Sanctum

Beyond Authentication: Why Authorization Matters While authentication verifies a user's identity, authorization defines what they can actually do. Without a robust authorization layer, any logged-in user could potentially delete another person's data or access administrative panels. Laravel provides a clean, expressive API for handling these permissions through two primary mechanisms: **Gates** and **Policies**. Gates offer a quick, closure-based approach for simple checks, while Policies provide a structured, class-based way to organize logic around specific models. Implementing Quick Checks with Gates To start with Gates, you typically register them in the `boot` method of your `AuthServiceProvider`. Using the `Gate::define` method, you specify an ability name and a closure that returns a boolean. Laravel automatically passes the current user into this closure. ```php Gate::define('view-post', function (User $user, Post $post) { return $user->id === $post->user_id; }); ``` You can then protect your routes using methods like `allows`, `denies`, or the more streamlined `authorize`. The `authorize` method is particularly powerful because it automatically throws a 403 exception that the framework catches and turns into a clean HTTP response. Organizing Logic with Policies As your application grows, the `AuthServiceProvider` becomes cluttered. This is where **Policies** shine. By running `php artisan make:policy PostPolicy`, you create a dedicated class to house all logic related to a specific model. Laravel uses naming conventions to automatically discover these policies. If your model is `Post`, it looks for `PostPolicy` in the `app/Policies` directory. ```php public function view(User $user, Post $post) { return $user->id === $post->user_id; } ``` Handling Actions Without Models Sometimes you need to authorize actions that haven't happened yet, like creating a new post. Since there is no post instance to pass to the Gate, you pass the class name instead. This tells Laravel which policy to look up even in the absence of a specific database record. ```php // In the controller or route closure Gate::authorize('create', Post::class); ``` Customizing the Denial Experience By default, Laravel returns a generic "This action is unauthorized" message. To improve user experience, return a `Response::deny` from your policy method. This allows you to provide specific feedback, such as "You must be an administrator to perform this action," which is much more helpful for the end-user.