Laravel authorization policies for methods without arguments like create
I was implementing authorization policies in my Laravel app for determining what users can do what actions. As stated in the documentation, if you want to check a policy, you can do something like this in the controller:
if (Gate::denies('update', $post)) {
abort(403);
}
}
Then Laravel knows that $post
is an instance of the Post
class and can check the policies for that class. But what if we don't have an instance of $post
available for indicating Laravel what policy should it check, since we are for example, about to create a post?
Well, I had to search in the framework code for getting a response to this question, in Illuminate/Auth/Access/Gate.php
there is the following function:
protected function firstArgumentCorrespondsToPolicy(array $arguments)
{
if (! isset($arguments[0])) {
return false;
}
if (is_object($arguments[0])) {
return isset($this->policies[get_class($arguments[0])]);
}
return is_string($arguments[0]) && isset($this->policies[$arguments[0]]);
}
In the last line we can see that we can also pass a string to the denies
function to determine what policy do we want. So we can call the function using a string referring to the model like this:
if (Gate::denies('create', 'App/Post')) {
abort(403);
}
}
And then when defining the policy, there is no need to use a second parameter for referring to the model instance, so it will look like this:
public function create(User $user) {
return [..] //Whatever condition you want
}
Hopes you find this helpful, see you!