
orottier/authorization-required
===============================

A simple and efficient authorization manager for the Laravel framework

2.0.3 (9y ago) · 01.1k · MIT · PHP · PHP >=5.3.0

Since Jun 30 · Pushed 9y ago · 1 watchers

[Source](https://github.com/orottier/authorization-required) · [Packagist](https://packagist.org/packages/orottier/authorization-required)

AuthorizationRequired
=====================

A simple and efficient authorization package for the Laravel framework

What this package can and cannot do
-----------------------------------

This package uses the available Eloquent hooks to impose rules for reading and writing your Models. No more, no less.

Will protect:

- Read access & creation of new models
- Updates and deletes of models, invoked on the model itself

Will not protect:

- Raw queries: `DB::table('users')->delete()`
- Mass updates and deletes: `User::where('role', 'admin')->delete()`

Please note the fundamental difference between

```
✅ User::find(12)->delete(); // Invokes delete on the User Model
❌ User::where('id', 12)->delete(); // Invokes delete on the Eloquent Builder
❌ DB::table('users')->where('id', 12)->delete(); // Invokes delete on the Query Builder
❌ DB::delete("DELETE FROM `users` WHERE `id` = 12"); // Executes a raw query
```

This package will only guard deletes/updates of the first type. The latter three will pass no matter what rules you impose.
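Why the last three calls slip past model-level rules, as an added plain-PHP simulation (not code from this package or from Laravel). `FakeTable`, `FakeModel` and `guardedBulkDelete` are hypothetical stand-ins, and the ownership rule and rows are constructed; the last function shows a bulk delete routed through the model path so the hook still runs per row.

```php
<?php
// Constructed stand-ins in plain PHP 8.0+, not Laravel or package classes.
class FakeTable
{
    public array $rows = [];                 // id => owner id
    // Builder/raw path: rows are removed directly, no model object is built.
    public function deleteWhere(callable $match): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn ($owner) => !$match($owner));
        return $before - count($this->rows);
    }
}

class FakeModel
{
    public static array $deleting = [];      // hooks, like a "deleting" model event
    public function __construct(public FakeTable $table, public int $id) {}
    // Model path: every hook runs first and may throw to veto the delete.
    public function delete(): void
    {
        foreach (self::$deleting as $hook) {
            $hook($this->id, $this->table->rows[$this->id]);
        }
        unset($this->table->rows[$this->id]);
    }
}

// Bulk delete routed through the model path, one row at a time.
function guardedBulkDelete(FakeTable $table, callable $match): array
{
    $out = ['deleted' => [], 'denied' => []];
    foreach (array_keys(array_filter($table->rows, $match)) as $id) {
        try {
            (new FakeModel($table, $id))->delete();
            $out['deleted'][] = $id;
        } catch (DomainException $e) {
            $out['denied'][] = $id;
        }
    }
    return $out;
}
FakeModel::$deleting[] = function (int $id, int $owner): void {
    if ($owner !== 1) throw new DomainException("delete denied for row $id"); // constructed rule
};
$table = new FakeTable();
$table->rows = [10 => 1, 11 => 2, 12 => 2];  // constructed sample rows
print_r(guardedBulkDelete($table, fn ($owner) => true));
echo $table->deleteWhere(fn ($owner) => $owner === 2), " rows removed, no hook ran\n";
```

In a real application the equivalent defensive move is to load the matching models and call `delete()` on each instance, and to review the code base for builder-level and raw deletes or updates on protected models.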

Installation via Composer
-------------------------

Note: this package can only be used in combination with the **Laravel** framework.

Use `composer` to install AuthorizationRequired in your project:

```
composer require orottier/authorization-required
# (use version `1.*` for Laravel `5.2` and lower)
# (use version `2.*` for Laravel `5.3` and above)
```

How it works
------------

The Laravel models you want to protect should include the `AuthorizationRequired` trait and should have an [authorization policy](http://laravel.com/docs/master/authorization) defined for `create`, `update` and `delete` actions.

The following method is placed on your model:

```
public static function authorizationReadScope(\Illuminate\Database\Eloquent\Builder $query);
```

Use this [query scope](http://laravel.com/docs/master/eloquent#query-scopes) to limit the read access of your model. Together with the authorization policy, the rules of *reading*, *updating*, *creating* and *deleting* the model are defined.

### Read behaviour

Calling `Model::find` will simply yield null if the rules prevent the object from being seen (as if it did not exist). Your application has probably been configured to return a 404 status code in these cases.

### Write behaviour (update, create, delete)

If your policy rules forbid writing the model, an `AuthorizationRequired\PermissionException` is thrown. Specifically: `UpdatePermissionException`, `CreatePermissionException` and `DeletePermissionException`. Your application can convert this into a nice 403 page using the `render` function in `App\Exception`.

Note that by Laravel's defaults, a missing rule will not allow any operations. Also, there must be a logged-in user for any of the policies to be accepted.

Example usage
-------------

To illustrate the usage of this package, we will put authorization rules on a simple application that allows users to post and modify blog items (referred to as `Post`).

To put authorization rules on an Eloquent model, include the `AuthorizationRequired` trait:

```
