    Route::get('/admin', function () {
        return view('admin.dashboard');
    });
});

6. API Authorization with Laravel Sanctum

For API authentication, Laravel Sanctum provides a lightweight solution.

Step 1: Install Sanctum

composer require laravel/sanctum

Step 2: Publish the Configuration

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrate

Step 3: Protect API Routes

Modify app/Http/Kernel.php:

protected $middlewareGroups = [
    'api' => [
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];

Step 4: Assign Tokens to Users

In your controller, grant API tokens:

public function login(Request $request)
{
    $user = User::where('email', $request->email)->first();

    if (!$user || !Hash::check($request->password, $user->password)) {
        return response()->json(['error' => 'Unauthorized'], 401);
    }

    $token = $user->createToken('API Token')->plainTextToken;

    return response()->json(['token' => $token]);
}

Step 5: Secure API Routes

In routes/api.php:

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

Conclusion

🎉 Congratulations! You now have a solid understanding of Laravel Authorization using Gates, Policies, Middleware, and Laravel Sanctum for APIs.

💬 Have any questions? Let us know in the comments!

Tag
Soeng Souy

Soeng Souy

Website that learns and reads, PHP, Framework Laravel, How to and download Admin template sample source code free.

Post a Comment

CAN FEEDBACK
close