Laravel Policies 👮(2020)

Captions
Laravel policies. To create a policy we need to run the following command: `php artisan make:policy`. Name the policy PostPolicy, and then, what are we creating this PostPolicy for, which model? We're creating the post security policy for our Post model. When we execute this command a new directory called Policies will be created in our app directory. That PostPolicy class is going to import the Post model and the User model; then it is going to automatically scaffold several abilities that a user has in reference to a post. Each of these abilities (viewAny, view, create, update, delete, restore or forceDelete) returns a boolean: is the user able to view any post, true or false? Is the user able to view this specific post, true or false? Is the user able to create a post, true or false? And that keeps going down: update, well, is the user able to update the specific post, delete the specific post, etc., etc.

Once we have our policy created we need to go to our AuthServiceProvider. The first thing we're going to do is remove the gates that we created in the previous tutorial on Laravel 6 authorization. Next we're going to go up here to this protected $policies array. We have created a policy; now we need to register our PostPolicy in our AuthServiceProvider. So we're gonna say App\Post: the security policy for App\Post is going to be App\Policies\PostPolicy, just like that. Now we have successfully created and registered our PostPolicy.

Now let's go back to our PostPolicy class and let's define some of the abilities a user is able to interact with or implement on a post. viewAny, well, let's return true, and then let's go to our resources/views/posts/index.blade.php. We're gonna say @can('viewAny'), then we're gonna pass in our $post, and then down here we're gonna say @endcan. Now if you notice, our PostPolicy doesn't actually accept a post; it accepts a user, but it doesn't accept a post. So why are we passing in a post to @can('viewAny', ...)? Well, in our AuthServiceProvider we're saying okay, the Post model class, the security policy for the Post model, is PostPolicy. Behind the scenes Laravel knows to inject the user, and when we pass in the post we're saying hey, get the security policy for the class that this object is the model from. So because a post is created from the Post model class, it knows to go to the PostPolicy and, based on the current user, say okay, return true or false, or maybe return user is super admin or something like that. But we have to pass in the post so Laravel knows to look in the PostPolicy versus a different policy that we may create.

Then of course if we were to go and reload our Laravel page, we can view any post. If we went back to our PostPolicy and we said false, what's this going to do? Well, it's going to remove all the posts; the user cannot view any posts, so it doesn't show any posts. Let's set this to true for now. And now let's say okay, in our view ability within our PostPolicy, let's return the user ID is the post's user ID, so only return true if the user owns this post, or if the post belongs to the given user. Now let's go back to our index.blade.php and let's just say view. Let's reload our page; now we only get the ten given posts owned by Arnold oh gosh.

Let's take this example a little bit further. That's how we can determine who can view a post within a Blade template, but what if we want to, I don't know, say hey, the user can always view the post, but the user is only able to delete the post if the user ID is equal to the post's user ID, meaning the user owns the post? How does this work? Well, first we need to actually define the delete ability, and we're saying okay, all right, if the user owns the post they can delete it. That makes sense. Next we need to go to our routes and we need to add a route to actually delete the given post. So we'll say posts/{post} and then we'll map that to PostController@destroy. Next we need to go to the actual PostController and implement that delete ability, or destroy ability, and all we're gonna say is $post->delete() and we should be good to go. And let's just imagine, let's do $post->delete() and then we're going to redirect them back to the posts page, return redirect... we're gonna say back to the posts. So they're gonna delete the given post and then they're going to redirect back to the posts.

Finally we need to go to our actual view and add the ability from the user interface for the user to delete the post. We're actually going to just remove this @can('view') right now, and we're gonna say okay, let's say we have our post title, and in our post title we want to add a button. And all this button is going to do is say okay, the class is going to be btn btn-danger, which makes it red; we're going to say Delete Post. But we actually need to make this a form; we need to say okay, method="POST", and we'll make that capital. Then we'll say the action is /posts/{post ID}; then we need to close the form out, move that button to the bottom, and we're gonna say type="submit", just like that. And when the user clicks that they can submit the form that deletes the post. But remember, in our routes file we actually are mapping to the destroy callback on the controller and we already have a GET method on this, so what we actually need to do is say okay, Route::delete, and that is actually going to map to PostController@destroy. Then inside of our form we need to add @method('DELETE') and then of course pass our CSRF token to prevent cross-site request forgery. Okay, so once that is all set up let's just say okay, float right to pull the form to the right. Now if we reload our page we have a delete option on all of our posts. And I'm going to do this real quick just because I like when things are even: float left, and we're just gonna put that in a div just like that, and let's reload our page. Okay, so now the user can delete any post, right? That's not really what we want.

What we really want to do is hey, if the user owns the post they can delete the given post. So what we're gonna do is @can('delete', $post), then we're gonna say @endcan, just like that. Let's reload the page. Okay, so now the user can delete the ten posts that the given user owns, but on all the posts that are owned by other people they can still see them, but they can't delete them. So let's try deleting it, what happens? Okay, looks like it worked, but let's count these just to make sure: 1 2 3 4 5 6 7 8 9. Originally there were 10, now there are only nine. We successfully deleted the post for the given user.

Now let's say for whatever reason we do want to show this Delete Post button on every single post, but we only want it to work on specific posts. So in the view, in the Blade, in the user interface you'll always see this Delete Post button, but it only works properly, it will actually only delete the post, when the user owns the post. So to get this set up let's do a couple of things. First let's go up here and let's simply say okay, count($posts); that way we can see how many posts we actually have. So currently, because we deleted one, we have 99 posts, and I'm actually gonna put parentheses around this real quick because, you know, clean code. All right, so we have 99 posts. Next we need to delete this; this will show the delete button on every single post, right? But currently if we try to delete the post right now, oh, we could delete any post. That's not what we want; we only want the user to be able to delete the given post. So to only allow the user to delete the posts that they own, first we have to make sure our policy is still set up right. We haven't changed it, so our policy still works. All we want to do is use our policy in other places than the Blade. Instead of using this @can directive we want to use it, for example, in our PostController. So let's just do this first: we can use it by accessing the authenticated user. So let's use the global auth() helper and get the authenticated user. Now we're going to say if the auth user can delete the given post, then allow them to delete the given post; otherwise don't do anything and just redirect them, right? So let's try this out. So we have 99 posts; the top nine posts are owned by Arnold oh gosh. So if we scroll down and we press this delete button... instead of 99 posts... but if we delete one of these top nine, now we have 98 posts, now we have 97 posts. And if we scroll down and we delete something that's not in the top seven, then it doesn't work. So that's using the user can; so the User model has a can function on it.

Another thing we can do is add it as a middleware, and this one's pretty cool. So we can say Route::delete and then we're gonna say middleware equals... post dot delete, or... can:delete,post, just like that. Now it properly works for the top seven, but if we scroll down we get unauthorized: the user is unauthorized to run this action, or to implement this ability on a post, and that's because we added this middleware can:delete,post. The last thing that we can do is, if we want to authorize it but we want to authorize it within the callback, within the controller, and not as middleware, we can say $this->authorize and then we can say 'delete', $post. And again if we go back to our posts, we try to scroll down and we try to delete a post, it's still unauthorized. So that's how we can set up and use policies on middleware, or as middleware, and within the controller itself.

Now if we look at policy methods, and if you remember from the previous video about gates, I said gates are a lot like routes and policies are a lot like controllers. Well, notice that each controller method actually maps to a policy method. So the controller index maps to viewAny, show is view, create is create, store is also create, edit is update, update is update, destroy is delete. So what we can actually do is this: we say okay, in our controller we're going to add a constructor, public function __construct, and we're going to say $this->authorizeResource on the Post class, and the parameter is going to be 'post'. Now what is this going to do? Well, this allows us to remove this authorize method here, and automatically, before any of our PostController methods or callbacks or actions are hit, it's going to check the associated policy. So when I say associated I mean like the index maps to viewAny and the create maps to create, store maps to create (if you can't even see the form to create it you obviously can't store it), and this is show is view, edit is edit I believe, and so on. So by setting it up in the constructor like that we are able to simply say okay, every single one of our controller methods is automatically going to check the policy. So if we go back to our page and we reload our page, okay, we're gonna get the viewAny, but check this out: if we try to scroll down, we try to delete, we still get unauthorized. So if we were to actually go to our PostPolicy and say okay, delete is now true every single time no matter what, then we go back to posts, then we can delete anything. So let's scroll down; now we can delete. So all we did was we said okay, hey, within our PostController map every single controller callback function to the associated PostPolicy. So for example if we were to go back up to the viewAny and we said false, well, our index is automatically checking that, so it's going to say unauthorized, and that is again because the index maps to the viewAny policy method. And so even though we're not authorizing in the Blade, even though we're not authorizing in the specific index method, we're saying authorize the entire resource, and that automatically maps the given controller callbacks to the policy, I guess, ability checks. We're going to say true again and we're gonna go back to our PostController and we're going to get rid of this... what else can we do... actually, now let's keep that, let's keep that. We're gonna say in our PostPolicy viewAny is still false, so just to prove that works one more time we're gonna go there, reload the page, still unauthorized.

Intercepting gate checks: remember when we did that, we overrode the checks using Gate::before and Gate::after. Well, check this out: if we scroll down, policies have the same ability. They're called policy filters, and all we need to do is, on the policy class itself, we go public function before: if the user is super admin, return true. Now remember, in the gates video we added isSuperAdmin to our User class and we're just hard coding true in. And so now in our PostPolicy, before any gate check we're saying okay, if it is the super policy, or the super admin, if the user is the super admin, return true. And it works again; we overrode both policies. So on our PostPolicy we said okay, the user can view any, we set that to false, so we overrode the viewAny policy, but also check this out: we have this delete policy, right, and we're saying that only the user that owns the post can delete the post. Well, if we go back, and because we're using that before policy filter, we can delete any post: 94, and if we scroll down and delete one, 93. So that's policy filters, and that is the before hook. And you can also change this based on the ability: if user is super admin and ability equals delete, or ability equals view, or (and there's a cleaner way to do this) ability equals viewAny, then (and we have to set that as a method) return true; otherwise don't return anything, which returns null, which basically just says bypass this, you know, just skip it and then follow the gates. So now the super admin can delete, view any post and view any specific post, but the super admin is not able to update another user's post and make it look like they said something that the given user didn't. So that is the before filter on policies.

And the last thing I want to show you guys today is that we can actually treat gates very similar to routes. So on a route we'll say okay, Route::get, and then we're gonna say example route, and then we say ExampleController@test, right? Well, on gates we can do the same thing: we can do Gate and then we're gonna say define, then we're gonna say view, and we'll call it view-post just to clean it up a little bit, and then we're gonna say App\Policies\PostPolicy@view, just like that. Then in our PostController, sorry, in our PostPolicy, we have our view method which is always true, right? We'll just keep it as true. And using that AuthServiceProvider we now have view-post; and we're gonna change that real quick, we're gonna rename that, in the AuthServiceProvider, to user-can-view-post. You know, not really a good reason to do this other than example, but just for the sake of example we'll say foreach posts as post, @can('user-can-view-post', $post), then we'll say @endcan, just like that. Now if we reload this page: this action is unauthorized. Well, that's because in our PostController we're already doing that, so let's get rid of this and reload the page. Okay, so the user can view the given post, but if we go to our PostPolicy and we set this to false, then we reload, now the user cannot see any of the posts. So that's how you can set up gates and policies more like routes and controllers.

So guys, that's all I have on Laravel 6 authorization policies. If this was useful, like and subscribe and I will keep them coming. Next we will get on to form requests, form validation, form error messages, custom form rules and authorization through a form request. Thanks again guys, this is Zak Horn with Clean Code Studio. [Music]
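As an added example, not the video's own code, here is a PostPolicy that puts together the pieces the transcript walks through: the ownership check for update and delete, and a before filter that only lets the super admin bypass viewAny, view and delete, so the filter falls through (returns null) for update. It assumes the isSuperAdmin() method on App\User that the video adds in the gates tutorial, a user_id column on posts, and that the class is registered under App\Post in the $policies array of AuthServiceProvider as shown above.

```php
<?php
// Added example, not the video's code: app/Policies/PostPolicy.php (Laravel 6).
// Assumes App\User::isSuperAdmin() exists, as in the video, and posts have a user_id column.

namespace App\Policies;

use App\Post;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class PostPolicy
{
    use HandlesAuthorization;
    // Policy filter, run before every ability check on this policy.
    // true = allow now; null = fall through to the ability method below.
    // update is deliberately not listed, so even a super admin cannot rewrite another user's post.
    public function before(User $user, string $ability): ?bool
    {
        if ($user->isSuperAdmin() && in_array($ability, ['viewAny', 'view', 'delete'], true)) {
            return true;
        }
        return null;
    }

    public function viewAny(User $user): bool
    {
        return true;
    }

    public function view(User $user, Post $post): bool
    {
        return true;
    }

    // Ownership check shared by update and delete. Cast both sides before the strict
    // comparison so a database driver that returns ids as strings cannot make it fail.
    private function owns(User $user, Post $post): bool
    {
        return (int) $user->id === (int) $post->user_id;
    }

    public function update(User $user, Post $post): bool
    {
        return $this->owns($user, $post);
    }

    public function delete(User $user, Post $post): bool
    {
        return $this->owns($user, $post);
    }
}
```

With `$this->authorizeResource(Post::class, 'post')` in the PostController constructor, index is checked against viewAny and destroy against delete, so a non-owner's DELETE request is rejected with a 403 before the controller body runs.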
Info
Channel: Clean Code Studio
Views: 11,360
Keywords: laravel policies, laravel gates and policies, laravel 6 policies, laravel authorization, laravel 6 authorization, laravel policies via model, laravel policies via controllers, laravel policies via middleware, laravel policies via resourceful controllers, laravel policy filters, laravel gates and policy callbacks, what are laravel policies, laravel gates and policies tutorial, laravel policies example
Id: i3jFziRZrkg
Length: 23min 50sec (1430 seconds)
Published: Fri Jan 31 2020