Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Access Control in Laravel

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Fareez Ahamed Fareez Ahamed
February 27, 2016
Programming
4
260

Access Control in Laravel

Introduction to Access Control in Laravel

Avatar for Fareez Ahamed

Fareez Ahamed

February 27, 2016
Tweet

More Decks by Fareez Ahamed

See All by Fareez Ahamed
Laravel Integration Testing
Avatar for Fareez Ahamed fareez
3
140

Other Decks in Programming

See All in Programming
CSC307 Lecture 09
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
840
AI Agent の開発と運用を支える Durable Execution #AgentsInProd
Avatar for izumin5210 izumin5210
7
2.3k
高速開発のためのコード整理術
Avatar for sutetotanuki sutetotanuki
1
400
生成AIを使ったコードレビューで定性的に品質カバー
Avatar for Chiaki Okamoto chiilog
1
270
プロダクトオーナーから見たSOC2 _SOC2ゆるミートアップ#2
Avatar for Kenta Suzuki kekekenta
0
220
Oxlintはいいぞ
Avatar for Yuji Yamaguchi yug1224
5
1.3k
AtCoder Conference 2025
Avatar for shindannin shindannin
0
1.1k
Amazon Bedrockを活用したRAGの品質管理パイプライン構築
Avatar for とすり tosuri13
5
750
AIによるイベントストーミング図からのコード生成 / AI-powered code generation from Event Storming diagrams
Avatar for nrs nrslib
2
1.9k
360° Signals in Angular: Signal Forms with SignalStore & Resources @ngLondon 01/2026
Avatar for Manfred Steyer manfredsteyer
PRO
0
130
Rust 製のコードエディタ “Zed” を使ってみた
Avatar for NearMeの技術発表資料です nearme_tech
PRO
0
190
AI Schema Enrichment for your Oracle AI Database
Avatar for thatjeffsmith thatjeffsmith
0
310

Featured

See All Featured
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
59
6.3k
Building a A Zero-Code AI SEO Workflow
Avatar for Ian Lurie portentint
PRO
0
320
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
68
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
Avatar for r-kagaya rkaga
60
42k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.6k
WENDY [Excerpt]
Avatar for Tessa Abrams tessaabrams
9
36k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
Avatar for UX Y'all uxyall
0
370
Darren the Foodie - Storyboard
Avatar for Kevinho.art khoart
PRO
2
2.4k
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
1
430
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
3
220
How to audit for AI Accessibility on your Front & Back End
Avatar for davetheseo davetheseo
0
180
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.7k

Transcript

  1. Access Control in Laravel

  2. Access Control in Laravel

  3. What is Access Control?

  4.    ACL 403 200

  5. How to do that in Laravel?

  6. public function index() { //check access if(Gate::denies('view-post-list')) { abort(403); }

    $posts = Post::all(); return response()->json($posts); } denies allows check

  7. But, where do I define the 'ability'?

  8. class AuthServiceProvider extends ServiceProvider { ... public function boot(GateContract $gate)

    { $this->registerPolicies($gate); //Definition of access control $gate->define('view-post-list', function ($user) { return $user->isModerator(); }); } }

  9. But I wan't to give access selectively

  10. public function edit(Request $req, $id) { $post = Post::findOrFail($id); //check

    access if(Gate::denies('edit-post',$post)) { abort(403); } return response()->json($post); }

  11. Now, How to define this?!

  12. $gate->define('edit-post', function ($user, $post){ return $user->id === $post->user_id; });

  13. What if I'm a Super Admin?

  14. $gate->before(function ($user, $ability){ if ($user->isSuperAdmin()) { return true; } });

  15. How to log failed Gate checks?

  16. $gate->after( function ($user, $ability, $result, $arguments){ if (!$result) { //Log

    here } });

  17. Cleaner way to define abilities

  18. $gate->define('update-post', 'Class@method'); Defining in classes

  19. php artisan make:policy PostPolicy Defining Policies

  20. protected $policies = [ Post::class => PostPolicy::class, ]; Advantages Cleaner

    Code Implicitly identifies Policy to use

  21. Blade 'can'!

  22. @can('edit-post', $post) <a href='{{ url('post.edit',$post->id) }}'>Edit Post</a> @else <a class='disabled'

    href='{{ url('post.edit',$post->id) }}'> Edit Post </a> @endcan

  23. Simple Implementation

  24. Schema::create('users', function (Blueprint $table) { $table->increments('id'); $table->string('name'); $table->string('email')->unique(); $table->string('password'); $table->string('roles');

    $table->rememberToken(); $table->timestamps(); }); Add roles to user

  25. class User extends Authenticatable { ... protected $casts = [

    'roles' => 'collection' ]; } Cast roles to Collection

  26. $gate->define('create-post', function($user){ return $user->roles->contains('author'); }); Define the abilities

  27. Now 'Gate!!!' public function create(Request $req) { //check access if(Gate::denies('create-post'))

    { abort(403); } return view('post.create'); }

  28. Thank you! www.fareez.info [email protected]