PHPackages                             gecche/laravel-policy-builder - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Database &amp; ORM](/categories/database)
4. /
5. gecche/laravel-policy-builder

ActiveLibrary[Database &amp; ORM](/categories/database)

gecche/laravel-policy-builder
=============================

A simple way to build allowed list of eloquent models (acl)

v13.0(3mo ago)71.1k1MITPHP

Since Jan 31Pushed 2mo ago2 watchersCompare

[ Source](https://github.com/gecche/laravel-policy-builder)[ Packagist](https://packagist.org/packages/gecche/laravel-policy-builder)[ RSS](/packages/gecche-laravel-policy-builder/feed)WikiDiscussions master Synced 3w ago

READMEChangelogDependencies (14)Versions (26)Used By (0)

[![License](https://camo.githubusercontent.com/30597ff9a350144f03bffdd9183e16468e0b3ca1193e1d08591d992622738d55/687474703a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d4d49542d627269676874677265656e2e7376673f7374796c653d666c61742d737175617265)](https://tldrlegal.com/license/mit-license)[![Laravel](https://camo.githubusercontent.com/40236e2476ff414887c1d4654db9142ebac4bce19aac8cd02eb1c6d2762deb09/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d31332e782d6f72616e67652e7376673f7374796c653d666c61742d737175617265)](http://laravel.com)[![Laravel](https://camo.githubusercontent.com/3ccc671eca69e8695910518f858e08d1f046a75884b69d4821d3ccfcfee3db83/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d31322e782d6f72616e67652e7376673f7374796c653d666c61742d737175617265)](http://laravel.com)[![Laravel](https://camo.githubusercontent.com/7894171e4ea959fd933d11c81799acb9b535d48d90bf7bfbc40edefda04374f7/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d31312e782d6f72616e67652e7376673f7374796c653d666c61742d737175617265)](http://laravel.com)[![Laravel](https://camo.githubusercontent.com/dc5a02724cce542dca6f1dfd917d7e4dfde8b09e92de6e6a1afe61453eb1c4f4/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d31302e782d6f72616e67652e7376673f7374796c653d666c61742d737175617265)](http://laravel.com)[![Laravel](https://camo.githubusercontent.com/f56ee00d0d7664ddea5ef18ba730624857cb9f9a265075a09582d7beaeb8a6c8/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d392e782d6f72616e67652e7376673f7374796c653d666c61742d737175617265)](http://laravel.com)[![Laravel](https://camo.githubusercontent.com/8ce0ee8a49efc56b84805856cacdfb6b6dce2a11f7ee9c0b2cf359239298685c/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d382e782d6f72616e67652e7376673f7374796c653d666c61742d737175617265)](http://laravel.com)[![Laravel](https://camo.githubusercontent.com/88c14355c6e93c8bf2cb0ae3d78d3934b152943c57124aadbc0fe65e034fb212/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d372e782d6f72616e67652e7376673f7374796c653d666c61742d737175617265)](http://laravel.com)[![Laravel](https://camo.githubusercontent.com/d5aa7cb092b46d050964e450a59e858f65b3d9b1f501bdff0d634f2c79d549ab/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d362e782d6f72616e67652e7376673f7374796c653d666c61742d737175617265)](http://laravel.com)[![Laravel](https://camo.githubusercontent.com/7d48a347cda33127449307a1ba24bdebf76d226c4f2a1585285c8e968f2666a9/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d352e782d6f72616e67652e7376673f7374796c653d666c61742d737175617265)](http://laravel.com)

laravel-policy-builder
======================

[](#laravel-policy-builder)

A simple and convenient way to build allowed list of Eloquent models according to policies.

Description
-----------

[](#description)

In many apps you use Laravel's Policies for checking if an user is allowed to handle a resource. Usually, in those apps, you also have to get lists of allowed resources accordingly to policies.

By using this package you store the business logic of filtering lists of resources directly in the policies and you get such lists by simply calling the method `acl` when using an Eloquent Builder.

Documentation
-------------

[](#documentation)

### Version Compatibility

[](#version-compatibility)

LaravelPolicyBuilder13.x13.x12.x12.x11.x11.x10.x10.x9.x5.x8.x4.x7.x3.x6.x2.x5.8.x1.4.x5.7.x1.3.x5.6.x1.2.x5.5.x1.1.x### Installation

[](#installation)

Add gecche/laravel-policy-builder as a requirement to composer.json:

```
{
    "require": {
        "gecche/laravel-policy-builder": "13.*"
    }
}
```

This package makes use of the discovery feature.

### Basic usage

[](#basic-usage)

#### Define the business logic of building allowed lists of models in the policies

[](#define-the-business-logic-of-building-allowed-lists-of-models-in-the-policies)

Let us suppose to have an `Author` Model class and a standard `AuthorPolicy` class for defining ability methods as usual.

Simply add directly in the `AuthorPolicy` class the business logic for filtering lists of Author. E.g.:

```
class AuthorPolicy
{
    use HandlesAuthorization;

    /**
     *
     * - All authors are allowed to users 1 and 2
     * - Only italian authors are allowed to users 3 and 4
     * - Only non-italian authors are allowed to other users
     *
     * @param   \Illuminate\Contracts\Auth\Authenticatable|null $user
     * @param  Builder $builder
     * @return mixed
     */
    public function acl($user, $builder)
    {

        switch ($user->getKey()) {
            case 1:
            case 2:
                return $builder;
            case 3:
            case 4:
                return $builder->where('nation','IT');
            default:
                return $builder->where('nation','','IT');

        }

    }
```

#### Get the allowed list of models for an user

[](#get-the-allowed-list-of-models-for-an-user)

Now, to get the allowed list of authors for the currently authenticated user, simply do:

```
    Author::acl()->get();
```

If you want the list for the user 3, simply do:

```
    $userForAcl = User::find(3);
    Code::acl($userForAcl)->get();
```

Now the lists returns only italian authors.

#### Default list

[](#default-list)

Let us consider another `Book` model for which either the `acl` method has not been defined in its `BookPolicy` or there is no `BookPolicy` at all.

If we do:

```
    Book::acl()->get();
```

we get the empty list of models for any user.

### Beyond the basics

[](#beyond-the-basics)

Once installed, other than the `acl` Eloquent Builder macro, the package provides the `PolicyBuilderServiceProvider` (together with the `PolicyBuilder` facade) which performs the underlying machinery for linking the Eloquent Builder with the policies (by wrapping the Laravel's `Gate` provider) and it offers some useful methods.

#### Basic default builder methods: `all` and `none`

[](#basic-default-builder-methods-all-and-none)

The PolicyBuilder has two public methods, namely `all` and `none` which basically, given an Eloquent Builder adn (optionally) the model class name, return respectively the list of all available models (no filters at all) and the empty list.

The return of above methods can be customized by using the `setAllBuilder` and `setNoneBuilder` methods.

In the following example we change the previous `AuthorPolicy` class with the
PolicyBuilder's `all` method, but we leave the same semantics as before.

```
use Gecche\PolicyBuilder\Facades\PolicyBuilder;
use App\Models\Author;

class AuthorPolicy
{
    use HandlesAuthorization;

    /**
     *
     * - All authors are allowed to users 1 and 2
     * - Only italian authors are allowed to users 3 and 4
     * - Only non-italian authors are allowed to other users
     *
     * @param   \Illuminate\Contracts\Auth\Authenticatable|null $user
     * @param  Builder $builder
     * @return mixed
     */
    public function acl($user, $builder)
    {

        switch ($user->getKey()) {
            case 1:
            case 2:
                return PolicyBuilder::all($builder,Author::class);
            case 3:
            case 4:
                return $builder->where('nation','IT');
            default:
                return $builder->where('nation','','IT');

        }
    }
```

As before for both user 1 and 2 the full list of authors is returned if we do:

```
    Author::acl()->get();
```

However we can set globally a different semantics for the PolicyBuilder's `all` method, e.g.:

```
PolicyBuilder::setAllBuilder(function ($builder,$modelClassName = null) {
    if ($modelClassName == Author::class) {
        return $builder->where('id','',1);
    }
    return $builder;
});
```

In the above example when the `all` method is called the list of authors lacks the author with id 1.

The same can be done with the PolicyBuilder's `none` method.

#### Changing the "context"

[](#changing-the-context)

Usually, an user either can access or not a certain model. But there are some cases in which, under certain "context", we need to built a list of allowed models which is different than the standard one.

For example, an user can view the whole list of `Author` models in the library, but it cannot edit all of them. So we want to build also the list of books which the user can edit and we are changing to the `editing` "context" with a different business logic for building the list.

In that case, simply pass the "context" to the builder:

```
    //returning the 'editing' list for the authenticated user
    Author::acl(null,'editing')->get();
    //or returning the 'editing' list for user 2
    $userForAcl = User::find(2);
    Author::acl($userForAcl,'editing')->get();
```

In the AuthorPolicy you have to define accordingly the `aclEditing` method as done before for the `acl` one.

#### `beforeAcl` PolicyBuilder and Policy methods

[](#beforeacl-policybuilder-and-policy-methods)

Like the Laravel's Gate `before` method, PolicyBuilder has a `beforeAcl` method for registering "beforeAcl" callbacks. If a registered callback returns an Eloquent Builder, further elaboration is not needed and thus no policy is needed at all. E.g.:

```
/*
 * - For user 1 (superuser) it returns the full list of models for any model and context
 * - For all the other registerd users, it returns the full list of models for Book
 */
PolicyBuilder::beforeAcl(function ($user, $modelClassName, $context, $builder) {

    if (!$user) {
        return;
    }

    if ($user->getKey() == 1 || $modelClassName == Book::class) {
        return PolicyBuilder::all($builder,$modelClassName);
    }

    return;
});
```

A very similar `beforeAcl` method can also be placed into a single policy and it will be handled by the `PolicyBuilderServiceProvider` before elaborating any other method in the policy.

```
use Gecche\PolicyBuilder\Facades\PolicyBuilder;
use App\Models\Author;

class AuthorPolicy
{
    use HandlesAuthorization;

    public function beforeAcl($user, $context, $builder) {

        if (is_null($user)) {
            return PolicyBuilder::none($builder,Author::class);
        }

        return null;

    }

    ...

```

In the above example, the guest user has no access at all to the authors.

###  Health Score

49

—

FairBetter than 94% of packages

Maintenance83

Actively maintained with recent releases

Popularity22

Limited adoption so far

Community9

Small or concentrated contributor base

Maturity67

Established project with proven stability

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~94 days

Recently: every ~185 days

Total

25

Last Release

90d ago

Major Versions

v4.0 → v5.02022-02-08

v5.1 → v10.02023-02-20

v10.x-dev → v11.x-dev2024-03-19

v11.0 → v12.02025-02-26

v12.x-dev → v13.02026-03-29

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/11093763?v=4)[gecche](/maintainers/gecche)[@gecche](https://github.com/gecche)

---

Top Contributors

[![gecche](https://avatars.githubusercontent.com/u/11093763?v=4)](https://github.com/gecche "gecche (72 commits)")

---

Tags

acleloquentfiltering-listslaravelpermissionsphppoliciespolicylaravelmodeleloquentaclpermissionsgate

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/gecche-laravel-policy-builder/health.svg)

```
[![Health](https://phpackages.com/badges/gecche-laravel-policy-builder/health.svg)](https://phpackages.com/packages/gecche-laravel-policy-builder)
```

###  Alternatives

[silber/bouncer

Eloquent roles and abilities.

3.6k4.6M27](/packages/silber-bouncer)[jeremykenedy/laravel-roles

A Powerful package for handling roles and permissions in Laravel. Supports Laravel 5.3 up to 13.

1.0k849.6k7](/packages/jeremykenedy-laravel-roles)[anourvalar/eloquent-serialize

Laravel Query Builder (Eloquent) serialization

11222.5M32](/packages/anourvalar-eloquent-serialize)[kodeine/laravel-acl

Light-weight role-based permissions for Laravel 5 built in Auth system.

779358.1k5](/packages/kodeine-laravel-acl)[waad/laravel-model-metadata

A robust Laravel package for handling metadata with JSON casting, custom relation names, and advanced querying capabilities.

854.1k](/packages/waad-laravel-model-metadata)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)