OH MY!
LARAVEL 5.2
GATES, AUTHSERVICEPROVIDERS AND
POLICIES
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
WHOAMI
▸ Alison Gianotto (aka “snipe”, aka @snipeyhead)
▸ One of the original members of SDPHP ;)
▸ Working with PHP for 15+ years
▸ CTO/Co-Founder of AnySha.re
▸ Founder of Grokability, Inc.
▸ Creator of Snipe-IT and other internet things
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
PROBLEMS THE AUTHSERVICEPROVIDER SOLVES
▸ Much cleaner syntax in blades (@can and @cannot)
▸ One unified place to keep authorization rules
▸ Assumes a user instance. If no user is available, the check fails closed and returns false
▸ Can handle basic authorization (“does the user own this
thing?”) or much more sophisticated rules based off your
model methods.
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
/**
 * Register the application's policies and a global "before" check.
 *
 * @param  GateContract  $gate
 */
public function boot(GateContract $gate)
{
    $this->registerPolicies($gate);

    // The before() callback is consulted ahead of every other gate or policy
    // check. Returning true grants the requested ability, whatever it is;
    // returning null leaves the decision to the normal checks.
    // NOTE(review): this makes `superadmin` an unconditional bypass of every
    // rule, so the attribute should not be settable from request input --
    // confirm it is not mass-assignable on the User model.
    $gate->before(function ($user, $ability) {
        // Loose comparison, as on the slide: it matches the string '1' as
        // well as integer 1 and boolean true.
        return $user->superadmin == '1' ? true : null;
    });
    // boot() is left open here, as on the slide; the gate definitions on the
    // following slides belong inside it.
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
SCENARIO: USER COMMUNITY WEBSITE
▸ users table
▸ communities table with user_id for creator
▸ communities_users pivot table
▸ boolean is_admin
▸ entries table with created_by for creator
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
SCENARIO: USER COMMUNITY WEBSITE: USERS
▸ Users CAN update their own posts
▸ Users CAN delete their own posts
▸ Users CANNOT update other users’ posts
▸ Users CAN see other posts in a community
▸ … (etc)
▸ Users CAN message other users if they are not blocked
▸ Users CANNOT message other users if they are blocked
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
// 'update-entry' ability: passes only for the user recorded as the entry's
// creator.
// NOTE(review): === also compares types. If created_by is hydrated as a
// string while id is an int, this check always denies -- confirm how the
// column is cast on the Entry model.
$gate->define('update-entry', function ($user, $entry) {
    $creatorId = $entry->created_by;

    return $user->id === $creatorId;
});
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/USER.PHP (USER MODEL)
/**
 * Tell whether this user belongs to the given community.
 *
 * Counts the rows on the communities() relation whose community_id equals
 * the community's id and reports whether there is at least one.
 *
 * @param  Community  $community
 * @return bool
 */
public function isMemberOfCommunity($community)
{
    $memberships = $this->communities()
        ->where('community_id', '=', $community->id)
        ->count();

    return $memberships > 0;
}
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/HTTP/ENTRIESCONTROLLER.PHP (VIA GATE FACADE)
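/**
 * Show the edit form for an entry, checking authorization through the
 * Gate facade.
 *
 * The 'update-entry' check is enforced here on the server; hiding the Edit
 * link in a view is not a substitute for it.
 *
 * @param  Request  $request
 * @param  mixed    $id  Identifier passed to Entry::find().
 * @return mixed  The edit view, or a redirect back with an error message
 *                when no entry matches $id.
 */
public function getEdit(Request $request, $id)
{
    $entry = Entry::find($id);

    // Unknown id: go back with a flash message.
    if (! $entry) {
        return redirect()->back()->with('error', 'Invalid entry.');
    }

    // Gate::denies() evaluates the ability for the current user.
    if (Gate::denies('update-entry', $entry)) {
        // You can return a 403 or whatever you want here
        abort(403);
    }

    return view('entries.edit');
}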
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/HTTP/ENTRIESCONTROLLER.PHP (VIA USER MODEL)
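/**
 * Show the edit form for an entry, checking authorization through the
 * User model.
 *
 * @param  Request  $request
 * @param  mixed    $id  Identifier passed to Entry::find().
 * @return mixed  The edit view, or a redirect back with an error message
 *                when no entry matches $id.
 */
public function getEdit(Request $request, $id)
{
    $entry = Entry::find($id);

    // Unknown id: go back with a flash message.
    if (! $entry) {
        return redirect()->back()->with('error', 'Invalid entry.');
    }

    // $request->user() is null when nobody is logged in. Treat that as a
    // denial instead of calling cannot() on null, so a guest gets the same
    // 403 as an unauthorized user.
    $user = $request->user();

    if (! $user || $user->cannot('update-entry', $entry)) {
        // You could return a 403 response here, etc.
        abort(403);
    }

    return view('entries.edit');
}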
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
RESOURCES/VIEWS/ENTRIES/VIEW.BLADE.PHP
{{-- Shows the Edit link only to users who pass the 'update-entry' check.
     This only hides the link: the edit route still has to enforce the same
     check on the server. --}}
@can('update-entry', $entry)
    <a href="{{ route('entry.edit.form', $entry->id) }}">Edit</a>
@endcan
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/HTTP/ENTRIESCONTROLLER.PHP (VIA FORM REQUEST)
/**
 * Decide whether the current user may make this request.
 *
 * Loads the entry named by the "entry" route parameter with findOrFail()
 * and asks the Gate for the 'update' ability on it.
 *
 * NOTE(review): the ability checked here is 'update', not the
 * 'update-entry' gate shown on the earlier slides. It presumably resolves
 * through a policy registered for Entry; without one the Gate has nothing
 * to call and denies -- confirm the policy mapping exists.
 *
 * @return bool
 */
public function authorize()
{
    return Gate::allows('update', Entry::findOrFail($this->route('entry')));
}
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
SCENARIO: USER COMMUNITY WEBSITE: COMMUNITY ADMINS
▸ Community admins CAN edit their own community
settings
▸ … (etc)
▸ Community admins CAN update user posts
▸ Community admins CAN add/remove users from
community
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/USER.PHP (USER MODEL)
/**
 * Tell whether this user is an admin of the given community.
 *
 * Counts the rows on the communities() relation that match the community's
 * id and have is_admin set to '1', and reports whether there is at least
 * one.
 *
 * @param  object  $community
 * @return bool
 */
public function isAdminOfCommunity($community)
{
    $adminMemberships = $this->communities()
        ->where('community_id', '=', $community->id)
        ->where('is_admin', '=', '1')
        ->count();

    return $adminMemberships > 0;
}
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
// 'join-community': allowed only while the user is not yet a member.
// For an existing member the closure returns null, which the Gate treats
// as a denial.
$gate->define('join-community', function ($user, $community) {
    return $user->isMemberOfCommunity($community) ? null : true;
});

// 'update-community': allowed only for an admin of the community.
// For anyone else the closure returns null, which the Gate treats as a
// denial.
$gate->define('update-community', function ($user, $community) {
    return $user->isAdminOfCommunity($community) ? true : null;
});
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
THIS COULD GET OUT OF HAND QUICKLY.
ENTER POLICIES.
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
CREATING A POLICY
>	php	artisan	make:policy	EntryPolicy	
Policy	created	successfully.	
>	php	artisan	make:policy	CommunityPolicy	
Policy	created	successfully.
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/POLICIES/ENTRYPOLICY.PHP
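<?php

namespace App\Policies;

use App\Entry;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

/**
 * Authorization rules for Entry models.
 */
class EntryPolicy
{
    use HandlesAuthorization;

    /**
     * Only the user recorded as the entry's creator may update it.
     *
     * NOTE(review): === also compares types. If created_by is hydrated as a
     * string while id is an int, this always denies -- confirm how the
     * column is cast on the Entry model.
     *
     * @param  User   $user
     * @param  Entry  $entry
     * @return bool
     */
    public function update(User $user, Entry $entry)
    {
        return $user->id === $entry->created_by;
    }

    /**
     * Placeholder on the slide: no rule is implemented, so the method
     * returns null and the policy does not grant 'delete' to anyone.
     *
     * @param  User   $user
     * @param  Entry  $entry
     */
    public function delete(User $user, Entry $entry)
    {
        // etc
    }
}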
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/POLICIES/COMMUNITYPOLICY.PHP
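<?php

namespace App\Policies;

use App\Community;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

/**
 * Authorization rules for Community models.
 */
class CommunityPolicy
{
    use HandlesAuthorization;

    /**
     * Allow the update when the user's id equals the community's created_by.
     *
     * NOTE(review): the scenario slide describes the communities table as
     * storing its creator in user_id, and says community admins can edit
     * community settings. If created_by does not exist on the model it reads
     * as null and this check always denies -- confirm the column name and
     * whether isAdminOfCommunity() should be consulted here.
     *
     * @param  User       $user
     * @param  Community  $community
     * @return bool
     */
    public function update(User $user, Community $community)
    {
        return $user->id === $community->created_by;
    }

    /**
     * Placeholder on the slide: no rule is implemented, so the method
     * returns null and the policy does not grant 'delete' to anyone.
     *
     * @param  User       $user
     * @param  Community  $community
     */
    public function delete(User $user, Community $community)
    {
        // etc
    }
}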
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
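<?php

namespace App\Providers;

use App\Community;
use App\Entry;
use App\Policies\CommunityPolicy;
use App\Policies\EntryPolicy;
use Illuminate\Contracts\Auth\Access\Gate as GateContract;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    /**
     * Model => policy map consumed by registerPolicies().
     *
     * The model classes must be imported: without the imports above,
     * Entry::class and Community::class would resolve inside App\Providers,
     * the map would never match the real models, and every policy-backed
     * check on them would be denied.
     *
     * @var array
     */
    protected $policies = [
        Entry::class => EntryPolicy::class,
        Community::class => CommunityPolicy::class,
    ];

    /**
     * Register any application authentication / authorization services.
     *
     * @param  \Illuminate\Contracts\Auth\Access\Gate  $gate
     * @return void
     */
    public function boot(GateContract $gate)
    {
        $this->registerPolicies($gate);
    }
}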
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
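<?php

namespace App\Providers;

use App\Community;
use App\Entry;
use App\Policies\CommunityPolicy;
use App\Policies\EntryPolicy;
use Illuminate\Contracts\Auth\Access\Gate as GateContract;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    /**
     * Model => policy map consumed by registerPolicies().
     *
     * The model classes must be imported: without the imports above,
     * Entry::class and Community::class would resolve inside App\Providers,
     * the map would never match the real models, and every policy-backed
     * check on them would be denied.
     *
     * @var array
     */
    protected $policies = [
        Entry::class => EntryPolicy::class,
        Community::class => CommunityPolicy::class,
    ];

    /**
     * Register any application authentication / authorization services.
     *
     * @param  \Illuminate\Contracts\Auth\Access\Gate  $gate
     * @return void
     */
    public function boot(GateContract $gate)
    {
        $this->registerPolicies($gate);
    }
}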
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
CHECKING POLICIES
▸ Via Gate facade







▸ Via User Model



// Via the Gate facade: the 'update' ability is checked for the current user.
if (Gate::denies('update', $entry)) {
    // handle the denial here
}

// Via the User model: the 'update' ability is checked for this $user.
if ($user->can('update', $entry)) {
    // the action is permitted here
}
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
CHECKING POLICIES
▸ Via Blade shortcut:





▸ Via Policy Helper:

{{-- Content placed between the directives renders only when the current
     user passes the 'update' check for $entry. --}}
@can('update', $entry)
@endcan
// Calls update() directly on the policy object returned by policy($entry).
// NOTE(review): a direct call like this does not go through the Gate, so
// before() callbacks (such as a superadmin bypass) are presumably not
// applied -- confirm that is the intent wherever this form is used.
if (policy($entry)->update($user, $entry)) {
    // the action is permitted here
}
LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES
CONCLUSION: THE AUTHSERVICEPROVIDER + POLICIES LETS YOU
▸ Use existing model methods to determine authorization
▸ Group related authorization rules together for
maintainability
▸ Use nifty shortcuts in your blades

THANK YOU!
@SNIPEYHEAD

Laravel 5.2 Gates, AuthServiceProvider and Policies Explained

  • 1. OH MY! LARAVEL 5.2 GATES, AUTHSERVICEPROVIDERS AND POLICIES
  • 2. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES WHOAMI ▸ Alison Gianotto (aka “snipe”, aka @snipeyhead) ▸ One of the original members of SDPHP ;) ▸ Working with PHP for 15+ years ▸ CTO/Co-Founder of AnySha.re ▸ Founder of Grokability, Inc. ▸ Creator of Snipe-IT and other internet things
  • 3. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES PROBLEMS THE AUTHSERVICEPROVIDER SOLVES ▸ Much cleaner syntax in blades (@can and @cannot) ▸ One unified place to keep authorization rules ▸ Assumes a user instance. If no user available, it fails to false ▸ Can handle basic authorization (“does the user own this thing?”) or much more sophisticated rules based off your model methods.
  • 4. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
    /**
     * Registers the policy map and installs a global "before" hook on the gate.
     * (Slide excerpt: the method body is not closed on this slide.)
     */
    public function boot(GateContract $gate)
    {
        $this->registerPolicies($gate);

        // --------------------------------
        // BEFORE ANYTHING ELSE
        // --------------------------------
        // A true result here approves the ability before any other rule is consulted,
        // so the superadmin flag is a blanket bypass of every gate and policy.
        // A null result (everyone else) lets the normal check decide.
        $gate->before(function ($user, $ability) {
            // Loose comparison kept from the slide: it matches '1', 1 and true.
            $isSuperadmin = ($user->superadmin == '1');

            return $isSuperadmin ? true : null;
        });
  • 5. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES SCENARIO: USER COMMUNITY WEBSITE ▸ users table ▸ communities table with user_id for creator ▸ communities_users pivot table ▸ boolean is_admin ▸ entries table with created_by for creator
  • 6. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES SCENARIO: USER COMMUNITY WEBSITE: USERS ▸ Users CAN update their own posts ▸ Users CAN delete their own posts ▸ Users CANNOT update other users’ posts ▸ Uses CAN see other posts in a community ▸ … (etc) ▸ Users CAN message other users if they are not blocked ▸ Users CANNOT messages other users if they are blocked
  • 7. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
    // Check if the user can update an entry: only the user recorded in
    // entries.created_by passes.
    $gate->define('update-entry', function ($user, $entry) {
        // Strict comparison: both values must have the same type as well as the
        // same value, otherwise the check fails closed (denied).
        $isCreator = ($user->id === $entry->created_by);

        return $isCreator;
    });
  • 8. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/USER.PHP (USER MODEL)
    /**
     * Tells whether this user belongs to the given community.
     *
     * Counts the rows of the communities() relation whose community_id
     * equals the community's id.
     *
     * @param  Community  $community
     * @return boolean
     */
    public function isMemberOfCommunity($community)
    {
        $membershipRows = $this->communities()
            ->where('community_id', '=', $community->id)
            ->count();

        return $membershipRows > 0;
    }
  • 9. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/HTTP/ENTRIESCONTROLLER.PHP (VIA GATE FACADE)
    /**
     * Shows the edit form for an entry after checking the 'update-entry'
     * ability through the Gate facade.
     *
     * A missing entry redirects back with an error, while a forbidden one
     * aborts with 403, so the two cases are distinguishable to the caller.
     */
    public function getEdit(Request $request, $id)
    {
        $entry = Entry::find($id);

        if (! $entry) {
            return redirect()->back()->with('error', 'Invalid entry.');
        }

        if (Gate::denies('update-entry', $entry)) {
            // You can return a 403 or whatever you want here
            abort(403);
        }

        return view('entries.edit');
    }
  • 10. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/HTTP/ENTRIESCONTROLLER.PHP (VIA USER MODEL)
    /**
     * Shows the edit form for an entry after checking the 'update-entry'
     * ability on the requesting user.
     *
     * NOTE(review): $request->user() is dereferenced without a null check, so
     * this presumably runs behind auth middleware. Confirm in the routes.
     */
    public function getEdit(Request $request, $id)
    {
        $entry = Entry::find($id);

        if (! $entry) {
            return redirect()->back()->with('error', 'Invalid entry.');
        }

        $currentUser = $request->user();

        if ($currentUser->cannot('update-entry', $entry)) {
            // You could return a 403 response here, etc.
            abort(403);
        }

        return view('entries.edit');
    }
  • 11. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES RESOURCES/VIEWS/ENTRIES/VIEW.BLADE.PHP
    {{-- Renders the Edit link only for users who pass the 'update-entry' ability.
         This hides the link only; the edit route must still check the same ability
         on the server, as the controller slides do. --}}
    @can('update-entry', $entry)
        <a href="{{ route('entry.edit.form', $entry->id) }}">Edit</a>
    @endcan
  • 12. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/HTTP/ENTRIESCONTROLLER.PHP (VIA FORM REQUEST)
    /**
     * Decides whether the current user may make this request.
     *
     * Loads the entry named by the 'entry' route parameter (findOrFail throws
     * when it does not exist) and asks the gate for the 'update' ability on it.
     *
     * @return bool
     */
    public function authorize()
    {
        $entry = Entry::findOrFail($this->route('entry'));

        return Gate::allows('update', $entry);
    }
  • 13. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES SCENARIO: USER COMMUNITY WEBSITE: COMMUNITY ADMINS ▸ Community admins CAN edit their own community settings ▸ … (etc) ▸ Community admins CAN update user posts ▸ Community admins CAN add/remove users from community
  • 14. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/USER.PHP (USER MODEL)
    /**
     * Tells whether this user is an admin of the given community.
     *
     * Counts the rows of the communities() relation that match the community's
     * id and have is_admin set to '1'.
     *
     * @param  object  $community
     * @return boolean
     */
    public function isAdminOfCommunity($community)
    {
        $adminRows = $this->communities()
            ->where('community_id', '=', $community->id)
            ->where('is_admin', '=', '1')
            ->count();

        return $adminRows > 0;
    }
  • 15. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
    // Check if the user can join a community
    // (they are not already a member)
    $gate->define('join-community', function ($user, $community) {
        $alreadyMember = $user->isMemberOfCommunity($community);

        // Existing members get null (not false), the same as the slide's fall-through.
        return $alreadyMember ? null : true;
    });

    // Check if the user can update the community settings
    // (they are an admin)
    $gate->define('update-community', function ($user, $community) {
        // Non-admins get null, i.e. no explicit allow.
        return $user->isAdminOfCommunity($community) ? true : null;
    });
  • 16. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES THIS COULD GET OUT OF HAND QUICKLY. ENTER POLICIES.
  • 17. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES CREATING A POLICY > php artisan make:policy EntryPolicy Policy created successfully. > php artisan make:policy CommunityPolicy Policy created successfully.
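  • 18. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/POLICIES/ENTRYPOLICY.PHP
    <?php

    namespace App\Policies;

    use App\User;
    use App\Entry;
    use Illuminate\Auth\Access\HandlesAuthorization;

    /**
     * Authorization rules for Entry models.
     *
     * The namespace separators were lost in the slide transcript and are
     * restored here.
     */
    class EntryPolicy
    {
        use HandlesAuthorization;

        /**
         * Only the user who created the entry may update it.
         *
         * The comparison is strict, so a type mismatch between the two ids
         * (for example int vs. string) denies the update.
         *
         * @return bool
         */
        public function update(User $user, Entry $entry)
        {
            return $user->id === $entry->created_by;
        }

        /**
         * Placeholder on the slide. With an empty body the method returns
         * null, which is not an allow.
         */
        public function delete(User $user, Entry $entry)
        {
            // etc
        }
    }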
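  • 19. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/POLICIES/COMMUNITYPOLICY.PHP
    <?php

    namespace App\Policies;

    use App\User;
    use App\Community;
    use Illuminate\Auth\Access\HandlesAuthorization;

    /**
     * Authorization rules for Community models.
     *
     * The namespace separators were lost in the slide transcript and are
     * restored here.
     */
    class CommunityPolicy
    {
        use HandlesAuthorization;

        /**
         * Only the user who created the community may update it.
         *
         * The scenario slide puts the creator in communities.user_id
         * (created_by belongs to the entries table). Comparing against a
         * column the model does not have would deny every update.
         *
         * NOTE(review): the scenario also lets community admins edit settings.
         * This rule covers the creator only, unlike the 'update-community' gate.
         *
         * @return bool
         */
        public function update(User $user, Community $community)
        {
            return $user->id === $community->user_id;
        }

        /**
         * Placeholder on the slide. With an empty body the method returns
         * null, which is not an allow.
         */
        public function delete(User $user, Community $community)
        {
            // etc
        }
    }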
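  • 20. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
    <?php

    namespace App\Providers;

    // The models must be imported: without these two lines Entry::class and
    // Community::class resolve inside App\Providers, and the policy map below
    // never matches the real models.
    use App\Community;
    use App\Entry;
    use App\Policies\EntryPolicy;
    use App\Policies\CommunityPolicy;
    use Illuminate\Contracts\Auth\Access\Gate as GateContract;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        // Model class => policy class that holds its authorization rules.
        protected $policies = [
            Entry::class => EntryPolicy::class,
            Community::class => CommunityPolicy::class,
        ];

        /**
         * Register any application authentication / authorization services.
         *
         * @param  \Illuminate\Contracts\Auth\Access\Gate  $gate
         * @return void
         */
        public function boot(GateContract $gate)
        {
            // Registers every entry of $policies with the gate.
            $this->registerPolicies($gate);
        }
    }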
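  • 21. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES APP/PROVIDERS/AUTHSERVICEPROVIDER.PHP
    <?php

    namespace App\Providers;

    // The models must be imported: without these two lines Entry::class and
    // Community::class resolve inside App\Providers, and the policy map below
    // never matches the real models.
    use App\Community;
    use App\Entry;
    use App\Policies\EntryPolicy;
    use App\Policies\CommunityPolicy;
    use Illuminate\Contracts\Auth\Access\Gate as GateContract;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        // Model class => policy class that holds its authorization rules.
        protected $policies = [
            Entry::class => EntryPolicy::class,
            Community::class => CommunityPolicy::class,
        ];

        /**
         * Register any application authentication / authorization services.
         *
         * @param  \Illuminate\Contracts\Auth\Access\Gate  $gate
         * @return void
         */
        public function boot(GateContract $gate)
        {
            // Registers every entry of $policies with the gate.
            $this->registerPolicies($gate);
        }
    }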
  • 22. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES CHECKING POLICIES
    ▸ Via Gate facade
        if (Gate::denies('update', $entry)) {
            //
        }
    ▸ Via User Model
        if ($user->can('update', $entry)) {
            //
        }
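  • 23. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES CHECKING POLICIES
    ▸ Via Blade shortcut:
        @can('update', $entry)
        @endcan
    ▸ Via Policy Helper:
        if (policy($entry)->update($user, $entry)) {
            //
        }
      (The policy helper calls the policy method directly, so the gate's before callback, such as the superadmin override shown earlier, is not applied to this check.)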
  • 24. LARAVEL 5.2 GATES, AUTHSERVICEPROVIDER AND POLICIES CONCLUSION: THE AUTHSERVICEPROVIDER + POLICIES LETS YOU ▸ Use existing model methods to determine authorization ▸ Group related authorization rules together for maintainability ▸ Use nifty shortcuts in your blades