6
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill noartem/skills --skill laravel-policies-and-authorization- SKILL.md1.1 KB
Overview
This skill enforces authorization in Laravel applications by guiding the use of Policies and Gates and showing how to standardize controller protections with authorize() and authorizeResource(). It helps teams centralize access rules per model and apply consistent checks across controllers and routes. The guidance reduces boilerplate and makes permission logic easier to test and maintain.
How this skill works
The skill explains creating model-specific Policy classes and registering them in AuthServiceProvider so Laravel resolves authorization automatically. It covers using authorizeResource() in controller constructors to wire resource methods to policy methods, plus one-off checks with authorize() and ad-hoc Gates via Gate::allows or the can middleware on routes. It also highlights test patterns to assert allowed and forbidden responses.
When to use it
- When you need per-model authorization (create, view, update, delete) across controllers
- When you want centralized permission logic to avoid inline checks in controllers
- When routes require quick, declarative protection using can middleware
- When implementing cross-cutting checks like billing or admin-level features via Gates
- When you need clear, testable authorization behavior for API or web endpoints
Best practices
- Generate and scope Policies for each Eloquent model and register them in AuthServiceProvider
- Prefer policy methods (viewAny, view, create, update, delete, restore, forceDelete) over inline checks
- Use $this->authorizeResource(Model::class, 'model') in controllers to auto-map resource actions
- Use ->middleware('can:ability,model') on routes for concise route-level protection
- Write tests asserting actingAs($user)->get(...)->assertForbidden() for denied cases
Example use cases
- Protect a posts resource: create PostPolicy, register it, and add authorizeResource in PostController
- Enforce update/delete so only owners or admins can modify records using policy methods
- Add a Gate for managing billing that applies across controllers and commands
- Use can middleware on a route group to restrict access to moderation tools
- Test authorization flows by asserting responses for allowed and forbidden users
FAQ
Policies map to a specific model and contain methods for common resource actions. Gates are standalone closures or classes for cross-cutting or simple checks not tied to a model.
When should I use authorizeResource() vs authorize()?
Use authorizeResource() in resource controllers to automatically map controller actions to policy methods. Use authorize() for single, ad-hoc checks inside a controller action.