[Docs] Update Gate examples for Laravel 11

spatie · May 2, 2024 · 51e3a75 · 51e3a75
1 parent da5c8bc
commit 51e3a75
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 16 deletions.
diff --git a/docs/basic-usage/super-admin.md b/docs/basic-usage/super-admin.md
@@ -11,21 +11,18 @@ Then you can implement the best-practice of primarily using permission-based con
 ## `Gate::before`
 If you want a "Super Admin" role to respond `true` to all permissions, without needing to assign all those permissions to a role, you can use [Laravel's `Gate::before()` method](https://laravel.com/docs/master/authorization#intercepting-gate-checks). For example:
 
+In Laravel 11 this would go in the `boot()` method of `AppServiceProvider`:
+In Laravel 10 and below it would go in the `boot()` method of `AuthServiceProvider.php`:
 ```php
 use Illuminate\Support\Facades\Gate;
-
-class AuthServiceProvider extends ServiceProvider
+// ...
+public function boot()
 {
-    public function boot()
-    {
-//...
-
-        // Implicitly grant "Super Admin" role all permissions
-        // This works in the app by using gate-related functions like auth()->user->can() and @can()
-        Gate::before(function ($user, $ability) {
-            return $user->hasRole('Super Admin') ? true : null;
-        });
-    }
+    // Implicitly grant "Super Admin" role all permissions
+    // This works in the app by using gate-related functions like auth()->user->can() and @can()
+    Gate::before(function ($user, $ability) {
+        return $user->hasRole('Super Admin') ? true : null;
+    });
 }
 ```
 
@@ -37,11 +34,11 @@ Jeffrey Way explains the concept of a super-admin (and a model owner, and model
 
 If you aren't using `Gate::before()` as described above, you could alternatively grant super-admin control by checking the role in individual Policy classes, using the `before()` method.
 
-Here is an example from the [Laravel Documentation on Policy Filters](https://laravel.com/docs/master/authorization#policy-filters)
+Here is an example from the [Laravel Documentation on Policy Filters](https://laravel.com/docs/master/authorization#policy-filters), where you can define `before()` in your Policy where needed:
 
 ```php
-use App\Models\User; // could be any model
- 
+use App\Models\User; // could be any Authorizable model
+
 /**
  * Perform pre-authorization checks on the model.
  */

diff --git a/docs/best-practices/using-policies.md b/docs/best-practices/using-policies.md
@@ -9,4 +9,64 @@ Using Policies allows you to simplify things by abstracting your "control" rules
 
 Jeffrey Way explains the concept simply in the [Laravel 6 Authorization Filters](https://laracasts.com/series/laravel-6-from-scratch/episodes/51) and [policies](https://laracasts.com/series/laravel-6-from-scratch/episodes/63) videos and in other related lessons in that chapter. He also mentions how to set up a super-admin, both in a model policy and globally in your application.
 
-You can find an example of implementing a model policy with this Laravel Permissions package in this demo app: [https://github.com/drbyte/spatie-permissions-demo/blob/master/app/Policies/PostPolicy.php](https://github.com/drbyte/spatie-permissions-demo/blob/master/app/Policies/PostPolicy.php)
+Here's an example of a PostPolicy which could control access to Post model records:
+```php
+<?php
+namespace App\Policies;
+
+use App\Models\Post;
+use App\Models\User;
+use Illuminate\Auth\Access\HandlesAuthorization;
+
+class PostPolicy
+{
+    use HandlesAuthorization;
+
+    public function view(?User $user, Post $post)
+    {
+        if ($post->published) {
+            return true;
+        }
+
+        // visitors cannot view unpublished items
+        if ($user === null) {
+            return false;
+        }
+
+        // admin overrides published status
+        if ($user->can('view unpublished posts')) {
+            return true;
+        }
+
+        // authors can view their own unpublished posts
+        return $user->id == $post->user_id;
+    }
+
+    public function create(User $user)
+    {
+        return ($user->can('create posts'));
+    }
+
+    public function update(User $user, Post $post)
+    {
+        if ($user->can('edit own posts')) {
+            return $user->id == $post->user_id;
+        }
+
+        if ($user->can('edit all posts')) {
+            return true;
+        }
+    }
+
+    public function delete(User $user, Post $post)
+    {
+        if ($user->can('delete own posts')) {
+            return $user->id == $post->user_id;
+        }
+
+        if ($user->can('delete any post')) {
+            return true;
+        }
+    }
+}
+```