Laravel: How to verify permissions in Blade templates

Updated: January 16, 2024 By: Guest Contributor

Introduction

When building web applications, it’s critical to manage user permissions effectively to ensure that each user is allowed to view or interact with the appropriate content. Laravel, a robust PHP framework, provides various ways to handle authorization. In Blade templates, Laravel’s templating engine, you can conditionally display elements based on the user’s permissions.

This tutorial will guide you through the process of verifying permissions in Blade templates, from basic examples to advanced usage. We’ll cover the built-in directives, using policies, and some best practices that will help you manage permissions efficiently. Let’s dive in.

Understanding Authorization in Laravel

Laravel provides two primary ways of handling authorization: gates and policies. Gates are closures that determine if a user is authorized to perform a given action, and policies are classes that organize authorization logic around a particular model or resource.

Defining Gates and Policies

// Example of defining a gate in the boot() method of AuthServiceProvider
use Illuminate\Support\Facades\Gate;

Gate::define('edit-post', function ($user, $post) {
    // Only the author of the post may edit it
    return $user->id === $post->user_id;
});

// Example of the equivalent policy method in a policy class such as app/Policies/PostPolicy.php
public function update(User $user, Post $post)
{
    // Same rule, but organized around the Post model
    return $user->id === $post->user_id;
}

Basic Examples of Verifying Permissions

Let’s start with the basics of authorizing actions within Blade templates.

Using the @can Directive

<!-- Check if a user can edit a post within a Blade template -->
@can('edit-post', $post)
    <button>Edit Post</button>
@endcan

The code above will only render the ‘Edit Post’ button if the signed-in user is authorized to edit the specified post. The @can directive accepts two arguments: the ability and the related model.

Using the @cannot Directive

<!-- Opposite of @can. If a user cannot edit a post, show a message -->
@cannot('edit-post', $post)
    <p>You do not have permission to edit this post.</p>
@endcannot

The @cannot directive functions as the opposite of @can, displaying content when a user is not authorized to perform the action.

Advanced Usage of Permission Verification

Inline Policies in Blade

While each action usually gets its own method in a policy class, you can also perform the check inline in your Blade files with the same @can and @cannot directives, passing the ability name and the model the policy method expects.

Displaying Different Content Based on Permissions

<!-- Using @can and @else to show different content -->
@can('edit-post', $post)
    <button>Edit Post</button>
@else
    <p>Only the author can edit this post.</p>
@endcan

In this scenario, the user will see an ‘Edit Post’ button if they can edit the post, and a message if they cannot.

Checking Multiple Permissions

There could be cases where you need to check for multiple permissions at once. Laravel implements this quite easily.

Using @canany Directive

<!-- Check several abilities at once, then fall back to a single-ability check and a default -->
@canany(['publish-post', 'unpublish-post'], $post)
    <button>Publish/Unpublish Post</button>
@elsecan('edit-post', $post)
    <button>Edit Post</button>
@else
    <p>You cannot manage this post.</p>
@endcanany

The @canany directive renders its block if the user has any of the listed abilities; the @elsecan branch then checks a single ability, and @else covers every remaining case.
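The policy behind a @canany check like the one above, together with the server-side check that the directive alone does not give you, as an added example that is not the tutorial's own code: the ability names follow the policy method names rather than the tutorial's edit-post gate, and PostPolicy, the is_editor flag and the published column are assumptions.

```php
<?php
// Added example, not the tutorial's own code. Assumes a Post model with
// user_id and published columns, a User model with an is_editor flag, and
// Laravel's default policy discovery (App\Models\Post -> App\Policies\PostPolicy).

namespace App\Policies {
    use App\Models\Post;
    use App\Models\User;

    class PostPolicy
    {
        // Backs @can('update', $post): only the author may edit.
        public function update(User $user, Post $post): bool
        {
            return $user->id === $post->user_id;
        }

        // Backs @canany(['publish', 'unpublish'], $post): editors toggle state.
        public function publish(User $user, Post $post): bool
        {
            return $user->is_editor && ! $post->published;
        }

        public function unpublish(User $user, Post $post): bool
        {
            return $user->is_editor && $post->published;
        }
    }
}

namespace App\Http\Controllers {
    use App\Models\Post;
    use Illuminate\Http\RedirectResponse;
    use Illuminate\Support\Facades\Gate;

    class PostController extends Controller
    {
        // @canany only decides whether the button is rendered; a hand-crafted
        // request still reaches this action, so the same policy is checked here.
        // Equivalent route-level guard: ->middleware('can:publish,post').
        public function publish(Post $post): RedirectResponse
        {
            Gate::authorize('publish', $post); // 403 when the policy denies
            $post->update(['published' => true]);

            return redirect()->route('posts.show', $post);
        }
    }
}
```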

Conclusion

Authorization in Laravel Blade templates is powerful and flexible. With directives like @can, @cannot, and @canany, you can fine-tune what users can see and do within your application’s templates. By following the practices outlined in this guide, you’ll be well on your way to constructing a secure and user-friendly application.