@drbytezc
drbyte.dev
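/**
 * Update an existing post after an authorization check.
 *
 * Shows the two equivalent guard helpers side by side: abort_unless() with
 * $user->can() and abort_if() with $user->cannot(). Either one alone is
 * enough; both are kept here for comparison.
 *
 * @param Request $request current request; its authenticated user is the subject of the check
 * @param mixed   $id      route key of the post to update
 * @throws \Illuminate\Database\Eloquent\ModelNotFoundException when no post has this id (404)
 * @throws \Symfony\Component\HttpKernel\Exception\HttpException 403 when the ability is denied
 */
public function update(Request $request, $id)
{
    // Assignment, not comparison: the original `==` compared and discarded
    // the result, leaving $post undefined for everything below.
    // findOrFail() turns an unknown id into a 404 instead of handing null
    // to the ability check.
    $post = Post::findOrFail($id);

    // NOTE(review): 'update-post' is a Gate ability name. Once a PostPolicy is
    // registered for Post, the policy method is 'update' — confirm which of
    // the two the application defines.
    abort_unless($request->user()->can('update-post', $post),
        403, 'Not allowed to update');
    // Equivalent negative form of the guard above.
    abort_if($request->user()->cannot('update-post', $post),
        403, 'Not allowed to update');

    $post->save();
}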
$user->can() / cannot()
# Scaffolds a PostPolicy class; --model=Post adds a `Post $post` parameter to
# the per-instance abilities (view, update, delete, ...), as in the stub below.
php artisan make:policy PostPolicy --model=Post
/**
 * Stub produced by `php artisan make:policy PostPolicy --model=Post`.
 *
 * Each method is one ability; the acting user is always the first argument
 * and the Post instance, where the ability concerns one, the second. The
 * bodies are empty, so every method returns null (falsy) — nothing is
 * allowed until the rules are written in.
 */
class PostPolicy
{
    use HandlesAuthorization;

    // Abilities that do not involve a specific post.
    public function viewAny(User $user) { }
    public function create(User $user) { }

    // Abilities checked against one post.
    public function view(User $user, Post $post) { }
    public function update(User $user, Post $post) { }
    public function delete(User $user, Post $post) { }
    public function restore(User $user, Post $post) { }
    public function forceDelete(User $user, Post $post) { }
}
Policy Methods (return: boolean)
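/**
 * Authorization rules for Post.
 *
 * Every policy method returns a plain boolean: true allows the ability,
 * false denies it. The return types make that contract explicit.
 */
class PostPolicy
{
    use HandlesAuthorization;

    /**
     * Anyone, including guests, may view a post that is marked visible.
     *
     * $user is nullable so the method is reached for unauthenticated
     * requests as well; a non-nullable User would deny guests outright.
     */
    public function view(?User $user, Post $post): bool
    {
        // everyone can view all visible posts
        return (bool) $post->isVisible;
    }

    /**
     * Only the author may update a post.
     */
    public function update(User $user, Post $post): bool
    {
        // can update their own post
        // NOTE(review): === also compares type; confirm both ids come back
        // from the database as the same scalar type (int vs string).
        return $user->id === $post->author_id;
    }
}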
Controller: $this->authorize()
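class PostsController extends Controller
{
    /**
     * Show the edit form for a post, after checking PostPolicy@update.
     *
     * @param mixed $id route key of the post to edit
     * @throws \Illuminate\Database\Eloquent\ModelNotFoundException when no post has this id (404)
     * @throws \Illuminate\Auth\Access\AuthorizationException when the current user may not update the post
     */
    public function edit($id)
    {
        // findOrFail() rather than find(): an unknown id becomes a 404 here
        // instead of passing null into the authorization check, so the policy
        // always runs against a loaded model.
        $post = Post::findOrFail($id);

        // PostPolicy@update — the ability name maps to the policy method.
        $this->authorize('update', $post);

        return view('posts.edit');
    }
}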
Laracon EU 2019 - Close the Gate! Laravel Authorization.key - August 29, 2019