Digging Deeper

Gates

Gates are the way to tell your API consumers which actions the current user is allowed to perform on each model.

If you are not familiar with what a "Gate" is, please have a look at the Laravel Documentation.

Laravel Rest Api builds on this feature to expose the currently authenticated user's rights directly to your frontend, so the UI can show or hide actions without guessing.

Using gates

Gates are enabled by default. You only have to list the ones you want in your search request, and each record in the response then carries the result for those gates.

If you don't want to use this feature, you can disable it in two ways:

Globally

In your config/rest.php file, set the gates feature to disabled:

[
    // ...
    'gates' => [
        'enabled' => false, // Switch this to false
    ]
    // ...
]

Resource

If you want to disable this feature for certain resources only, use the DisableGates trait in the resource class:

UserResource.php
class UserResource extends Resource
{
    use \Lomkit\Rest\Concerns\Resource\DisableGates;
    
    // ...
}

Policy messages in gates

To surface the policy messages that explain why an authorization failed, first set the config key rest.gates.message.enabled to true. Enabling this changes the shape of the gates payload returned by the search endpoint, so frontend code that reads the gates may need to be updated.

In your policy, return an authorization Response instead of a bare boolean; the denial message is what the gates payload will carry:

PostPolicy.php
namespace App\Policies;

use App\Models\Post;
use App\Models\User;
use Illuminate\Auth\Access\Response;

class PostPolicy
{
    /**
     * Determine if the given post can be updated by the user.
     * Only the owner may update; everyone else gets an explicit denial message.
     */
    public function update(User $user, Post $post): Response
    {
        return $user->id === $post->user_id
            ? Response::allow()
            : Response::deny('You do not own this post.');
    }
}

With messages enabled, each gate in the search payload becomes an object with allowed and message keys instead of a bare boolean:

{
  "data": [
    {
      "id": 1,
      "gates": {
        "authorized_to_update": {
          "allowed": false,
          "message": "You do not own this post."
        }
      }
    }
  ]
}
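Because the payload shape depends on rest.gates.message.enabled, a frontend that reads gates should accept both forms and fail closed when a gate is absent. The helper below is an added example, not code from the laravel-rest-api project or its docs: it normalizes both shapes for the search records shown above. The gate names follow the authorized_to_<ability> pattern from the payload, and both sample records are constructed for this example.

```javascript
// Added example (not part of laravel-rest-api): read the per-record "gates"
// object from a search response, accepting both the default boolean form
// ({"authorized_to_update": false}) and the form produced when
// rest.gates.message.enabled is true
// ({"authorized_to_update": {"allowed": false, "message": "..."}}).

// Constructed sample response: record 1 in the message-enabled shape (as on the
// page), record 2 in the default boolean-only shape.
const sampleSearchResponse = {
  data: [
    {
      id: 1,
      gates: {
        authorized_to_update: { allowed: false, message: "You do not own this post." },
      },
    },
    {
      id: 2,
      gates: {
        authorized_to_view: true,
        authorized_to_update: true,
      },
    },
  ],
};

// Normalize one gate into { allowed, message, present }.
// Anything that is not an explicit boolean true or { allowed: true } is treated
// as denied, so a missing or malformed gate can never unlock a UI action.
function readGate(record, ability) {
  const gates = record && typeof record.gates === "object" && record.gates !== null
    ? record.gates
    : {};
  const raw = gates[`authorized_to_${ability}`];

  if (raw === undefined) {
    // Gate not present: gates disabled for this resource, or not requested.
    return { allowed: false, message: null, present: false };
  }
  if (typeof raw === "boolean") {
    // Default shape: a bare boolean carries no message.
    return { allowed: raw, message: null, present: true };
  }
  if (raw !== null && typeof raw === "object") {
    // Message-enabled shape: { allowed, message }.
    return {
      allowed: raw.allowed === true,
      message: typeof raw.message === "string" ? raw.message : null,
      present: true,
    };
  }
  // Unknown shape: fail closed.
  return { allowed: false, message: null, present: true };
}

function canDo(record, ability) {
  return readGate(record, ability).allowed;
}

// Message to show the user for a denied action; falls back to a generic text
// when the server did not supply one (boolean shape, or no deny message).
function denialMessage(record, ability, fallback = "You are not allowed to perform this action.") {
  const gate = readGate(record, ability);
  return gate.allowed ? null : (gate.message || fallback);
}

// Example usage over the constructed response.
for (const record of sampleSearchResponse.data) {
  console.log(record.id, "update:", canDo(record, "update"), denialMessage(record, "update"));
}
```

Treat the gate values purely as UI hints: they tell the frontend what to show, while the policy is still evaluated on the server when the action is actually attempted, so a tampered or stale gate value gives a client nothing it is not already authorized to do.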