Controlling what users can or cannot do in your application is one of the most essential things you'll need to do when building real-world applications.
For example, in a todo application, you don't want a user to be able to edit or delete other users' todos.
In this article, you will learn one of the seamless ways to do this in Laravel by using policies to control what users can do by building a simple todo application.
To follow along with this tutorial, you need to have a basic understanding of Laravel and its application structure.
Create a Base Application
Run the following command to create a new Laravel application in your desired folder and move into it:
composer create-project laravel/laravel todo-app && cd todo-app
Next, run the following command to install Laravel Breeze:
php artisan breeze:install
Breeze will scaffold your new application with authentication so your users can register, log in, log out, and view their personalized dashboards.
After that, compile your application assets by running the following commands:
npm install && npm run dev
Laravel comes with the file-based SQLite database by default, so the next thing you need to do is connect your application database file to a database viewer like TablePlus or any other one you like.
After connecting your database to the viewer, run the following commands to migrate the available tables into your database:
php artisan migrate
Once that is done, run the following command to view your application in the browser:
php artisan serve
You should now see your new Laravel application at localhost:8000 looking like this:
You can now go to the register page to create a user and access the dashboard, which is the entire application at this point.
Model Setup
Models in Laravel are used to control database tables. Use the following command to create a Todo model in the App/Models folder:
php artisan make:model Todo
Next, inside the newly created file, replace the Todo class with the following code:
class Todo extends Model
{
use HasFactory;
protected $fillable = [
'title',
'description',
'completed',
'user_id'
];
public function user()
{
return $this->belongsTo(User::class);
}
}
The code above will enable users to submit a form with the $fillable properties; it also defines the relationship between a user and a Todo; in this case, a todo belongs to a user. Let's complete the relationship setup by adding the following code to the App/Models/User.php file:
public function todos()
{
return $this->hasMany(Todo::class);
}
The code above will connect the User model to the Todo model so that it can have many to-dos.
Migration Setup
Migrations in Laravel are used to specify what should be in a database table. Run the following command to create a migration inside the database/migrations folder:
composer create-project laravel/laravel todo-app && cd todo-app
Next, replace the up function in the new file with the following that will add the todo table to the database with the id, user_id, title, description, completed, and timestamp columns:
php artisan breeze:install
Next, run the following command to add the todos table to the database:
npm install && npm run dev
Policy Setup
Policies in Laravel allow you to define who can do what with a particular resource, in this case, todos.
Let's see how that works by generating a TodoPolicy inside the App/Policies folder using the following command:
php artisan migrate
Next, in the newly created TodoPolicy file, replace the TodoPolicy class with the following code:
php artisan serve
The code above specifies that a user can create a todo, but can only view, update, or delete a todo that belongs to them.
Next, let's set up the controller in the next section.
Controller Setup
Controllers in Laravel control the app's functionality for a particular resource. Run the following command to generate a TodoController inside the App/Http/Controllers:
php artisan make:model Todo
Add the following code to the top of the newly created TodoController file to import the Todo model for database operations and Gate class for authorization:
class Todo extends Model
{
use HasFactory;
protected $fillable = [
'title',
'description',
'completed',
'user_id'
];
public function user()
{
return $this->belongsTo(User::class);
}
}
Index Method
Replace the index method with the following code that fetches and returns all the logged-in users' todos:
public function todos()
{
return $this->hasMany(Todo::class);
}
The Gate::authorize method verifies that the user is logged in using the viewAny policy method you defined in the previous section.
Create Method
Replace the create method with the following code that verifies the user is signed in before returning the create todo form to the user so they can create todos:
php artisan make:migration create_todos_table
Store Method
Replace the store method with the following code that checks if the user can create a todo, validates the request, creates the todo, and redirects the user to the todo list page:
public function up(): void
{
Schema::create('todos', function (Blueprint $table) {
$table->id();
$table->foreignId('user_id')->constrained()->onDelete('cascade');
$table->string('title');
$table->text('description')->nullable();
$table->boolean('completed')->default(false);
$table->timestamps();
});
}
Edit Method
Replace the edit method with the following code that verifies the user can edit that todo before returning the edit todo form populated with the selected todo to the user so they can edit it:
php artisan migrate
Update Method
Replace the update method with the following code that checks if the user can update the todo, validates the request, updates the selected todo, and redirects the user to the todo list page:
php artisan make:policy TodoPolicy --model=Todo
Destroy Method
Replace the destroy method with the following code that checks if the user can delete the todo, deletes it, and redirects the user to the todo list page:
class TodoPolicy
{
/**
* Determine if the user can view any todos.
*/
public function viewAny(User $user): bool
{
return true;
}
/**
* Determine if the user can view the todo.
*/
public function view(User $user, Todo $todo): bool
{
return $user->id === $todo->user_id;
}
/**
* Determine if the user can create todos.
*/
public function create(User $user): bool
{
return true;
}
/**
* Determine if the user can update the todo.
*/
public function update(User $user, Todo $todo): bool
{
return $user->id === $todo->user_id;
}
/**
* Determine if the user can delete the todo.
*/
public function delete(User $user, Todo $todo): bool
{
return $user->id === $todo->user_id;
}
}
Your TodoController file should now look like this:
composer create-project laravel/laravel todo-app && cd todo-app
Views Setup
Now that your TodoController methods are all set, you can now create the views for your applications by creating a new todos folder inside the resources/views folder. After that, create create.blade.php, edit.blade.php, index.blade.php files in the new todos folder.
Index View
Paste the following code inside the index.blade.php:
php artisan breeze:install
Create View
Paste the following code inside the create.blade.php:
npm install && npm run dev
Edit View
Paste the following code inside the edit.blade.php:
php artisan migrate
Routes Setup
Handling routes for your TodoController is relatively straightforward using the resource method in Laravel. Do that by adding the following code to the end of the routes/web.php folder like so:
php artisan serve
The code above uses the auth middleware to protect the todos resource. You should now be able to visit the following routes in your application after being logged in:
- /todos: List all users' todos
- /todos/create: Shows the form for creating todos
- /todos/edit/1: Shows the form for editing a todo with the given id; 1 in this case.
You can now create, edit, and delete todos, BUT only as a logged-in user and the owner of the selected todos in the case of editing and deleting.
Conclusion
And that's it! You have just created a realistic todo application that allows users to create, view, edit, and delete ONLY their own todos. Please let me know if you have any corrections, suggestions, or questions in the comments!
Finally, remember to follow me here on Dev, LinkedIn, and Twitter. Thank you so much for reading, and I'll see you in the next one!
The above is the detailed content of Authorization: Understanding Policies in Laravel. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
PHP Variable Scope Explained
Jul 17, 2025 am 04:16 AM
Common problems and solutions for PHP variable scope include: 1. The global variable cannot be accessed within the function, and it needs to be passed in using the global keyword or parameter; 2. The static variable is declared with static, and it is only initialized once and the value is maintained between multiple calls; 3. Hyperglobal variables such as $_GET and $_POST can be used directly in any scope, but you need to pay attention to safe filtering; 4. Anonymous functions need to introduce parent scope variables through the use keyword, and when modifying external variables, you need to pass a reference. Mastering these rules can help avoid errors and improve code stability.
How to handle File Uploads securely in PHP?
Jul 08, 2025 am 02:37 AM
To safely handle PHP file uploads, you need to verify the source and type, control the file name and path, set server restrictions, and process media files twice. 1. Verify the upload source to prevent CSRF through token and detect the real MIME type through finfo_file using whitelist control; 2. Rename the file to a random string and determine the extension to store it in a non-Web directory according to the detection type; 3. PHP configuration limits the upload size and temporary directory Nginx/Apache prohibits access to the upload directory; 4. The GD library resaves the pictures to clear potential malicious data.
Commenting Out Code in PHP
Jul 18, 2025 am 04:57 AM
There are three common methods for PHP comment code: 1. Use // or # to block one line of code, and it is recommended to use //; 2. Use /.../ to wrap code blocks with multiple lines, which cannot be nested but can be crossed; 3. Combination skills comments such as using /if(){}/ to control logic blocks, or to improve efficiency with editor shortcut keys, you should pay attention to closing symbols and avoid nesting when using them.
How Do Generators Work in PHP?
Jul 11, 2025 am 03:12 AM
AgeneratorinPHPisamemory-efficientwaytoiterateoverlargedatasetsbyyieldingvaluesoneatatimeinsteadofreturningthemallatonce.1.Generatorsusetheyieldkeywordtoproducevaluesondemand,reducingmemoryusage.2.Theyareusefulforhandlingbigloops,readinglargefiles,or
Tips for Writing PHP Comments
Jul 18, 2025 am 04:51 AM
The key to writing PHP comments is to clarify the purpose and specifications. Comments should explain "why" rather than "what was done", avoiding redundancy or too simplicity. 1. Use a unified format, such as docblock (/*/) for class and method descriptions to improve readability and tool compatibility; 2. Emphasize the reasons behind the logic, such as why JS jumps need to be output manually; 3. Add an overview description before complex code, describe the process in steps, and help understand the overall idea; 4. Use TODO and FIXME rationally to mark to-do items and problems to facilitate subsequent tracking and collaboration. Good annotations can reduce communication costs and improve code maintenance efficiency.
Quick PHP Installation Tutorial
Jul 18, 2025 am 04:52 AM
ToinstallPHPquickly,useXAMPPonWindowsorHomebrewonmacOS.1.OnWindows,downloadandinstallXAMPP,selectcomponents,startApache,andplacefilesinhtdocs.2.Alternatively,manuallyinstallPHPfromphp.netandsetupaserverlikeApache.3.OnmacOS,installHomebrew,thenrun'bre
How to access a character in a string by index in PHP
Jul 12, 2025 am 03:15 AM
In PHP, you can use square brackets or curly braces to obtain string specific index characters, but square brackets are recommended; the index starts from 0, and the access outside the range returns a null value and cannot be assigned a value; mb_substr is required to handle multi-byte characters. For example: $str="hello";echo$str[0]; output h; and Chinese characters such as mb_substr($str,1,1) need to obtain the correct result; in actual applications, the length of the string should be checked before looping, dynamic strings need to be verified for validity, and multilingual projects recommend using multi-byte security functions uniformly.
Learning PHP: A Beginner's Guide
Jul 18, 2025 am 04:54 AM
TolearnPHPeffectively,startbysettingupalocalserverenvironmentusingtoolslikeXAMPPandacodeeditorlikeVSCode.1)InstallXAMPPforApache,MySQL,andPHP.2)Useacodeeditorforsyntaxsupport.3)TestyoursetupwithasimplePHPfile.Next,learnPHPbasicsincludingvariables,ech
