Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Access Control in Laravel

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Fareez Ahamed Fareez Ahamed
February 27, 2016
Programming
4
260

Access Control in Laravel

Introduction to Access Control in Laravel

Avatar for Fareez Ahamed

Fareez Ahamed

February 27, 2016
Tweet

More Decks by Fareez Ahamed

See All by Fareez Ahamed
Laravel Integration Testing
Avatar for Fareez Ahamed fareez
3
140

Other Decks in Programming

See All in Programming
AIによる高速開発をどう制御するか? ガードレール設置で開発速度と品質を両立させたチームの事例
Avatar for tonkotsuboy_com tonkotsuboy_com
7
2.4k
AI Schema Enrichment for your Oracle AI Database
Avatar for thatjeffsmith thatjeffsmith
0
300
Unicodeどうしてる? PHPから見たUnicode対応と他言語での対応についてのお伺い
Avatar for てきめん tekimen youkidearitai
PRO
1
2.6k
QAフローを最適化し、品質水準を満たしながらリリースまでの期間を最短化する #RSGT2026
Avatar for shibayu36 shibayu36
2
4.4k
副作用をどこに置くか問題:オブジェクト指向で整理する設計判断ツリー
Avatar for Koya Masuda koxya
1
610
16年目のピクシブ百科事典を支える最新の技術基盤 / The Modern Tech Stack Powering Pixiv Encyclopedia in its 16th Year
Avatar for ahu ahuglajbclajep
5
1k
AI時代の認知負荷との向き合い方
Avatar for OptFit Corp. optfit
0
160
CSC307 Lecture 01
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
690
なぜSQLはAIぽく見えるのか/why does SQL look AI like
Avatar for florets1 florets1
0
470
AIで開発はどれくらい加速したのか?AIエージェントによるコード生成を、現場の評価と研究開発の評価の両面からdeep diveしてみる
Avatar for どすこい daisuketakeda
1
2.5k
Oxlint JS plugins
Avatar for kazupon kazupon
1
970
2026年 エンジニアリング自己学習法
Avatar for yumechi(Motoki Hirao) yumechi
0
140

Featured

See All Featured
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
4.3k
svc-hook: hooking system calls on ARM64 by binary rewriting
Avatar for Akira Moroo retrage
1
100
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
74
11k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
AI in Enterprises - Java and Open Source to the Rescue
Avatar for ivargrimstad ivargrimstad
0
1.1k
sira's awesome portfolio website redesign presentation
Avatar for ElsiraPls elsirapls
0
150
Measuring Dark Social's Impact On Conversion and Attribution
Avatar for Stephen Akadiri stephenakadiri
1
130
Evolving SEO for Evolving Search Engines
Avatar for Ryan Jones ryanjones
0
130
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
9.9k
Visual Storytelling: How to be a Superhuman Communicator
Avatar for David Neal reverentgeek
2
430
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
162
24k

Transcript

  1. Access Control in Laravel

  2. Access Control in Laravel

  3. What is Access Control?

  4.    ACL 403 200

  5. How to do that in Laravel?

  6. public function index() { //check access if(Gate::denies('view-post-list')) { abort(403); }

    $posts = Post::all(); return response()->json($posts); } denies allows check

  7. But, where do I define the 'ability'?

  8. class AuthServiceProvider extends ServiceProvider { ... public function boot(GateContract $gate)

    { $this->registerPolicies($gate); //Definition of access control $gate->define('view-post-list', function ($user) { return $user->isModerator(); }); } }

  9. But I wan't to give access selectively

  10. public function edit(Request $req, $id) { $post = Post::findOrFail($id); //check

    access if(Gate::denies('edit-post',$post)) { abort(403); } return response()->json($post); }

  11. Now, How to define this?!

  12. $gate->define('edit-post', function ($user, $post){ return $user->id === $post->user_id; });

  13. What if I'm a Super Admin?

  14. $gate->before(function ($user, $ability){ if ($user->isSuperAdmin()) { return true; } });

  15. How to log failed Gate checks?

  16. $gate->after( function ($user, $ability, $result, $arguments){ if (!$result) { //Log

    here } });

  17. Cleaner way to define abilities

  18. $gate->define('update-post', 'Class@method'); Defining in classes

  19. php artisan make:policy PostPolicy Defining Policies

  20. protected $policies = [ Post::class => PostPolicy::class, ]; Advantages Cleaner

    Code Implicitly identifies Policy to use

  21. Blade 'can'!

  22. @can('edit-post', $post) <a href='{{ url('post.edit',$post->id) }}'>Edit Post</a> @else <a class='disabled'

    href='{{ url('post.edit',$post->id) }}'> Edit Post </a> @endcan

  23. Simple Implementation

  24. Schema::create('users', function (Blueprint $table) { $table->increments('id'); $table->string('name'); $table->string('email')->unique(); $table->string('password'); $table->string('roles');

    $table->rememberToken(); $table->timestamps(); }); Add roles to user

  25. class User extends Authenticatable { ... protected $casts = [

    'roles' => 'collection' ]; } Cast roles to Collection

  26. $gate->define('create-post', function($user){ return $user->roles->contains('author'); }); Define the abilities

  27. Now 'Gate!!!' public function create(Request $req) { //check access if(Gate::denies('create-post'))

    { abort(403); } return view('post.create'); }

  28. Thank you! www.fareez.info [email protected]