Laravel的授權(quán)系統(tǒng)通過(guò)Gates和Policies提供強(qiáng)大的訪問(wèn)控制。1. Gates用于簡(jiǎn)單的操作檢查，如“創(chuàng)建管理員文章”，通過(guò)閉包定義權(quán)限并在控制器或視圖中使用Gate::allows或@can進(jìn)行驗(yàn)證；2. Policies用于基于模型的授權(quán)邏輯，如編輯或刪除特定文章，通過(guò)Artisan生成策略類(lèi)并注冊(cè)到AuthServiceProvider，然后在控制器中使用$this->authorize觸發(fā)對(duì)應(yīng)策略方法；3. Gates和Policies可結(jié)合使用，Gates處理全局權(quán)限如“管理用戶(hù)”，Policies處理模型實(shí)例權(quán)限，并自動(dòng)映射控制器方法名到策略方法；4. 默認(rèn)情況下未授權(quán)會(huì)拋出AuthorizationException，可通過(guò)重寫(xiě)異常處理器自定義響應(yīng)，如返回JSON格式錯(cuò)誤信息。該系統(tǒng)靈活且無(wú)需第三方擴(kuò)展即可滿(mǎn)足大多數(shù)應(yīng)用需求。

Laravel’s authorization system is powerful and straightforward once you get the hang of it. At its core, it gives you tools like Gates and Policies to control who can access certain actions or resources in your app. You don’t need to use third-party packages if all you want is basic or even moderately complex access control — Laravel has you covered out of the box.

Let’s break down how to use it effectively.

1. Start with Gates for Simple Checks

Gates are closure-based checks that determine whether a user can perform a specific action. They’re great for one-off checks or when the logic doesn’t tie directly to a model.

For example, checking if a user can create an admin post:

Gate::define('create-admin-post', function ($user) {
    return $user->isAdmin();
});

Then in your controller or blade view, you can check like this:

if (Gate::allows('create-admin-post')) {
    // Let them proceed
}

Or in Blade:

@can('create-admin-post')
    <button>Create Admin Post</button>
@endcan

Tip: Use gates for general permissions that don’t revolve around a specific model instance, like “delete any post” or “access dashboard”.

2. Use Policies for Model-Based Authorization

When your authorization logic is tied to a specific model — like checking if a user can edit or delete a post — policies are the way to go.

First, generate a policy using Artisan:

php artisan make:policy PostPolicy --model=Post

This creates a file in app/Policies/PostPolicy.php. Then register it in AuthServiceProvider:

protected $policies = [
    Post::class => PostPolicy::class,
];

In your policy class, define methods like update, delete, etc. For example:

public function update(User $user, Post $post)
{
    return $user->id === $post->author_id;
}

Now in your controller, you can do:

$this->authorize('update', $post);

If the user isn't allowed, Laravel will throw an AuthorizationException.

Note: If you're working with APIs or need custom responses, wrap this in a try/catch block or handle it globally via exception rendering.

3. Combine Gates and Policies for Flexibility

You don’t have to pick just one. You can mix Gates and Policies based on context.

• Use Gates for global permissions like "manage users", "view analytics".
• Use Policies when dealing with specific model instances.

Also, remember that policies automatically map controller method names (view, create, update, delete) to corresponding policy methods. That means if you call $this->authorize('update', $post) in your controller, Laravel knows to look for the update method in the policy.

4. Handle Unauthorized Access Gracefully

By default, Laravel throws an AuthorizationException when someone tries to do something they shouldn’t. But you might want to customize the response, especially for JSON APIs.

In App/Exceptions/Handler.php, you can catch this and return a 403 or custom message:

use Illuminate\Auth\Access\AuthorizationException;

public function render($request, Throwable $exception)
{
    if ($exception instanceof AuthorizationException) {
        return response()->json(['error' => 'You are not authorized to do this.'], 403);
    }

    return parent::render($request, $exception);
}

That's basically it. Laravel’s built-in authorization system is flexible enough for most apps, and combining Gates and Policies gives you fine-grained control without bloating your code. It’s not overly flashy, but it gets the job done well — as long as you understand when to use each part.

以上是如何使用Laravel的授權(quán)系統(tǒng)來(lái)控制對(duì)資源的訪問(wèn)？的詳細(xì)內(nèi)容。更多信息請(qǐng)關(guān)注PHP中文網(wǎng)其他相關(guān)文章！