Agent skill
laravel-policies
Authorization policies for resource access control. Use when working with authorization, permissions, access control, or when user mentions policies, authorization, permissions, can, ability checks.
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/devops/laravel-policies
SKILL.md
Laravel Policies
Policies encapsulate authorization logic and delegate to permission systems.
Related guides:
- routing-permissions.md - Route-level authorization
- Enums - Permission enums
Structure
php
<?php
declare(strict_types=1);
namespace App\Policies;
use App\Enums\Permission;
use App\Models\Order;
use App\Models\User;
class OrderPolicy
{
public function viewAny(User $user): bool
{
return $user->can(Permission::ListOrders);
}
public function view(User $user, Order $order): bool
{
return $user->can(Permission::ViewOrders)
&& $order->customer_id === $user->customer_id;
}
public function create(User $user): bool
{
return $user->can(Permission::CreateOrders);
}
public function update(User $user, Order $order): bool
{
return $user->can(Permission::UpdateOrders)
&& $order->canBeModified()
&& $order->customer_id === $user->customer_id;
}
public function delete(User $user, Order $order): bool
{
return $user->can(Permission::DeleteOrders)
&& $order->isPending();
}
public function cancel(User $user, Order $order): bool
{
return $this->update($user, $order)
&& $order->canBeCancelled();
}
}
Permission Enum
php
<?php
declare(strict_types=1);
namespace App\Enums;
use Henzeb\Enumhancer\Concerns\Comparison;
use Henzeb\Enumhancer\Concerns\Dropdown;
enum Permission: string
{
use Comparison, Dropdown;
case ListOrders = 'list orders';
case ViewOrders = 'view orders';
case CreateOrders = 'create orders';
case UpdateOrders = 'update orders';
case DeleteOrders = 'delete orders';
case CancelOrders = 'cancel orders';
}
Standard Policy Methods
Laravel conventions for policy methods:
viewAny()- List/indexview()- Show single resourcecreate()- Create new resourceupdate()- Update resourcedelete()- Delete resourcerestore()- Restore soft-deletedforceDelete()- Permanently delete
Custom methods for non-standard actions:
cancel()approve()ship()- etc.
Key Patterns
1. Delegate to Permission System
php
return $user->can(Permission::CreateOrders);
2. Ownership Checks
php
return $user->can(Permission::ViewOrders)
&& $order->customer_id === $user->customer_id;
3. State Checks
php
return $user->can(Permission::DeleteOrders)
&& $order->isPending();
4. Combine Existing Methods
php
public function cancel(User $user, Order $order): bool
{
return $this->update($user, $order)
&& $order->canBeCancelled();
}
Usage in Routes
php
Route::get('/orders', [OrderController::class, 'index'])
->can('viewAny', Order::class);
Route::get('/orders/{order}', [OrderController::class, 'show'])
->can('view', 'order');
Route::post('/orders', [OrderController::class, 'store'])
->can('create', Order::class);
See routing-permissions.md for route authorization.
Summary
Policies should:
- Use permission enums (not strings)
- Check ownership when needed
- Check state when needed
- Delegate to permission system
- Follow Laravel naming conventions
- Stay simple and focused
Didn't find tool you were looking for?