How do you create a custom policy in Laravel


To create a custom policy in Laravel, you can follow these steps:

1. Generate the Policy Class:
Use the Laravel artisan command to generate a new policy class:


```shell
php artisan make:policy PostPolicy --model=Post
```

This will create a new `PostPolicy` class in the `app/Policies` directory. The `--model=Post` option tells Laravel to generate the basic CRUD (create, read, update, delete) policy methods for the `Post` model.

2. Define the Policy Methods:
Open the generated `PostPolicy` class and define the authorization logic for each action you want to control. For example:

```php
<?php

namespace App\Policies;

use App\Models\Post;   // App\Post on Laravel 7 and earlier
use App\Models\User;   // App\User on Laravel 7 and earlier

class PostPolicy
{
    public function view(User $user, Post $post)
    {
        // Return true if the user can view the post (here: any authenticated user)
        return true;
    }

    public function update(User $user, Post $post)
    {
        // Return true if the user can update the post: only its author.
        // Strict comparison: an id type mismatch denies rather than grants.
        return $user->id === $post->user_id;
    }

    public function delete(User $user, Post $post)
    {
        // Return true if the user can delete the post: only its author.
        return $user->id === $post->user_id;
    }
}
```

In this example, the `update` and `delete` methods check if the authenticated user's ID matches the post's user ID, granting update and delete permissions only to the post's author.

3. Register the Policy:
Next, you need to register the policy in the `AuthServiceProvider` class, which is located in the `app/Providers` directory. Add the policy mapping to the `$policies` array:

```php
<?php

namespace App\Providers;

use App\Models\Post;
use App\Policies\PostPolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    // Model-to-policy mappings for the application.
    protected $policies = [
        Post::class => PostPolicy::class,
    ];

    public function boot()
    {
        $this->registerPolicies();
    }
}
```

This tells Laravel to use the `PostPolicy` class when authorizing actions on the `Post` model.

4. Use the Policy in Your Application:
Now, you can use the policy in your controllers to authorize user actions. For example, in a `PostController`:

```php
use App\Models\Post;
use Illuminate\Http\Request;

class PostController extends Controller
{
    public function update(Request $request, Post $post)
    {
        // Throws AuthorizationException (rendered as HTTP 403) unless PostPolicy::update returns true
        $this->authorize('update', $post);

        // The user is authorized to update the post
        // Update the post and save it to the database
    }
}
```

The `authorize` method checks whether the current user may perform the `'update'` action on the given `$post` instance, using the `PostPolicy` class; if the policy returns `false`, an `AuthorizationException` is thrown and the request is rejected before any of the update logic runs.

That's the basic process for creating a custom policy in Laravel. You can repeat these steps for each model or resource you need to secure in your application.
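A feature test that proves the policy above is actually enforced, both through the policy itself and at the HTTP layer. This is an added example, not code from the original article; it assumes a Laravel 8+ application with model factories for `User` and `Post` under `App\Models`, resource routes named `posts.update` and `posts.destroy`, and a `PostController` that calls `$this->authorize()` as in step 4.

```php
<?php
// Added example (not from the original article): a feature test that verifies the
// PostPolicy ownership rule is enforced. Assumes Laravel 8+ model factories for
// User and Post under App\Models, routes named posts.update / posts.destroy, and
// a PostController that calls $this->authorize() as in step 4.
namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PostPolicyTest extends TestCase
{
    use RefreshDatabase;

    public function test_only_the_author_passes_the_policy(): void
    {
        $author = User::factory()->create();
        $other  = User::factory()->create();
        $post   = Post::factory()->create(['user_id' => $author->id]);

        // Direct policy checks via the Authorizable trait on the User model.
        $this->assertTrue($author->can('update', $post));
        $this->assertTrue($author->can('delete', $post));
        $this->assertFalse($other->can('update', $post));
        $this->assertFalse($other->can('delete', $post));
        // view() returns true unconditionally, so any user may view.
        $this->assertTrue($other->can('view', $post));
    }

    public function test_non_author_is_rejected_over_http(): void
    {
        $author = User::factory()->create();
        $other  = User::factory()->create();
        $post   = Post::factory()->create(['user_id' => $author->id]);

        // authorize() throws AuthorizationException, which Laravel renders as 403.
        $this->actingAs($other)
            ->patch(route('posts.update', $post), ['title' => 'Edited'])
            ->assertForbidden();
        $this->actingAs($other)
            ->delete(route('posts.destroy', $post))
            ->assertForbidden();

        // The ownership column is unchanged after the rejected requests.
        $this->assertDatabaseHas('posts', ['id' => $post->id, 'user_id' => $author->id]);
    }
}
```

Run it with `php artisan test --filter PostPolicyTest`; a controller action that forgets to call `authorize()` makes the second test fail, which is the regression this test is there to catch.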
