Demystifying Gates in Laravel

I found gates a bit confusing for quite some time. I just ignored them for the first couple of years developing Laravel applications. I was confused by the naming and wasn’t sure exactly what they were.

Let me get this out of the way:

Gates are permissions.

That should clarify a lot of the confusion. They’re simply portable logic you can check for across your app. For example, you can define a gate in a service provider. This example is from the docs:

    Gate::define('update-post', function (User $user, Post $post) {
        return $user->id === $post->user_id;
    });

Now, we can check for this in several different places in our app. For example, our controller (another example from the docs):

class PostController extends Controller
{
    public function update(Request $request, Post $post)
    {
        if (! Gate::allows('update-post', $post)) {
            abort(403);
        }

        // Update the post...
    }
}

You can also reference it in things like a blade file:

@can('update-post')
<a href="{{ route('posts.edit', ['post' => $post]) }}">Update</a>
@endcan

Use Policies Instead

Now that you get an idea of what gates are, my strong suggestion is to use policies instead.

Policies are classes with related methods around a particular model or idea. When creating a policy for a model, you can pass the --model=Post flag which will create a policy with authorization logic around each CRUD (create, read, update, delete) operation on your model.

Here’s an example of a model policy class:

class PostPolicy {

  public function view(User $user, Post $post)
  {
     // ...
  }

  public function create(User $user)
  {
     // ...
  }

  public function update(User $user, Post $post)
  {
     // ...
  }

  public function delete(User $user, Post $post)
  {
     // ...
  }
}

You don’t need to manually write various gates in your service provider. You can simply create a model policy, and Laravel provides an easy API throughout the app to use this policy.

This is an example from the docs of what a check looks like in a policy:

class PostPolicy
{
    // ...

    public function update(User $user, Post $post)
    {
        return $user->id === $post->user_id;
    }
}

Now we can easily check against this logic in places like our routes file:

Route::get('/posts/{post}/edit', [PostsController::class, 'update'])->middleware('can:update,post');

The cool part about the snippet above is ->middleware('can:update,post'); method.

In a single line of code, it creates a middleware that will automatically return an 403 if it fails the update method in our policy above.

So that’s all gates are! Permissions. Nothing scary. But these days I exclusively use Policy classes, as well as Spatie’s Laravel Permissions package.

Happy coding 🥳