In Laravel, the @can Blade directive is used to check in the view whether the user has permission to perform a specific action. 1. The basic usage is @can('ability name', model), for example, when displaying the "Edit" button, use @can('edit-post', $post) to wrap the link; 2. You can combine the @else or @cannot instructions to handle alternative content when there is no permission; 3. If the policy method requires multiple parameters, it can be passed through an array, such as @can('update-comment', [$comment, $post]); 4. For global permissions that do not involve the model, you can directly use @can('manage-settings') to check. This directive simplifies authorization logic in the view, making the template clearer and easier to read while ensuring that users can only see what they have permission to access.

In Laravel, the @can Blade directive is a straightforward way to check if a user has permission to perform a specific action in your views. You don't need to handle authorization logic directly in your templates — @can keeps things clean and readable by wrapping conditional view elements based on permissions.

How to Use the Basic @can Directive

The most common use of @can is checking whether a user can perform a specific action. For example, you might want to show an "Edit" button only if the user is allowed to edit a post.

 @can('edit-post', $post)
    <a href="{{ route(&#39;posts.edit&#39;, $post) }}">Edit Post</a>
@endcan

Here, 'edit-post' is the name of the ability or policy method you're checking, and $post is the model instance being evaluated.

This works if you've already defined the corresponding authorization logic either in a policy or via the Gate facade in a service provider.

Tip: If you're using policies, make sure the model (like Post ) is registered with its matching policy in the AuthServiceProvider .

Combining @can With Other Directives Like @else and @cannot

Sometimes you want to display alternative content when a user doesn't have permission. You can combine @can with @else or use the @cannot directive for clarity.

 @can('delete-post', $post)
    <button>Delete Post</button>
@else
    <p>You are not allowed to delete this post.</p>
@endcan

Or:

 @cannot('delete-post', $post)
    <p>You cannot delete this post.</p>
@endcannot

These variations help you write more expressive templates without falling back to raw PHP conditions.

Passing Multiple Parameters to Policies

If your policy method requires multiple parameters (for example, checking if a user can update a comment on a specific post), you can pass them as an array.

 @can('update-comment', [$comment, $post])
    <a href="{{ route(&#39;comments.edit&#39;, $comment) }}">Edit Comment</a>
@endcan

In this case, your policy's update method should accept both the user, the comment, and the post:

 public function update(User $user, Comment $comment, Post $post)
{
    return $user->id === $comment->user_id;
}

Just make sure the order matches what your policy expects.

Using @can Without a Model (For General Ability)

Not all permissions related to a specific model. For global abilities like "manage-settings", you can skip the model entirely:

 @can('manage-settings')
    <a href="{{ route(&#39;settings&#39;) }}">Manage Site Settings</a>
@endcan

This checks if the user has that general capability, which might be defined like this in a service provider:

 Gate::define('manage-settings', function ($user) {
    return $user->hasRole('admin');
});

You can also define this in a dedicated policy if needed, but it's often simpler to use gates for global permissions.

That's basically how you work with @can in Blade. It's not complicated, but it helps keep your UI consistent with your app's access rules — and avoids showing buttons or links users shouldn't see in the first place.

The above is the detailed content of How do I use the @can Blade directive to check authorization permissions?. For more information, please follow other related articles on the PHP Chinese website!