How does authorization with policies and gates work?

Question

Accepted Answer

Laravel's **authorization** system controls **what an authenticated user is allowed to do** (distinct from authentication — *who* they are). **Gates** are simple closures for permissions; **Policies** are classes that organize authorization logic around a specific model (e.g. who can update a Post). ## Gates — simple, closure-based permissions ```php // define a gate (e.g. in a service provider) Gate::define('edit-settings', fn($user) => $user->isAdmin()); // check it if (Gate::allows('edit-settings')) { ... } Gate::authorize('edit-settings'); // throws a 403 if denied ``` Gates are good for simple, standalone permissions not tied to a specific model. ## Policies — model-focused authorization (the common case) ```php id === $post->user_id; // only the author can update } public function delete(User $user, Post $post): bool { return $user->id === $post->user_id || $user->isAdmin(); } } ``` A **Policy** class groups the authorization rules for a model — each method answers "can this user perform this action on this model?" This keeps authorization logic organized per resource. ## Using policies ```php // in a controller public function update(Request $request, Post $post) { $this->authorize('update', $post); // checks PostPolicy::update — throws 403 if denied // ... proceed (we know the user is authorized) } // the user model if ($request->user()->can('update', $post)) { ... } ``` ```blade {{-- in Blade — show UI only if authorized --}} @can('update', $post) Edit @endcan ``` The `authorize()`/`can()` methods (and `@can` in Blade) check the policy automatically — throwing a 403 or hiding UI when the user isn't permitted. ## Why it matters Authorization is essential and **security-critical** — controlling what authenticated users are allowed to do (not just whether they're logged in) is fundamental to application security, and Laravel's policies and gates provide a clean, organized way to handle it. Understanding the distinction between **authentication** (who you are — login) and **authorization** (what you can do — permissions) is foundational, and authorization failures lead to serious vulnerabilities (users accessing or modifying data they shouldn't — broken access control is a top security risk). Laravel's system offers two complementary tools: **Gates** for simple, standalone permissions (closure-based checks), and **Policies** — the common, recommended approach — which organize a model's authorization rules into a dedicated class (e.g. who can update or delete a Post), keeping authorization logic structured and maintainable per resource. Understanding how to define policies/gates and enforce them (`$this->authorize()`, `$user->can()`, `@can` in Blade — checking permissions in controllers, throwing 403s, and conditionally showing UI) is important for building secure applications where users can only perform permitted actions. Since nearly every real application needs fine-grained access control (ensuring users can only modify their own resources, restricting admin actions, etc.), and since getting authorization wrong creates dangerous security holes, knowing Laravel's policies and gates — the proper, organized way to implement authorization — is important security-relevant senior knowledge that's essential for building applications that correctly enforce who can do what, a frequent and critical requirement in real systems.