Hello Laravel developers! You’ve already learned about authentication in Laravel, which is where the app verifies your identity. Now, it’s time to learn about Laravel Authorization — a fancy word for
“What are you allowed to do?”
Let’s make it simple, like LEGO blocks!
What’s the Difference?
Suppose you have a school:
- Authentication is showing your student ID to enter the building.
- Authorization is checking if you’re allowed to go into the science lab or not.
But, in Laravel:
- Authentication = “Who are you?”
- Authorization = “Can you do this?”
Let’s Build a Game Room Example
You’re building a website in which users are supposed to be:
- Players
- Admin
Only admins are able to delete games. Players can only view or play.
Here the question comes: how do we make sure only admins can delete stuff?
Of course: with Laravel’s authorization tools.
Step 1: Make a Laravel Project
Start with a fresh Laravel project:
```bash
composer create-project laravel/laravel game-room
cd game-room
php artisan serve
```
Add authentication with Laravel UI (like previously):
```bash
composer require laravel/ui
php artisan ui bootstrap --auth
npm install && npm run dev
```
These commands install the Laravel UI package. For more details you can visit the laravel/ui package GitHub page. Now you have login and register pages!
Step 2: Add a Role to Users
Open your users table migration (database/migrations/…create_users_table.php) and add this:
```php
$table->string('role')->default('player');
```
Then run:
```bash
php artisan migrate
```
Now every user has a role: either player or admin.
Step 3: Test Users with Roles
In app/Models/User.php, let’s add a helper method:
```php
// Returns true only for users whose role column is 'admin'.
public function isAdmin()
{
    return $this->role === 'admin';
}
```
Now we can easily check if someone is an admin.
Step 4: Create a Gate (The Guard Dog)
Laravel has a tool called Gates. A Gate is like a guard dog, checking if a person can do something.
In app/Providers/AuthServiceProvider.php, add this in the boot() method:
```php
use Illuminate\Support\Facades\Gate;

public function boot()
{
    Gate::define('delete-game', function ($user) {
        return $user->isAdmin();
    });
}
```
Meaning: only users who are admins can delete games.
Step 5: Use the Gate in Your Code
In a controller (like GameController), you can write:
```php
use Illuminate\Support\Facades\Gate;

public function destroy(Game $game)
{
    // The server-side check: runs no matter what the user sees in the UI.
    if (!Gate::allows('delete-game')) {
        abort(403, 'Nope! You can’t do that.');
    }

    $game->delete();

    return redirect()->route('games.index')->with('message', 'Game deleted!');
}
```
Now only admins can delete games.
Step 6: Hide Buttons in the View
Someone smart could still try to trick the server, even if you hide the delete button. That’s why we include the Gate in the controller.
But it’s excellent to hide the delete button from regular users:
```blade
@can('delete-game')
    <form action="{{ route('games.destroy', $game->id) }}" method="POST">
        @csrf
        @method('DELETE')
        <button>Delete Game</button>
    </form>
@endcan
```
Laravel’s @can directive checks the gate. Isn’t it cool?
What About Policies?
For simple checks, Gates are great. But if you want to get fancy (like having many rules for a model), use Policies.
Say you want a rule like:
- Users can only edit their own games.
At first, make a policy:
```bash
php artisan make:policy GamePolicy --model=Game
```
Laravel puts it in app/Policies/GamePolicy.php.
Edit it like this:
```php
public function update(User $user, Game $game)
{
    return $user->id === $game->user_id;
}
```
Register it in AuthServiceProvider.php:
```php
protected $policies = [
    \App\Models\Game::class => \App\Policies\GamePolicy::class,
];
```
Use it in your controller:
```php
$this->authorize('update', $game);
```
This line will automatically check the rule. If the user doesn’t own the game, Laravel will say “403 Forbidden”.
Wrap Up—What Did You Learn?
- Authorization checks what a user can do
- Gates are simple rules
- Policies are for complex permissions
- Use @can in Blade to show/hide stuff
- Use $this->authorize() in controllers for safety
Your Next Building Blocks
Now that you are an authorization wizard, try this:
- Let users manage only their own profiles
- Allow moderators to edit but not delete
- Give different permissions to roles: admin, moderator, player
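Here is one way to put the Policies section and the last two items above together, as an added example that is not the original post’s code. It assumes the `role` column from Step 2 can also hold `'moderator'`, that games have a `user_id` column, and that the `isAdmin()` helper from Step 3 exists.

```php
<?php
// Added example (not from the original post): a fuller GamePolicy.
// Assumptions: users.role is 'player', 'moderator' or 'admin';
// games.user_id stores the owner; User::isAdmin() is defined as in Step 3.

namespace App\Policies;

use App\Models\Game;
use App\Models\User;

class GamePolicy
{
    // Any logged-in user may see the list of games.
    public function viewAny(User $user): bool
    {
        return true;
    }

    // Owners may edit their own games; moderators may edit any game.
    // Moderators still get no delete permission below.
    public function update(User $user, Game $game): bool
    {
        return $user->id === $game->user_id
            || $user->role === 'moderator';
    }

    // Only admins may delete. This runs on the server, so it is the real
    // guard; hiding the button with @can in Blade is only cosmetic.
    public function delete(User $user, Game $game): bool
    {
        return $user->isAdmin();
    }
}
```

With the policy registered in `$policies` as shown earlier, `destroy()` can call `$this->authorize('delete', $game)` instead of the `delete-game` Gate, and Laravel resolves `GamePolicy::delete()` from the `Game` model automatically.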