How do I use Laravel's authorization system to control access to resources?
Jun 17, 2025, 09:31 AM

Laravel's authorization system provides strong access control through Gates and Policies. 1. Gates are used for simple action checks, such as "create admin post": a gate is defined with a closure and checked with Gate::allows in a controller or @can in a view. 2. Policies hold model-based authorization logic, such as editing or deleting a specific post: a policy class is generated with Artisan, registered in AuthServiceProvider, and triggered with $this->authorize in the controller, which calls the matching policy method. 3. Gates and Policies can be combined: Gates handle global permissions such as "manage users", Policies handle permissions on model instances, and controller method names are mapped automatically to policy methods. 4. By default an unauthorized attempt throws an AuthorizationException, which can be customized by overriding the exception handler, for example to return a JSON error. The system is flexible and needs no third-party package to meet most application needs.
Laravel's authorization system is powerful and straightforward once you get the hang of it. At its core, it gives you tools like Gates and Policies to control who can access certain actions or resources in your app. You don't need to use third-party packages if all you want is basic or even moderately complex access control — Laravel has you covered out of the box.
Let's break down how to use it effectively.
1. Start with Gates for Simple Checks
Gates are closure-based checks that determine whether a user can perform a specific action. They're great for one-off checks or when the logic doesn't tie directly to a model.
For example, checking if a user can create an admin post:
Gate::define('create-admin-post', function ($user) {
    return $user->isAdmin();
});
Then in your controller or blade view, you can check like this:
if (Gate::allows('create-admin-post')) {
    // Let them proceed
}
Or in Blade:
@can('create-admin-post')
    <button>Create Admin Post</button>
@endcan
Tip: Use gates for general permissions that don't revolve around a specific model instance, like "delete any post" or "access dashboard".
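As an added example (not code from the original article), here is the same gate written so that it returns a Response object instead of a bare boolean. The caller then learns why access was denied, which matters for audit logs and for error messages shown to users. It assumes the App\Models\User model has the isAdmin() method the article's snippet relies on, and it is placed in the AuthServiceProvider that the article registers policies in.

```php
<?php
// Added example, not from the original article. A gate that returns a
// Response object so the caller learns why access was denied. Assumes
// App\Models\User has the isAdmin() method the article's snippet relies on.

namespace App\Providers;

use App\Models\User;
use Illuminate\Auth\Access\Response;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // With a non-nullable User parameter, Laravel denies guests without
        // running the closure at all, so only signed-in users reach this code.
        // A denial message is still safe to show: it names the rule, not the
        // data the caller was refused.
        Gate::define('create-admin-post', function (User $user) {
            return $user->isAdmin()
                ? Response::allow()
                : Response::deny('Only administrators can create admin posts.');
        });
    }
}
```

Gate::allows('create-admin-post') and @can keep working exactly as in the article, because a Response is treated as true or false there. To read the message, call Gate::inspect('create-admin-post'), which returns the Response (check ->denied() and ->message()), or Gate::authorize('create-admin-post'), which throws an AuthorizationException carrying that message. The same gate can also guard a route with ->middleware('can:create-admin-post'), so the check runs before the controller is ever entered.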
2. Use Policies for Model-Based Authorization
When your authorization logic is tied to a specific model — like checking if a user can edit or delete a post — policies are the way to go.
First, generate a policy using Artisan:
php artisan make:policy PostPolicy --model=Post
This creates a file at app/Policies/PostPolicy.php. Then register it in AuthServiceProvider:
protected $policies = [
    Post::class => PostPolicy::class,
];
In your policy class, define methods like update, delete, etc. For example:
public function update(User $user, Post $post)
{
    return $user->id === $post->author_id;
}
Now in your controller, you can do:
$this->authorize('update', $post);
If the user isn't allowed, Laravel will throw an AuthorizationException.
Note: If you're working with APIs or need custom responses, wrap this in a try/catch block or handle it globally via exception rendering.
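The following is an added example, not the article's own code: a complete PostPolicy for the file that make:policy generated above, followed by the controller that uses it. Two files are shown one after the other. It assumes the posts table has the author_id column the article compares against, and it adds a nullable published_at column purely for illustration of a guest-visible rule.

```php
<?php
// Added example, not the article's own code. Two files are shown one after
// the other: the policy Artisan generated above and the controller that uses
// it. Assumes the posts table has author_id (as in the article) and a
// nullable published_at column (an assumption made for this example).

// app/Policies/PostPolicy.php
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Listing needs no instance, so only the user is passed in.
    public function viewAny(User $user): bool
    {
        return true;
    }

    // Declaring ?User lets guests reach this method; with a plain User type
    // hint Laravel denies guests before the policy is even called.
    public function view(?User $user, Post $post): bool
    {
        if ($post->published_at !== null) {
            return true;
        }

        return $user !== null && $user->id === $post->author_id;
    }

    public function create(User $user): bool
    {
        return true;
    }

    // Strict comparison: a null author_id can never match a user id. Make
    // sure both ids are integers (cast author_id to int in the Post model),
    // because "5" === 5 is false and would lock out the real author.
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->author_id;
    }

    public function delete(User $user, Post $post): bool
    {
        return $user->id === $post->author_id;
    }
}

// app/Http/Controllers/PostController.php
namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;

class PostController extends Controller
{
    // Laravel 11's base Controller no longer includes this trait, so pull it
    // in explicitly; on older releases the duplicate use is harmless.
    use AuthorizesRequests;

    public function __construct()
    {
        // Runs viewAny/view/create/update/delete from PostPolicy for the
        // matching resource actions, so no per-method authorize() call can
        // be forgotten when a new action is added.
        $this->authorizeResource(Post::class, 'post');
    }

    public function update(Request $request, Post $post)
    {
        // The policy's update() already ran for this request; reaching this
        // line means the caller is the post's author.
        $post->update($request->validate([
            'title' => ['required', 'string', 'max:255'],
            'body'  => ['required', 'string'],
        ]));

        return redirect()->route('posts.show', $post);
    }
}
```

authorizeResource is the safer default for resource controllers because the check is attached to the class rather than repeated in every method; an explicit $this->authorize('update', $post) as in the article is still the right tool inside non-resource actions.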
3. Combine Gates and Policies for Flexibility
You don't have to pick just one. You can mix Gates and Policies based on context.
- Use Gates for global permissions like "manage users", "view analytics".
- Use Policies when dealing with specific model instances.
Also, remember that policies automatically map controller method names (view, create, update, delete) to corresponding policy methods. That means if you call $this->authorize('update', $post) in your controller, Laravel knows to look for the update method in the policy.
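An added example, not from the article, of the two mechanisms living side by side in one AuthServiceProvider: global gates such as "manage users", the PostPolicy registration from section 2, and a Gate::before hook that lets administrators pass every check. It assumes User::isAdmin() as in the article's gate. The important detail a practitioner needs is the return value of the before hook: true short-circuits to "allowed" for every gate and every policy method (so it also overrides PostPolicy's ownership checks), false would deny everything for non-admins, and only null lets the normal gate or policy decide.

```php
<?php
// Added example, not the article's own code: global gates, a model policy and
// a Gate::before override registered together. Assumes User::isAdmin().

namespace App\Providers;

use App\Models\Post;
use App\Models\User;
use App\Policies\PostPolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    // Model-based permissions: editing or deleting one specific post.
    protected $policies = [
        Post::class => PostPolicy::class,
    ];

    public function boot(): void
    {
        // Older releases call this from boot(); on Laravel 10+ the base class
        // already does it, and calling it again is harmless.
        $this->registerPolicies();

        // Global permissions that are not tied to a model instance.
        Gate::define('manage-users', fn (User $user) => $user->isAdmin());
        Gate::define('view-analytics', fn (User $user) => $user->isAdmin());

        // Runs before every gate and every policy method.
        //   true  -> allowed, the gate/policy is never consulted
        //   null  -> fall through to the gate/policy
        //   false -> denied for everyone who reaches this branch
        // Returning false here by mistake would deny all non-admins every
        // ability in the application, so only return true or null.
        Gate::before(function (User $user, string $ability) {
            if ($user->isAdmin()) {
                return true;
            }

            return null;
        });
    }
}
```

On Laravel 11 and later there is no AuthServiceProvider in a fresh application: the same Gate::define and Gate::before calls go in AppServiceProvider::boot(), and a policy named App\Policies\PostPolicy is discovered automatically for App\Models\Post without the $policies array.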
4. Handle Unauthorized Access Gracefully
By default, Laravel throws an AuthorizationException when someone tries to do something they shouldn't. But you might want to customize the response, especially for JSON APIs.
In app/Exceptions/Handler.php, you can catch this and return a 403 or custom message:
use Illuminate\Auth\Access\AuthorizationException;
use Throwable;

public function render($request, Throwable $exception)
{
    if ($exception instanceof AuthorizationException) {
        return response()->json(['error' => 'You are not authorized to do this.'], 403);
    }

    return parent::render($request, $exception);
}
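The Handler.php override above applies to Laravel 10 and earlier. As an added example (not the article's code), here is the equivalent for Laravel 11 and later, where app/Exceptions/Handler.php no longer exists and exception rendering is configured in bootstrap/app.php. It also shows the check a practitioner usually wants: only callers that expect JSON get the JSON body, and browser requests keep Laravel's default 403 page. The routing and middleware sections are the stock skeleton and are not specific to this example.

```php
<?php
// Added example, not the article's own code: bootstrap/app.php for Laravel 11+,
// returning the same JSON 403 as the article's Handler::render() override.

use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Request;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        //
    })
    ->withExceptions(function (Exceptions $exceptions) {
        // The closure's type hint selects which exception it handles.
        // Returning null lets Laravel's default rendering take over, so
        // HTML clients still receive the normal 403 page.
        $exceptions->render(function (AuthorizationException $e, Request $request) {
            if ($request->expectsJson()) {
                // A fixed message: the policy's own denial text may describe
                // internal rules, so it is not echoed to API clients here.
                return response()->json([
                    'error' => 'You are not authorized to do this.',
                ], 403);
            }

            return null;
        });
    })
    ->create();
```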
That's basically it. Laravel's built-in authorization system is flexible enough for most apps, and combining Gates and Policies gives you fine-grained control without bloating your code. It's not overly flashy, but it gets the job done well — as long as you understand when to use each part.