php 50 lines · 7 steps

How authorization policies gate updates in Laravel

A PostPolicy decides who may edit a post, and the controller defers to it before saving any changes.

Explained by highlit

Laravel Intermediate authorization policies access control separation of concerns

1<?php
2 
3namespace App\Policies;
4 
5use App\Models\Post;
6use App\Models\User;
7use Illuminate\Auth\Access\Response;
8 
9class PostPolicy
10{
11    public function update(User $user, Post $post): Response
12    {
13        if ($user->id === $post->user_id) {
14            return Response::allow();
15        }
16 
17        if ($user->isEditor() && $post->team_id === $user->team_id) {
18            return Response::allow();
19        }
20 
21        return $post->published
22            ? Response::deny('Published posts can only be edited by their author.')
23            : Response::deny('You do not own this post.');
24    }
25 
26    public function before(User $user, string $ability): ?bool
27    {
28        return $user->isAdministrator() ? true : null;
29    }
30}
31 
32namespace App\Http\Controllers;
33 
34use App\Http\Requests\UpdatePostRequest;
35use App\Models\Post;
36use Illuminate\Http\RedirectResponse;
37 
38class PostController extends Controller
39{
40    public function update(UpdatePostRequest $request, Post $post): RedirectResponse
41    {
42        $this->authorize('update', $post);
43 
44        $post->update($request->validated());
45 
46        return redirect()
47            ->route('posts.show', $post)
48            ->with('status', 'Post updated.');
49    }
50}

01 / 01

STEP 01

Walkthrough

Space play ←→ step click any line

Three takeaways

1Centralizing access rules in a policy keeps authorization logic out of your controllers.
2Returning Response::deny with a message gives users a clear reason instead of a bare 403.
3A before hook lets you grant blanket access to privileged roles without touching every method.

Related explainers

javascript

'use server'
 
import { revalidatePath } from 'next/cache'
import { redirect } from 'next/navigation'

How a Next.js Server Action updates a post

server-actions authorization validation

Intermediate 7 steps

php

<?php
 
namespace App\Support;

Locale-aware formatting with PHP's intl extension

internationalization encapsulation constructor-injection

Intermediate 7 steps

php

<?php
 
namespace App\Support;

Merging query params onto a URL in PHP

url-parsing query-strings immutability

Intermediate 8 steps

php

<?php
 
class ImageUploadService
{

Validating file uploads safely in PHP

file-upload input-validation security

Intermediate 8 steps

php

<?php
 
namespace App\View;

Building a safe HTML escaper in PHP

security xss escaping

Intermediate 6 steps

php

<?php
 
namespace App\Observers;

How Eloquent observers hook lifecycle events in Laravel

observers lifecycle-hooks queues

Intermediate 6 steps

Share this explainer

Here's the card — post it anywhere.

How authorization policies gate updates in Laravel — share card

Made with highlit — turn any snippet into a walkthrough like this in about a minute.

Explain your code