Laravel Access Control allows you to fully secure your application in two key areas: Policies and Queries. Manage everything in one place!
Requirements: PHP 8.2+ and Laravel 11+.
See the documentation for detailed installation and usage instructions.
First, define the perimeters that apply to your application.
Create the model control:
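    use Illuminate\Database\Eloquent\Builder;
    use Illuminate\Database\Eloquent\Model;

    class PostControl extends Control
    {
        protected function perimeters(): array
        {
            return [
                GlobalPerimeter::new()
                    // Applies when the user holds the "<method> global models" ability.
                    ->allowed(function (Model $user, string $method) {
                        return $user->can(sprintf('%s global models', $method));
                    })
                    // Policy check: every model passes.
                    ->should(function (Model $user, Model $model) {
                        return true;
                    })
                    // Query: no additional constraint.
                    ->query(function (Builder $query, Model $user) {
                        return $query;
                    }),
                ClientPerimeter::new()
                    // Applies when the user holds the "<method> client models" ability.
                    ->allowed(function (Model $user, string $method) {
                        return $user->can(sprintf('%s client models', $method));
                    })
                    // Policy check: the model must belong to the user's client.
                    ->should(function (Model $user, Model $model) {
                        return $model->client()->is($user->client);
                    })
                    // Query: restrict rows to the user's client.
                    ->query(function (Builder $query, Model $user) {
                        return $query->where('client_id', $user->client->getKey());
                    }),
                // ...
            ];
        }
    }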
Specify the control in your model:
    class Post extends Model
    {
        use HasControl;
    }
Then set up your policy:
    class PostPolicy extends ControlledPolicy
    {
        protected string $model = Post::class;
    }
And you are ready to go!
    App\Models\Post::controlled()->get(); // Apply the Control to the query
    $user->can('view', App\Models\Post::first()); // Check whether the user can view the post according to the policy
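Because the same perimeter drives both the query and the policy, a feature test can confirm that the two enforcement points agree for a user limited to the client perimeter. This is an added example, not code from the package or its documentation; it assumes `Client`, `User` and `Post` models with factories and `client_id` columns, that `controlled()` scopes the query for the authenticated user, and that query scoping is evaluated with the `view` method string.

```php
<?php

namespace Tests\Feature;

use App\Models\Client;
use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Gate;
use Tests\TestCase;

class PostControlTest extends TestCase
{
    use RefreshDatabase;

    public function test_client_perimeter_is_enforced_by_query_and_policy(): void
    {
        // Constructed fixtures: two tenants with one post each (hypothetical factories).
        $clientA = Client::factory()->create();
        $clientB = Client::factory()->create();
        $own = Post::factory()->create(['client_id' => $clientA->getKey()]);
        $foreign = Post::factory()->create(['client_id' => $clientB->getKey()]);
        $user = User::factory()->create(['client_id' => $clientA->getKey()]);

        // Grant only the ability that the ClientPerimeter allowed() callback checks.
        // 'view global models' stays undefined, so the Gate denies it.
        Gate::define('view client models', fn (User $u) => true);

        // Assumption: controlled() resolves the authenticated user.
        $this->actingAs($user);

        // Query side: only posts of the user's own client come back.
        $visible = Post::controlled()->get()->modelKeys();
        $this->assertEquals([$own->getKey()], $visible);

        // Policy side: must agree with the query for the same records.
        $this->assertTrue($user->can('view', $own));
        $this->assertFalse($user->can('view', $foreign));
    }
}
```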