Developing an app with Laravel I realised that what can be done with Policy can exactly be done with Middleware. Say I want to prevent a user from upda

I have asked myself the same question. In practice, I predominantly use middleware. My most common usage is when authorisation is only allowed for a specific user, for instance:
    // Allow the update only when the authenticated user is the model being edited.
    public function update(User $user, User $model)
    {
        return $user->id === $model->id;
    }
Though, even in the instance above, yes, one could do without it and write their own logic in the controller to do the same thing.
I also like the before method, which I use to allow the administrator full privileges for a model, for example:
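    public function before($user, $ability)
    {
        // Administrators pass every check on this policy.
        if ($user->admin === 1) {
            return true;
        }
        // No return (null) lets the check fall through to the ability method.
    }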
The main reason, though, why I have started to use Policies on some Laravel projects is because of what you can do with Blade. If you find yourself setting permissions numerous times for the same user authorisation in your Blade files, for example, to show an edit button, then Policies may become very useful because you can do the following with them (and more):
    @can('update', $post)
    @endcan
    @cannot('create', App\Models\Post::class)
        You are not allowed to create a post
    @endcannot
I sometimes find these Policy-referencing Blade methods to be super useful when wanting to group authorisation in one place.
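
Added example, not part of the answer above: the Blade directives only decide what is rendered, so the same policy still has to be enforced on the request itself, and Laravel's built-in `can` middleware is the point where Policy and Middleware meet. The `Post` model with `user_id`, `title` and `body` columns, the `PostController` class and the route paths are assumptions made for illustration.

```php
<?php
// Added example. Assumed names: App\Models\Post (user_id, title, body),
// App\Http\Controllers\PostController, and the /posts/{post} routes.

namespace App\Policies;

use App\Http\Controllers\PostController;
use App\Models\Post;
use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

class PostPolicy
{
    // Runs before every ability on this policy. Returning null lets the
    // check fall through to the ability method below.
    public function before(User $user, string $ability): ?bool
    {
        return $user->admin === 1 ? true : null;
    }

    // Only the owner of the post may update it.
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }
}

// --- The lines below belong in routes/web.php ---
// The "can" middleware calls PostPolicy::update() with the route-bound
// {post}; a denied request gets a 403 before the controller runs.
Route::put('/posts/{post}', [PostController::class, 'update'])
    ->middleware(['auth', 'can:update,post']);

// The same policy checked inside the action instead of on the route.
Route::patch('/posts/{post}', function (Post $post) {
    Gate::authorize('update', $post); // throws AuthorizationException (403)
    $post->update(request()->only('title', 'body'));
    return back();
})->middleware('auth');
```

Either route-level or in-action enforcement keeps `@can('update', $post)` in the view and the server-side check reading from one rule.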