What Is Authorization?
First, think about a website with different types of users, like a regular user and an admin. Authorization is the system that checks what a logged-in user is allowed to do.
Authorization happens after a user has already logged in and been authenticated (proven who they are).
In Laravel, authorization is the process of determining if a user has permission to perform a specific action.
Laravel provides two main tools for this: Gates and Policies.
1) Gates are the simplest way to check a user's permissions. They are perfect for general permissions that don't relate to a specific data item (model). For example, checking if a user is an "admin" or "editor".
I- How to Use a Gate
Open the app/Providers/AuthServiceProvider.php file and define your gate inside the boot() method.
You define a Gate in your app/Providers/AuthServiceProvider.php file. It's a simple function that returns true or false.
Here, access-admin-panel is the name of the gate, and the function inside checks if the user's is_admin property is true.
II- Use the Gate
You can use the gate anywhere in your application, like in a Controller or a Blade view.
In a Controller:
2) Policies
Policies are used for more specific permissions that are tied to a particular data model. They are the best way to manage permissions for actions like "updating a post" or "deleting a post".
Let's say you want to allow a user to only update the posts they have created themselves.
I- Create the Policy:
Use the Artisan command to create a policy for your Post model.
php artisan make:policy PostPolicy --model=Post
This command creates a new file at app/Policies/PostPolicy.php with built-in methods like view, create, update, and delete.
II- Write the Policy Logic:
In PostPolicy.php, add your logic to the update method to check if the user is the owner of the post.
The update method receives the User and the Post, returns true only if the user's ID matches the post's user_id.
III- Register the Policy:
Tell Laravel to use this policy for the Post model in app/Providers/AuthServiceProvider.php.
IIII- Use the Policy:
-In a Controller:
- if the policy return true
- if return false
Spatie Laravel Permission package:
If you need to manage different user roles (admin, editor, subscriber,...) and assign permissions to those roles.
When you have many permissions (create posts, edit posts, delete posts, publish posts, unpublish posts), managing them in a Policy becomes repetitive. Packages allow you to define and manage these permissions in the database, making them easier to add, remove, and assign.
If your application needs to allow an admin to create and manage custom roles and permissions through a user interface, a package is a must. Policies are static PHP classes that must be updated manually by a developer. A package stores all permissions in the database, allowing for dynamic management without touching the code.
---------------------------------------------
how to use:
I- Install the Package
- composer require spatie/laravel-permission
After the package is installed, you need to publish the migration file and run it to create the necessary database tables.
php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider" --tag="permission-migrations"
php artisan migrate
This will create new tables:
permissions: This table stores all your permissions (e.g., edit posts, delete users).
roles: This table stores all your roles (e.g., admin, writer, subscriber).
model_has_permissions: This is a pivot table that links users directly to permissions. This allows you to give a user a permission without assigning them a role.
model_has_roles: This is a pivot table that links users to roles. A user can have many roles, and a role can be assigned to many users.
role_has_permissions: This is a pivot table that links roles to permissions. It allows a role to have many permissions and a permission to be assigned to many roles.
II- Prepare the User Model
Open the app/Models/User.php file and add the HasRoles trait.
III- Create Roles and Permissions
you need to create your roles and permissions. You can do this with a seeder file.
Run this command to make a seeder:
- php artisan make:seeder RolesAndPermissionsSeeder
Open the new seeder file at database/seeders/RolesAndPermissionsSeeder.php and add your code to create roles like admin and permissions like edit posts.
After you write the code, run the seeder:
- php artisan db:seed --class=RolesAndPermissionsSeeder
-permissions table
-roles table
-role_has_permissions table
-model_has_roles table
IIII- Use Permissions in Your API
Go to your routes/api.php file. You can protect a route by adding the permission or role middleware. This middleware checks the user's permissions before the code even runs.
The 'auth:sanctum' part makes sure the user is logged in first. The 'permission:...' part then checks if they have the right to do that action.
you need to register the role and permission middleware aliases.
Open the app/Http/Kernel.php file in your project.
Find the $middlewareAliases array.
Add the following two lines to the array. They link the middleware aliases to the correct classes from the Spatie package.
if user writer :
if admin :
You can also check permissions inside controller.
If the authenticated user doesn't have edit posts permission.
else
if you have both admin and writer roles that should have the same edit permission, the best way to protect your API is with a single middleware check on the route.
You should use your code (specifically, a seeder) for the initial setup of your main roles and permissions.
However, for managing roles and permissions daily from a UI, you should not edit your code. Instead, you'll manage everything through a dedicated API. This is one of the main reasons to use a package like Spatie.
Managing from a UI via an API
Here’s a simple example of what a controller method for your API would look like to assign a role to a user based on a UI request.
I- api
II- Update User's Role
III- Update Role's Permissions
IIII- Update User's Permissions
model_has_permissions table
thanks...
Top comments (0)