Puankare

Laravel Policy implementation

I am new to Laravel and am struggling to implement a simple Policy :)

Just for testing I did ->

/app/Policies/ReleasePolicy.php:

<?php

namespace App\Policies;

use App\Models\Release;
use App\Models\User;
use Illuminate\Auth\Access\Response;

class ReleasePolicy
{
    public function edit(): bool
    {
        return false;
    }
}

routes/web.php:

<?php

use App\Models\Release;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\ReleaseController;

Route::middleware('auth')->group(function () {
  Route::get('/admin', function () {
    return view('pages.admin');
  })->middleware('can:is-admin')->name('admin');
});


Route::resource('/release', ReleaseController::class);

app/http/controllers/ReleaseController.php:

<?php

namespace App\Http\Controllers;

use App\Models\Release;
use Illuminate\Http\Request;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Response;
use Illuminate\View\View;
use App\Http\Requests\ReleaseStoreRequest;
use App\Http\Requests\ReleaseUpdateRequest;

class ReleaseController extends Controller
{
    /**
     * Show the form for editing the specified resource.
     */
    public function edit(Release $release): View
    {
        return view('pages.release.edit', compact('release'));
    }
}

When I go to http://localhost:8000/release/56/edit, it still opens; I expected a 403. What am I doing wrong?

I assume the policy is not registered, but why not? The laravel/docs says:

By default, Laravel automatically discover policies as long as the model and policy follow standard Laravel naming conventions. Specifically, the policies must be in a Policies directory at or above the directory that contains your models.

And that's exactly what I did but I think the policy is still not discovered...

valentin_vranic

@puankare I had the same sort of issue; I ended up using the ->can() middleware. I'm using Livewire v3.5.

Have something like this:

Route::get('/call-reiteration', CallReiteration::class)->can('view', CallReiteration::class);

class CallReiterationPolicy
{
    public function update(?User $user, CallReiterationPools $callReiterationPool): Response
    {
        return $user?->client_id === $callReiterationPool->client_id
            ? Response::allow()
            : Response::deny();
    }

    public function view(): bool
    {
        return !(auth()->user()->isSalesLogin());
    }
}

and within Class, where it is needed, use

$this->authorize like $this->authorize('update', $callReiterationPool); or for view $this->authorize('view', $this);

Generate policies with this command, where you can specify the model, and based on it, Laravel will generate the policy methods:

php artisan make:policy PostPolicy --model=Post
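
An added example, not part of either post above: a discovered policy is only consulted when something runs an authorization check, so this sketch calls the Gate explicitly in the question's controller action and adds a feature test that pins the expected 403. It assumes the question's ReleasePolicy is left unchanged, that App\Models\Release has a model factory (an assumption, not shown in the thread), and the test class name is hypothetical.

```php
<?php
// Added example; in a real app the two sections below are separate files.

// --- app/Http/Controllers/ReleaseController.php ---
namespace App\Http\Controllers;

use App\Models\Release;
use Illuminate\Support\Facades\Gate;
use Illuminate\View\View;

class ReleaseController extends Controller
{
    public function edit(Release $release): View
    {
        // Resolves the policy registered or discovered for Release and calls
        // its edit() method. On denial an AuthorizationException is thrown,
        // which Laravel renders as HTTP 403 before the view is built.
        Gate::authorize('edit', $release);

        return view('pages.release.edit', compact('release'));
    }
}

// --- tests/Feature/ReleasePolicyTest.php (hypothetical file name) ---
namespace Tests\Feature;

use App\Models\Release;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class ReleasePolicyTest extends TestCase
{
    use RefreshDatabase;

    public function test_edit_returns_403_while_policy_denies(): void
    {
        // Assumption: Release uses HasFactory and a ReleaseFactory exists.
        $release = Release::factory()->create();

        // The policy in the question returns false for every user, so an
        // authenticated request to the edit page must be rejected.
        $this->actingAs(User::factory()->create())
            ->get("/release/{$release->id}/edit")
            ->assertForbidden();
    }
}
```

Run the test with php artisan test; it fails against the controller as posted in the question and passes once the Gate call is in place.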
