Laravel policies for authorization

Carlos Mendez Jan 2026
3 tabs
<?php

namespace App\Policies;

use App\Models\Post;
use App\Models\User;
use Illuminate\Auth\Access\Response;

class PostPolicy
{
    public function before(User $user, string $ability): ?bool
    {
        if ($user->isAdmin()) {
            return true; // Admins can do anything
        }

        return null; // Continue to policy methods
    }

    public function viewAny(User $user): bool
    {
        return true;
    }

    public function view(?User $user, Post $post): bool
    {
        // Anyone can view published posts
        if ($post->isPublished()) {
            return true;
        }

        // Only author can view drafts
        return $user && $user->id === $post->user_id;
    }

    public function create(User $user): bool
    {
        return $user->hasVerifiedEmail();
    }

    public function update(User $user, Post $post): Response
    {
        return $user->id === $post->user_id
            ? Response::allow()
            : Response::deny('You do not own this post.');
    }

    public function delete(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }

    public function restore(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }
}
3 files · php Explain with highlit

Policies organize authorization logic around models, keeping permission checks clean and reusable. Each policy method corresponds to an action—view, create, update, delete. I call policies via the Gate facade or authorize() helper in controllers. The before() method grants admin users universal access. Policies integrate with form requests via the authorize() method. For actions not tied to models, I use gates. The @can Blade directive conditionally shows UI elements based on authorization. Policy methods receive the authenticated user and optionally the model instance. Resource policies provide CRUD methods automatically. This pattern centralizes permission logic, making it easy to audit and modify access control.