ashrakt

Authorization in Laravel

What Is Authorization?
First, think about a website with different types of users, like a regular user and an admin. Authorization is the system that checks what a logged-in user is allowed to do.
Authorization happens after a user has already logged in and been authenticated (proven who they are).

In Laravel, authorization is the process of determining if a user has permission to perform a specific action.

Laravel provides two main tools for this: Gates and Policies.

1) Gates are the simplest way to check a user's permissions. They are perfect for general permissions that don't relate to a specific data item (model). For example, checking if a user is an "admin" or "editor".

I- Define the Gate
Open app/Providers/AuthServiceProvider.php and define the gate inside the boot() method (on Laravel 11 and later the skeleton no longer ships an AuthServiceProvider; the same Gate::define call goes in AppServiceProvider::boot()). A gate is a named closure that receives the currently authenticated user and returns true or false.

In this example the gate is named access-admin-panel, and its closure checks whether the user's is_admin attribute is true. Because the closure type-hints a non-nullable User, an unauthenticated visitor never reaches it and the check simply fails; declare the parameter as ?User only if a gate should also answer for guests.


II- Use the Gate
You can check the gate anywhere in your application, for example in a controller, in a route's middleware, or in a Blade view.

In a controller, Gate::allows('access-admin-panel') (or its negation Gate::denies) returns a boolean you can branch on, while Gate::authorize('access-admin-panel') throws an AuthorizationException, which Laravel renders as an HTTP 403, when the check fails. In Blade, @can('access-admin-panel') ... @endcan only hides markup; it is a convenience for the UI, not a security control. The server-side check in the controller or the can:access-admin-panel route middleware is what actually protects the action.

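The two steps above as one worked example. This is added code, not code from the original post: it assumes a boolean is_admin column on the users table and an AdminController, both of which are placeholders.

```php
<?php
// Added example, not from the original post. Assumes a boolean `is_admin`
// column on `users` and an `AdminController`; both are placeholders.

// --- app/Providers/AuthServiceProvider.php (Laravel 10 and earlier;
// --- on Laravel 11+ put the same Gate::define call in AppServiceProvider::boot())
namespace App\Providers;

use App\Models\User;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Named closure: receives the authenticated user and returns bool.
        // A guest never reaches the closure (the gate denies) because the
        // User parameter is not nullable.
        Gate::define('access-admin-panel', function (User $user): bool {
            // Cast: without a 'boolean' cast on the model, MySQL returns 1/0.
            return (bool) $user->is_admin;
        });
    }
}

// --- app/Http/Controllers/AdminController.php
namespace App\Http\Controllers;

use Illuminate\Contracts\View\View;
use Illuminate\Support\Facades\Gate;

class AdminController extends Controller
{
    public function index(): View
    {
        // Either branch on the boolean and build your own response ...
        if (Gate::denies('access-admin-panel')) {
            abort(403, 'Admins only.');
        }

        // ... or let Laravel throw AuthorizationException (HTTP 403).
        // One of the two is enough; both are shown for comparison.
        Gate::authorize('access-admin-panel');

        return view('admin.dashboard');
    }
}

// --- routes/web.php: enforce the gate before the controller even runs.
use App\Http\Controllers\AdminController;
use Illuminate\Support\Facades\Route;

Route::get('/admin', [AdminController::class, 'index'])
    ->middleware(['auth', 'can:access-admin-panel']);

// --- Blade (resources/views/layouts/nav.blade.php): hides the link only.
// --- The route/controller check above is what protects the page.
// @can('access-admin-panel') <a href="/admin">Admin panel</a> @endcan
```

The sections are separate files, marked by the file comments. Putting the gate on the route as can:access-admin-panel means a forgotten check inside the controller cannot silently expose the page; the controller-level check is still useful when only some actions of a controller are restricted.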

2) Policies
Policies are used for more specific permissions that are tied to a particular data model. They are the best way to manage permissions for actions like "updating a post" or "deleting a post".

Let's say you want to allow a user to only update the posts they have created themselves.

I- Create the Policy:
Use the Artisan command to create a policy for your Post model.

php artisan make:policy PostPolicy --model=Post

This command creates a new file at app/Policies/PostPolicy.php with stub methods for the standard abilities: viewAny, view, create, update, delete, restore and forceDelete. Each receives the User and (for the model-specific ones) the Post instance.


II- Write the Policy Logic:
In PostPolicy.php, add your logic to the update method to check whether the user is the owner of the post.

The update method receives the User and the Post and returns true only if the user's id matches the post's user_id. Use a strict comparison (===) so the check does not depend on PHP's loose type juggling.


III- Register the Policy:

Tell Laravel to use this policy for the Post model in the $policies array of app/Providers/AuthServiceProvider.php. Laravel also auto-discovers policies that follow the naming convention (App\Models\Post maps to App\Policies\PostPolicy), so the explicit entry is only required when your model or policy lives somewhere else; on Laravel 11 and later, which has no AuthServiceProvider, register such a policy with Gate::policy(Post::class, PostPolicy::class) in AppServiceProvider::boot().


IV- Use the Policy:

-In a Controller:

  • If the policy returns true, the request proceeds and the controller continues with the update.

  • If it returns false, Laravel throws an AuthorizationException, which is rendered as an HTTP 403 response (a JSON 403 for API requests). The check must be made against the specific Post instance resolved from the route, and before any write to it.


Spatie Laravel Permission package (spatie/laravel-permission). Reach for it when:

  • You need to manage different user roles (admin, editor, subscriber) and assign permissions to those roles.

  • You have many permissions (create posts, edit posts, delete posts, publish posts, unpublish posts) and encoding them in a Policy becomes repetitive. The package defines and stores these permissions in the database, making them easier to add, remove, and assign.

  • Your application must let an admin create and manage custom roles and permissions through a user interface. Policies are PHP classes whose rules are hard-coded and must be changed by a developer. The package keeps roles and permissions in database tables, so they can be managed at runtime without touching code. Policies and the package are not exclusive: a policy method can combine an ownership check with a database permission.
    ---------------------------------------------

How to use it:

I- Install the Package

  • composer require spatie/laravel-permission

After the package is installed, publish the migration file and run it to create the necessary database tables. Running the vendor:publish command without the --tag option also publishes the package's config file to config/permission.php.

  • php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider" --tag="permission-migrations"

  • php artisan migrate

This will create new tables:

  • permissions: This table stores all your permissions (e.g., edit posts, delete users).

  • roles: This table stores all your roles (e.g., admin, writer, subscriber).

  • model_has_permissions: This is a pivot table that links users (or other models) directly to permissions. This allows you to give a user a permission without assigning them a role.

  • model_has_roles: This is a pivot table that links users to roles. A user can have many roles, and a role can be assigned to many users.

  • role_has_permissions: This is a pivot table that links roles to permissions. It allows a role to have many permissions and a permission to be assigned to many roles.


II- Prepare the User Model
Open the app/Models/User.php file and add the HasRoles trait.


III- Create Roles and Permissions
Next, create your roles and permissions. A seeder is the usual place for this, because it can be re-run on every environment.

Run this command to make a seeder:

  • php artisan make:seeder RolesAndPermissionsSeeder

Open the new seeder file at database/seeders/RolesAndPermissionsSeeder.php and add your code to create roles like admin and permissions like edit posts.

After you write the code, run the seeder:

  • php artisan db:seed --class=RolesAndPermissionsSeeder

After seeding, the permissions, roles and role_has_permissions tables contain the rows the seeder created (the original post shows screenshots of these three tables here). The package caches permissions and roles, so if you ever insert or change rows by hand rather than through the package's own methods, run php artisan permission:cache-reset afterwards, or the old values will keep being used.
