Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Access Control in Laravel

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Fareez Ahamed Fareez Ahamed
February 27, 2016
Programming
4
260

Access Control in Laravel

Introduction to Access Control in Laravel

Avatar for Fareez Ahamed

Fareez Ahamed

February 27, 2016
Tweet

More Decks by Fareez Ahamed

See All by Fareez Ahamed
Laravel Integration Testing
Avatar for Fareez Ahamed fareez
3
140

Other Decks in Programming

See All in Programming
登壇資料を作る時に意識していること #登壇資料_findy
Avatar for konifar konifar
4
1.4k
Oxlintはいいぞ
Avatar for Yuji Yamaguchi yug1224
5
1.3k
MUSUBIXとは
Avatar for Hisaho nahisaho
0
140
Fluid Templating in TYPO3 14
Avatar for Simon Praetorius s2b
0
130
AIによる高速開発をどう制御するか? ガードレール設置で開発速度と品質を両立させたチームの事例
Avatar for tonkotsuboy_com tonkotsuboy_com
7
2.4k
AtCoder Conference 2025
Avatar for shindannin shindannin
0
1.1k
疑似コードによるプロンプト記述、どのくらい正確に実行される?
Avatar for kokuyouwind kokuyouwind
0
390
[KNOTS 2026登壇資料]AIで拡張‧交差する プロダクト開発のプロセス および携わるメンバーの役割
Avatar for hisatake hisatake
0
290
責任感のあるCloudWatchアラームを設計しよう
Avatar for アキキー akihisaikeda
3
180
16年目のピクシブ百科事典を支える最新の技術基盤 / The Modern Tech Stack Powering Pixiv Encyclopedia in its 16th Year
Avatar for ahu ahuglajbclajep
5
1k
IFSによる形状設計/デモシーンの魅力 @ 慶應大学SFC
Avatar for がむ gam0022
1
310
CSC307 Lecture 09
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
840

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.2k
From Legacy to Launchpad: Building Startup-Ready Communities
Avatar for Dug Song dugsong
0
140
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
122
21k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
9.9k
Lightning Talk: Beautiful Slides for Beginners
Avatar for Ines Montani inesmontani
PRO
1
440
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
77
5.3k
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
330
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
54
8k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
182
10k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.7k
Public Speaking Without Barfing On Your Shoes - THAT 2023
Avatar for David Neal reverentgeek
1
310
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
910

Transcript

  1. Access Control in Laravel

  2. Access Control in Laravel

  3. What is Access Control?

  4.    ACL 403 200

  5. How to do that in Laravel?

  6. public function index() { //check access if(Gate::denies('view-post-list')) { abort(403); }

    $posts = Post::all(); return response()->json($posts); } denies allows check

  7. But, where do I define the 'ability'?

  8. class AuthServiceProvider extends ServiceProvider { ... public function boot(GateContract $gate)

    { $this->registerPolicies($gate); //Definition of access control $gate->define('view-post-list', function ($user) { return $user->isModerator(); }); } }

  9. But I wan't to give access selectively

  10. public function edit(Request $req, $id) { $post = Post::findOrFail($id); //check

    access if(Gate::denies('edit-post',$post)) { abort(403); } return response()->json($post); }

  11. Now, How to define this?!

  12. $gate->define('edit-post', function ($user, $post){ return $user->id === $post->user_id; });

  13. What if I'm a Super Admin?

  14. $gate->before(function ($user, $ability){ if ($user->isSuperAdmin()) { return true; } });

  15. How to log failed Gate checks?

  16. $gate->after( function ($user, $ability, $result, $arguments){ if (!$result) { //Log

    here } });

  17. Cleaner way to define abilities

  18. $gate->define('update-post', 'Class@method'); Defining in classes

  19. php artisan make:policy PostPolicy Defining Policies

  20. protected $policies = [ Post::class => PostPolicy::class, ]; Advantages Cleaner

    Code Implicitly identifies Policy to use

  21. Blade 'can'!

  22. @can('edit-post', $post) <a href='{{ url('post.edit',$post->id) }}'>Edit Post</a> @else <a class='disabled'

    href='{{ url('post.edit',$post->id) }}'> Edit Post </a> @endcan

  23. Simple Implementation

  24. Schema::create('users', function (Blueprint $table) { $table->increments('id'); $table->string('name'); $table->string('email')->unique(); $table->string('password'); $table->string('roles');

    $table->rememberToken(); $table->timestamps(); }); Add roles to user

  25. class User extends Authenticatable { ... protected $casts = [

    'roles' => 'collection' ]; } Cast roles to Collection

  26. $gate->define('create-post', function($user){ return $user->roles->contains('author'); }); Define the abilities

  27. Now 'Gate!!!' public function create(Request $req) { //check access if(Gate::denies('create-post'))

    { abort(403); } return view('post.create'); }

  28. Thank you! www.fareez.info [email protected]