LaravelHow-ToBeginner · 4 min read

How to Use Gate in Laravel for Authorization

In Laravel, Gate is used to define authorization rules that determine if a user can perform certain actions. You define gates in the AuthServiceProvider using Gate::define, then check them in your code with Gate::allows or the can helper.

📐

Syntax

Laravel gates are defined using Gate::define('ability', callback). The ability is a string name for the action, and the callback receives the user and any additional parameters to decide if the action is authorized.

To check a gate, use Gate::allows('ability', parameters) which returns true or false. You can also use the can helper in Blade or controllers.

php

use Illuminate\Support\Facades\Gate;

// Define a gate
Gate::define('update-post', function ($user, $post) {
    return $user->id === $post->user_id;
});

// Check a gate
if (Gate::allows('update-post', $post)) {
    // The user can update the post
}

💻

Example

This example shows how to define a gate to allow users to update only their own posts and how to check this gate in a controller.

php

<?php

namespace App\Providers;

use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use App\Models\Post;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();

        Gate::define('update-post', function ($user, Post $post) {
            return $user->id === $post->user_id;
        });
    }
}

// In a controller method
use Illuminate\Support\Facades\Gate;
use App\Models\Post;

public function update(Post $post)
{
    if (Gate::denies('update-post', $post)) {
        abort(403, 'Unauthorized action.');
    }

    // Proceed with update
    return 'Post updated successfully.';
}

Output

Post updated successfully.

⚠️

Common Pitfalls

Defining gates outside AuthServiceProvider can cause them not to register.
Forgetting to pass the model instance as a parameter when checking the gate leads to incorrect authorization.
Using Gate::allows instead of Gate::denies or vice versa can cause logic errors.
Not calling $this->registerPolicies() in AuthServiceProvider can prevent gates from working.

php

<?php
// Wrong: Gate defined outside AuthServiceProvider
Gate::define('delete-post', function ($user, $post) {
    return $user->id === $post->user_id;
});

// Right: Define inside AuthServiceProvider boot method
public function boot()
{
    $this->registerPolicies();

    Gate::define('delete-post', function ($user, $post) {
        return $user->id === $post->user_id;
    });
}

📊

Quick Reference

Method	Description
Gate::define('ability', callback)	Define a new gate with a name and logic
Gate::allows('ability', parameters)	Check if the user is authorized (returns true/false)
Gate::denies('ability', parameters)	Check if the user is not authorized
can('ability', parameters)	Helper to check gate in Blade or controllers
$this->authorize('ability', parameters)	Throw 403 if unauthorized in controllers

✅

Key Takeaways

Define gates inside AuthServiceProvider's boot method using Gate::define.

Use Gate::allows or the can helper to check user permissions.

Always pass necessary model instances when checking gates.

Call $this->registerPolicies() in AuthServiceProvider to enable gates.

Use Gate::denies or $this->authorize for clearer authorization logic.