laravel-policies-and-authorization_skill

This skill helps enforce Laravel access control by applying policies and gates in controllers and routes, ensuring consistent authorization checks.
  • JavaScript

6

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill noartem/skills --skill laravel-policies-and-authorization

  • SKILL.md1.1 KB

Overview

This skill enforces authorization in Laravel applications by guiding the use of Policies and Gates and showing how to standardize controller protections with authorize() and authorizeResource(). It helps teams centralize access rules per model and apply consistent checks across controllers and routes. The guidance reduces boilerplate and makes permission logic easier to test and maintain.

How this skill works

The skill explains creating model-specific Policy classes and registering them in AuthServiceProvider so Laravel resolves authorization automatically. It covers using authorizeResource() in controller constructors to wire resource methods to policy methods, plus one-off checks with authorize() and ad-hoc Gates via Gate::allows or the can middleware on routes. It also highlights test patterns to assert allowed and forbidden responses.

When to use it

  • When you need per-model authorization (create, view, update, delete) across controllers
  • When you want centralized permission logic to avoid inline checks in controllers
  • When routes require quick, declarative protection using can middleware
  • When implementing cross-cutting checks like billing or admin-level features via Gates
  • When you need clear, testable authorization behavior for API or web endpoints

Best practices

  • Generate and scope Policies for each Eloquent model and register them in AuthServiceProvider
  • Prefer policy methods (viewAny, view, create, update, delete, restore, forceDelete) over inline checks
  • Use $this->authorizeResource(Model::class, 'model') in controllers to auto-map resource actions
  • Use ->middleware('can:ability,model') on routes for concise route-level protection
  • Write tests asserting actingAs($user)->get(...)->assertForbidden() for denied cases

Example use cases

  • Protect a posts resource: create PostPolicy, register it, and add authorizeResource in PostController
  • Enforce update/delete so only owners or admins can modify records using policy methods
  • Add a Gate for managing billing that applies across controllers and commands
  • Use can middleware on a route group to restrict access to moderation tools
  • Test authorization flows by asserting responses for allowed and forbidden users

FAQ

Policies map to a specific model and contain methods for common resource actions. Gates are standalone closures or classes for cross-cutting or simple checks not tied to a model.

When should I use authorizeResource() vs authorize()?

Use authorizeResource() in resource controllers to automatically map controller actions to policy methods. Use authorize() for single, ad-hoc checks inside a controller action.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational