This content originally appeared on DEV Community and was authored by Mohammad Kareem
Mastering Authorization in Laravel: Gates vs. Policy Classes 
In a modern web application, controlling who can access or modify resources is crucial. For instance, in a blog application, you might want to ensure that only the owner of a post can edit or delete it. Laravel offers two elegant ways to handle authorization: Gates and Policy Classes. This guide will walk you through both methods, showing you how to protect your resources and ensure your application’s security.
Gates in Laravel
Gates provide a quick and straightforward way to handle authorization using closures. They are perfect for simple authorization checks and are defined in the AuthServiceProvider.
Setting Up a Gate
Let’s define a gate to ensure that only the post owner can update or delete a post:
-
Define the Gate: Open
AuthServiceProviderand add your gate definitions:
// app/Providers/AuthServiceProvider.php use Illuminate\Support\Facades\Gate; use App\Models\Post; public function boot() { $this->registerPolicies(); Gate::define('update-post', function ($user, Post $post) { return $user->id === $post->user_id; }); Gate::define('delete-post', function ($user, Post $post) { return $user->id === $post->user_id; }); } -
Applying the Gate: Use the gate in your controller methods to enforce the authorization logic:
// app/Http/Controllers/PostController.php use Illuminate\Http\Request; use Illuminate\Support\Facades\Gate; use App\Models\Post; public function update(Request $request, Post $post) { if (Gate::denies('update-post', $post)) { abort(403, 'You do not own this post. 🚫'); } // Proceed with updating the post } public function destroy(Post $post) { if (Gate::denies('delete-post', $post)) { abort(403, 'You do not own this post. 🚫'); } // Proceed with deleting the post }
Pros and Cons of Gates
Pros:
-
Simplicity: Quick to set up with minimal code.
-
Ideal for Simplicity: Perfect for single-resource applications or straightforward scenarios.
Cons:
-
Scalability: Can become cumbersome and difficult to manage as your application grows.
-
Maintenance: May become messy if not well-organized.
Best Use Case: Small applications or simple use cases where a quick authorization check is needed. 
Policy Classes in Laravel 
Policy Classes offer a more structured and scalable approach to handling authorization. They provide a clear way to manage complex authorization rules and keep your code organized. Policies are particularly useful when working with resource controllers that include the standard CRUD operations: index, create, edit, update, and destroy.
Creating and Using a Policy
-
Generate the Policy: Create a policy class using Artisan:
php artisan make:policy PostPolicy -
Define Policy Methods: Open the generated policy class and add methods to handle authorization for each action:
// app/Policies/PostPolicy.php namespace App\Policies; use App\Models\User; use App\Models\Post; class PostPolicy { /** * Determine if the user can view the list of posts. * * @param User $user * @return bool */ public function viewAny(User $user) { // Example logic to allow viewing posts for authenticated users return true; } /** * Determine if the user can create a post. * * @param User $user * @return bool */ public function create(User $user) { return true; } /** * Determine if the user can update the post. * * @param User $user * @param Post $post * @return bool */ public function update(User $user, Post $post) { return $user->id === $post->user_id; } /** * Determine if the user can delete the post. * * @param User $user * @param Post $post * @return bool */ public function delete(User $user, Post $post) { return $user->id === $post->user_id; } } -
Using the Policy: Apply the policy methods in your controller actions:
// app/Http/Controllers/PostController.php use Illuminate\Http\Request; use App\Models\Post; public function update(Request $request, Post $post) { $this->authorize('update', $post); // Proceed with updating the post } public function destroy(Post $post) { $this->authorize('delete', $post); // Proceed with deleting the post }
Pros and Cons of Policy Classes
Pros:
-
Organization: Provides a clean and organized way to handle complex authorization logic.
-
Maintainability: Easier to manage and maintain as the application grows.
-
Framework Support: Leverages Laravel’s built-in framework support for consistent authorization.
Cons:
-
Initial Setup: Slightly more setup compared to gates.
-
Complexity: May be overkill for very simple authorization scenarios.
Best Case Scenario: Ideal for applications with complex authorization requirements or when aiming for clean, maintainable code. 
Summary
Both Gates and Policy Classes in Laravel offer powerful ways to handle authorization. Gates are excellent for quick, simple checks, while Policy Classes provide a structured approach for managing complex scenarios, especially in resource controllers with methods like index, create, edit, update, and destroy. Choose the method that best fits your application’s needs and enjoy a secure, well-organized codebase!
This content originally appeared on DEV Community and was authored by Mohammad Kareem