Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Access Control in Laravel

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Fareez Ahamed Fareez Ahamed
February 27, 2016
Programming
4
260

Access Control in Laravel

Introduction to Access Control in Laravel

Avatar for Fareez Ahamed

Fareez Ahamed

February 27, 2016
Tweet

More Decks by Fareez Ahamed

See All by Fareez Ahamed
Laravel Integration Testing
Avatar for Fareez Ahamed fareez
3
140

Other Decks in Programming

See All in Programming
それはエンジニアリングの糧である:AI開発のためにAIのOSSを開発する現場より / It serves as fuel for engineering: insights from the field of developing open-source AI for AI development.
Avatar for nrs nrslib
1
540
DevinとClaude Code、SREの現場で使い倒してみた件
Avatar for karia/Y.Hisamatsu karia
1
1.1k
20260320登壇資料
Avatar for 松井遼(まついはるか) pharct
0
120
ふつうのRubyist、ちいさなデバイス、大きな一年 / Ordinary Rubyists, Tiny Devices, Big Year
Avatar for chobishiba chobishiba
1
500
OTP を自動で入力する裏技
Avatar for Megabits_mzq megabitsenmzq
0
130
Takumiから考えるSecurity_Maturity_Model.pdf
Avatar for gessy0129 gessy0129
1
160
野球解説AI Agentを開発してみた - 2026/02/27 LayerX社内LT会資料
Avatar for Shinichi Nakagawa shinyorke
PRO
0
370
How to stabilize UI tests using XCTest
Avatar for Akio Itaya akkeylab
0
140
コードレビューをしない選択 #でぃーぷらすトウキョウ
Avatar for Takuma Kajikawa kajitack
3
1.1k
AI時代の脳疲弊と向き合う ~言語学としてのPHP~
Avatar for Sakurai sakuraikotone
1
1.6k
Laravel Nightwatchの裏側 - Laravel公式Observabilityツールを支える設計と実装
Avatar for Ryuta Hamasaki avosalmon
1
230
モダンOBSプラグイン開発
Avatar for Kaito Udagawa umireon
0
180

Featured

See All Featured
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
183
10k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
35
2.4k
A Guide to Academic Writing Using Generative AI - A Workshop
Avatar for Kenji Saito ks91
PRO
0
240
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.3k
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
5
980
Designing Experiences People Love
Avatar for Jonathan Moore moore
143
24k
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
Avatar for r-kagaya rkaga
61
43k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.8k
svc-hook: hooking system calls on ARM64 by binary rewriting
Avatar for Akira Moroo retrage
2
180
Docker and Python
Avatar for Tania Allard trallard
47
3.8k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
790
Avoiding the “Bad Training, Faster” Trap in the Age of AI
Avatar for Mike Taylor tmiket
0
110

Transcript

  1. Access Control in Laravel

  2. Access Control in Laravel

  3. What is Access Control?

  4.    ACL 403 200

  5. How to do that in Laravel?

  6. public function index() { //check access if(Gate::denies('view-post-list')) { abort(403); }

    $posts = Post::all(); return response()->json($posts); } denies allows check

  7. But, where do I define the 'ability'?

  8. class AuthServiceProvider extends ServiceProvider { ... public function boot(GateContract $gate)

    { $this->registerPolicies($gate); //Definition of access control $gate->define('view-post-list', function ($user) { return $user->isModerator(); }); } }

  9. But I wan't to give access selectively

  10. public function edit(Request $req, $id) { $post = Post::findOrFail($id); //check

    access if(Gate::denies('edit-post',$post)) { abort(403); } return response()->json($post); }

  11. Now, How to define this?!

  12. $gate->define('edit-post', function ($user, $post){ return $user->id === $post->user_id; });

  13. What if I'm a Super Admin?

  14. $gate->before(function ($user, $ability){ if ($user->isSuperAdmin()) { return true; } });

  15. How to log failed Gate checks?

  16. $gate->after( function ($user, $ability, $result, $arguments){ if (!$result) { //Log

    here } });

  17. Cleaner way to define abilities

  18. $gate->define('update-post', 'Class@method'); Defining in classes

  19. php artisan make:policy PostPolicy Defining Policies

  20. protected $policies = [ Post::class => PostPolicy::class, ]; Advantages Cleaner

    Code Implicitly identifies Policy to use

  21. Blade 'can'!

  22. @can('edit-post', $post) <a href='{{ url('post.edit',$post->id) }}'>Edit Post</a> @else <a class='disabled'

    href='{{ url('post.edit',$post->id) }}'> Edit Post </a> @endcan

  23. Simple Implementation

  24. Schema::create('users', function (Blueprint $table) { $table->increments('id'); $table->string('name'); $table->string('email')->unique(); $table->string('password'); $table->string('roles');

    $table->rememberToken(); $table->timestamps(); }); Add roles to user

  25. class User extends Authenticatable { ... protected $casts = [

    'roles' => 'collection' ]; } Cast roles to Collection

  26. $gate->define('create-post', function($user){ return $user->roles->contains('author'); }); Define the abilities

  27. Now 'Gate!!!' public function create(Request $req) { //check access if(Gate::denies('create-post'))

    { abort(403); } return view('post.create'); }

  28. Thank you! www.fareez.info [email protected]