Laravel

Mastering Laravel Policies for Clean Authorization

ME
Mohamed Elogail
8 hours ago
12 min read
Mastering Laravel Policies for Clean Authorization

Mastering Laravel Policies for Clean Authorization

What You Will Learn

  • The fundamental difference between authentication and authorization.
  • How to identify and solve the authorization logic mess in growing applications.
  • The core concept of Laravel Policies and why they are superior for model-based logic.
  • When to choose Gates versus Policies.
  • Creating, registering, and structuring Policy classes.
  • Implementing CRUD and custom authorization methods.
  • Using Policies in Controllers, Blade templates, and Routes.
  • Best practices for maintainable authorization and testing strategies.

1. Introduction to Authorization in Web Applications

In the world of web development, security is often divided into two main pillars: authentication and authorization. While authentication identifies who a user is (usually via login), authorization determines what that user is allowed to do. In modern applications, robust authorization is critical. It prevents unauthorized users from deleting data, accessing private records, or performing administrative tasks they don't have permission for. Controlling these permissions effectively is the difference between a secure system and a vulnerable one.

2. The Authorization Problem in Growing Applications

When an application starts small, developers often hard-code permission checks directly inside their Controllers or Service layers. While this works initially, it quickly leads to a maintenance nightmare. As the codebase grows, you might find the same owner-check logic duplicated in multiple controllers (e.g., checking if a user owns a post before editing it in both the Web and API controllers). This duplication makes it incredibly difficult to update rules and increases the risk of security gaps where a check might be forgotten.

3. What Are Laravel Policies

Laravel Policies are classes that organize authorization logic around a particular model or resource. For example, if your application has a Post model, you would typically have a PostPolicy to handle all authorization actions related to posts. Think of a Policy as a central hub where all rules regarding a specific entity live, keeping your logic organized and encapsulated.

4. Why Laravel Policies Are Important

The primary benefit of using Policies is the separation of concerns. By moving authorization logic out of controllers, your controllers remain thin and focused on handling requests. Additionally, Policies provide a centralized location for permission logic, making it easier to audit security rules and ensure consistency across the entire application.

5. Policies vs Gates in Laravel

Laravel provides two primary ways to handle authorization: Gates and Policies. Gates are typically used for actions that are not related to a specific model or resource, such as accessing an admin dashboard. Policies, on the other hand, are specifically designed for actions involving a specific model instance. While Gates are closure-based and often defined in a service provider, Policies are classes that Laravel can automatically resolve based on the model they govern.

6. When You Should Use Laravel Policies

You should use Policies whenever you are performing actions on a resource that has a corresponding Eloquent model. Common scenarios include managing blog posts, viewing orders, updating user profiles, or deleting comments. If the action is "Can this user do X to this specific Y?", a Policy is almost always the right tool.

7. Creating a Policy Class

Creating a policy is straightforward using the Artisan CLI. You can generate a policy and even associate it with a specific model to pre-populate common CRUD methods.

php artisan make:policy PostPolicy --model=Post

This command creates a new file in the app/Policies directory.

8. Registering Policies in Laravel

In modern Laravel versions, policies are often automatically discovered if they follow the standard naming convention (Model name + Policy). However, you can manually register them in the AuthServiceProvider if you have a custom structure.

protected $policies = [ 
    App\Models\Post::class => App\Policies\PostPolicy::class,
];

9. Understanding the Structure of a Policy Class

A policy class consists of several methods. Each method corresponds to an action (like 'update' or 'delete'). These methods always receive the currently authenticated User as the first argument, and the model instance being checked as the second argument.

public function update(User $user, Post $post)
{
    return $user->id === $post->user_id;
}

10. Default Policy Methods Explained

When you generate a policy with the --model flag, Laravel includes several standard methods: viewAny (listing records), view (single record), create (new record), update, delete, restore, and forceDelete. Each method maps perfectly to standard RESTful controller actions.

11. Writing Authorization Logic Inside Policies

Inside these methods, you return a boolean. You can perform complex checks, such as verifying roles, checking subscription status, or ensuring ownership. Since these are standard PHP classes, you can also inject services into the constructor if you need external data to make a decision.

12. Adding Custom Policy Methods

Policies aren't limited to CRUD. You can add any method you need. For instance, if you have a workflow for publishing content, you can add a publish method to your PostPolicy and check it just like any other action.

13. Using Policies in Controllers

In your controller, you can use the authorize method. If the policy returns false, Laravel will automatically throw a 403 Forbidden exception.

public function update(Request $request, Post $post)
{
    $this->authorize('update', $post);
    // The logic continues only if authorized
}

14. Using Policies in Blade Templates

One of the best features is the Blade integration. You can easily hide UI elements like "Edit" buttons if the user doesn't have permission.

@can('update', $post)
    <a href="/post/{{ $post->id }}/edit">Edit Post</a>
@endcan

15. Protecting Routes Using Policies

You can also enforce authorization at the route level using the can middleware. This is useful for preventing the execution of any controller logic if the user fails the check.

Route::put('/post/{post}', [PostController::class, 'update'])->middleware('can:update,post');

16. Handling Authorization Failures

When an authorization check fails, Laravel throws an Illuminate\Auth\Access\AuthorizationException. By default, this is converted into a 403 HTTP response. You can customize the error message inside the policy by returning a Response object instead of a boolean.

17. Best Practices for Using Laravel Policies

  • Keep policies simple: Only handle authorization, not business logic.
  • Use the before method for super-admins who should bypass all checks.
  • Don't repeat yourself: If multiple actions share logic, create a private helper method within the policy.

18. Real World Example: Post Management Policy

Let's look at a scenario where a user can update their post, but only an admin can delete any post.

public function update(User $user, Post $post)
{
    return $user->id === $post->user_id;
}

public function delete(User $user, Post $post)
{
    return $user->role === 'admin';
}

19. Testing Laravel Policies

Testing policies is vital. You can test them in isolation by instantiating the policy class and calling its methods with different user and model scenarios to assert true or false.

public function test_user_cannot_update_others_post()
{
    $user = User::factory()->create();
    $post = Post::factory()->create();
    $policy = new PostPolicy;
    $this->assertFalse($policy->update($user, $post));
}

Summary

Laravel Policies offer a powerful, elegant, and centralized way to manage your application's authorization logic. By moving these checks into dedicated classes, you ensure your code remains DRY, readable, and highly maintainable.

Conclusion

Mastering Laravel Policies is a significant step for any intermediate developer looking to build professional, secure applications. They provide the perfect balance between flexibility and structure, allowing you to scale your permission systems without cluttering your business logic. Start moving your controller checks into Policies today to see an immediate improvement in your codebase quality.

Mogail logo

Crafting digital experiences that inspire and engage. Let's build something amazing together.

me@mogail.net
Cairo, Egypt

Quick Links

Home
About
Blog

Stay Updated

Subscribe to our newsletter for the latest updates, news, and exclusive content delivered straight to your inbox.

We respect your privacy. Unsubscribe anytime.

10,000+ subscribers

© 2026 Mogail. All rights reserved.

Privacy Policy Terms of Service