Authorization
Introduction
In addition to providing authentication services out of the box, Lumen also provides a simple way to organize authorization logic and control access to resources. There are a variety of methods and helpers to assist you in organizing your authorization logic.
In general, authorization can be used in Lumen the same way it is used in Laravel. We will cover a few differences here, but you should refer to the full Laravel documentation for additional details.
Differences From Laravel
Defining Abilities
The primary difference when using authorization in Lumen compared to Laravel is in regards to how abilities are defined. In Lumen, you may simply use the Gate
facade in your AuthServiceProvider
to define abilities:
Gate::define('update-post', function ($user, $post) {
return $user->id === $post->user_id;
});
Defining Policies
Unlike Laravel, Lumen does not have a $policies
array on its AuthServiceProvider
. However, you may still call the policy
method on the Gate
facade from within the provider's boot
method:
Gate::policy(Post::class, PostPolicy::class);
Again, to learn more about policies, you should consult the full Laravel documentation.
Checking Abilities
You may "check" abilities just as you would in the full Laravel framework. First, you may use the Gate
facade. If you choose to use the facade, be sure to enable facades in your bootstrap/app.php
file. Remember, we don't need to pass the User
instance into the allows
method since the currently authenticated user will automatically be passed to your authorization callback:
if (Gate::allows('update-post', $post)) {
//
}
if (Gate::denies('update-post', $post)) {
abort(403);
}
Of course, you may also check if a given User
instance has a given ability:
if ($request->user()->can('update-post', $post)) {
abort(403);
}
if ($request->user()->cannot('update-post', $post)) {
abort(403);
}