Gates
If you are not familiar with what a "Gate" is, please have a look at the Laravel Documentation.
Laravel Rest Api takes advantage of this feature to give your frontend direct access to the rights of the currently authenticated user: the search endpoint can return, per record, whether the user is authorized for each ability you ask about.
Using gates
Gates are enabled by default; you simply request the ones you want in your call to the search endpoint.
If you don't want to use this feature, you have two ways to disable it:
Globally
In your config/rest.php file, you can disable this feature directly:

```php
[
    // ...
    'gates' => [
        'enabled' => false, // Switch this to false
    ],
    // ...
]
```
Resource
If you want to disable this feature for certain resources only, use the DisableGates trait on your resource file:

```php
class UserResource extends Resource
{
    use \Lomkit\Rest\Concerns\Resource\DisableGates;

    // ...
}
```
Policy messages in gates
To surface policy messages explaining authorization failures, first set the config key `rest.gates.message.enabled` to `true`.
Enabling this changes the shape of the gates payload returned by the search endpoint (each gate becomes an object instead of a boolean) and may require frontend updates.
In your policy, return an authorization `Response` instead of a plain boolean:
```php
<?php

namespace App\Policies;

use App\Models\Post;
use App\Models\User;
use Illuminate\Auth\Access\Response;

class PostPolicy
{
    /**
     * Determine if the given post can be updated by the user.
     */
    public function update(User $user, Post $post): Response
    {
        // The deny message is what the search endpoint surfaces to the frontend.
        return $user->id === $post->user_id
            ? Response::allow()
            : Response::deny('You do not own this post.');
    }
}
```
This changes the search gates payload by adding `allowed` and `message` keys:

```json
{
    "data": [
        {
            "id": 1,
            "gates": {
                "authorized_to_update": {
                    "allowed": false,
                    "message": "You do not own this post."
                }
            }
        }
    ]
}
```
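A fuller policy, as an added example that is not part of the package's documentation or code: it covers several abilities with distinct deny messages and shows the main caveat of this feature. Once `rest.gates.message.enabled` is on, every deny message is returned to any API client that requests that gate, so messages must stay generic and must not reveal internal state. It assumes a hypothetical `published_at` nullable column on the `posts` table and a `PostPolicy` registered in the usual Laravel way; nothing else beyond the `user_id` column already used above.

```php
<?php

namespace App\Policies;

use App\Models\Post;
use App\Models\User;
use Illuminate\Auth\Access\Response;

class PostPolicy
{
    /**
     * Published posts are readable by everyone; drafts only by their author.
     * Assumes a nullable `published_at` column (hypothetical, not from the docs).
     */
    public function view(User $user, Post $post): Response
    {
        if ($post->published_at !== null || $user->id === $post->user_id) {
            return Response::allow();
        }

        // Generic wording: this string is sent to the client as `gates.authorized_to_view.message`.
        return Response::deny('This post is not published.');
    }

    /**
     * Only the owner may update a post.
     */
    public function update(User $user, Post $post): Response
    {
        return $user->id === $post->user_id
            ? Response::allow()
            : Response::deny('You do not own this post.');
    }

    /**
     * Only the owner may delete a post, and only while it is still a draft.
     * Two separate checks give the frontend two distinct, still non-sensitive, reasons.
     */
    public function delete(User $user, Post $post): Response
    {
        if ($user->id !== $post->user_id) {
            return Response::deny('You do not own this post.');
        }

        return $post->published_at === null
            ? Response::allow()
            : Response::deny('Published posts cannot be deleted.');
    }
}
```

With `rest.gates.message.enabled` set to `false`, the same policy still works: the search endpoint only needs the allow/deny outcome and the message is simply not emitted. Keep in mind that the frontend only uses these gates to decide what to show; the policy is still evaluated server-side on the actual mutation, so a client that ignores the gate gains nothing.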
Hooks
Hooks let you react to lifecycle events of your models.
Authorizations
Laravel Rest Api exposes a lot of information, so it is crucial for your application to secure access to its resources. Thankfully, Laravel Rest Api integrates seamlessly with Laravel's own authorization layer (policies and gates), giving you a straightforward way to secure your API.