Authorization in laravel (API) using Gate

Authorization in laravel (API) using Gate

When you are dealing with API, maybe you want to make some type of authorization kind of permit a specific user to change or add something, For example, on Facebook, only account owners can delete or update their posts. so now we'll talk about this in Laravel.

Laravel provides a class that we can use in our action functions to allow a specific user to add - update or make anything relative to him. but before using this class we must define it in "app/providers/AuthServiceProvider.php".

Now we must define it in the boot function:

<?php

namespace App\Providers;

// use Illuminate\Support\Facades\Gate;

use App\Models\Event;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    /**
     * The model to policy mappings for the application.
     *
     * @var array<class-string, class-string>
     */
    protected $policies = [
        //
    ];

    /**
     * Register any authentication / authorization services.
     */
    public function boot(): void
    {
        Gate::define('any-name',function($user,Event $event){
            return $user->id === $event->user_id;
        });
    }
}

At first, We import Gate class using use Illuminate\Support\Facades\Gate, The Gate class has a "define" method that is used to define the gate (permission) It takes 2 arguments, the first is the Gate name and the second is a callback function that we must pass the $user variable and the model where we want to use this Gate. Laravel will know that $user is the currently logged-in user and if it is the same with the $event->user_id (get the id user for the event), it will move to the next step.

Now after defining the Gate, how to use it?

In any action you want , you can use this Gate class like this

/* But make sure the user needs to logged in !! so user can update any 
thing if it is not logged in before */

 public function update(Request $request, Event $event)
    {

        // if(Gate::denies('update-event',$event)){
        //   abort(403,'You are Not authorized to update this event');
        // }
        $this->authorize('update-event',$event);
        $event->update([
            ...$request->validate([
                'name' => 'sometimes|string|max:255',
                'description' => 'nullable|string',
                'start_time' => 'date|sometimes',
                'end_time' => 'date|sometimes|after:start_time'
            ]),
        ]);

        return new EventResource($this->loadRelationships($event));
    }

Now you can check if the logged-in user has permission to update something using the denies method provided by the gate class and abort the update action with your message.

denies method takes the defined Gate name before and the model itself. You can use the helper function that exists by default if you don't want to write a specific message, It will do the same and returns "This action is unauthorized." message.

   $this->authorize('update-event',$event);