laravel-policies

Original：🇺🇸 English

Translated

Authorization policies for resource access control. Use when working with authorization, permissions, access control, or when user mentions policies, authorization, permissions, can, ability checks.

2installs

Sourceleeovery/claude-laravel

Added on2026-02-21

NPX Install

npx skill4agent add leeovery/claude-laravel laravel-policies

SKILL.md Content

View Translation Comparison →

Laravel Policies

Policies encapsulate authorization logic and delegate to permission systems.

Related guides:

routing-permissions.md - Route-level authorization
Enums - Permission enums

Structure

php

<?php

declare(strict_types=1);

namespace App\Policies;

use App\Enums\Permission;
use App\Models\Order;
use App\Models\User;

class OrderPolicy
{
    public function viewAny(User $user): bool
    {
        return $user->can(Permission::ListOrders);
    }

    public function view(User $user, Order $order): bool
    {
        return $user->can(Permission::ViewOrders)
            && $order->customer_id === $user->customer_id;
    }

    public function create(User $user): bool
    {
        return $user->can(Permission::CreateOrders);
    }

    public function update(User $user, Order $order): bool
    {
        return $user->can(Permission::UpdateOrders)
            && $order->canBeModified()
            && $order->customer_id === $user->customer_id;
    }

    public function delete(User $user, Order $order): bool
    {
        return $user->can(Permission::DeleteOrders)
            && $order->isPending();
    }

    public function cancel(User $user, Order $order): bool
    {
        return $this->update($user, $order)
            && $order->canBeCancelled();
    }
}

Permission Enum

php

<?php

declare(strict_types=1);

namespace App\Enums;

use Henzeb\Enumhancer\Concerns\Comparison;
use Henzeb\Enumhancer\Concerns\Dropdown;

enum Permission: string
{
    use Comparison, Dropdown;

    case ListOrders = 'list orders';
    case ViewOrders = 'view orders';
    case CreateOrders = 'create orders';
    case UpdateOrders = 'update orders';
    case DeleteOrders = 'delete orders';
    case CancelOrders = 'cancel orders';
}

Standard Policy Methods

Laravel conventions for policy methods:

```
viewAny()
```
- List/index
```
view()
```
- Show single resource
```
create()
```
- Create new resource
```
update()
```
- Update resource
```
delete()
```
- Delete resource
```
restore()
```
- Restore soft-deleted
```
forceDelete()
```
- Permanently delete

Custom methods for non-standard actions:

```
cancel()
```
```
approve()
```
```
ship()
```
etc.

Key Patterns

1. Delegate to Permission System

php

return $user->can(Permission::CreateOrders);

2. Ownership Checks

php

return $user->can(Permission::ViewOrders)
    && $order->customer_id === $user->customer_id;

3. State Checks

php

return $user->can(Permission::DeleteOrders)
    && $order->isPending();

4. Combine Existing Methods

php

public function cancel(User $user, Order $order): bool
{
    return $this->update($user, $order)
        && $order->canBeCancelled();
}

Usage in Routes

php

Route::get('/orders', [OrderController::class, 'index'])
    ->can('viewAny', Order::class);

Route::get('/orders/{order}', [OrderController::class, 'show'])
    ->can('view', 'order');

Route::post('/orders', [OrderController::class, 'store'])
    ->can('create', Order::class);

See routing-permissions.md for route authorization.

Summary

Policies should:

Use permission enums (not strings)
Check ownership when needed
Check state when needed
Delegate to permission system
Follow Laravel naming conventions
Stay simple and focused