JCC Express

Authorization

Introduction

Authorization is powered by Gate + Policy primitives (jcc-express-mvc/lib/Authorization):

  • GateFacade.define(...) for named abilities
  • GateFacade.policy(Model, PolicyClass) for model policies
  • GateFacade.can(...) and GateFacade.authorize(...) for checks
  • AuthorizeMiddleware.authorize(...) for route-level ability enforcement

Global helpers are also available: Gate, can(...), authorize(...).


Define gates and policies

In a provider (for example app/Providers/AuthServiceProvider.ts):

TypeScript

Gate decisions deny by default when the ability or policy is not found.


Policy classes

Extend Policy and implement ability methods:

TypeScript

Supported conventional methods include viewAny, view, create, update, delete, restore, forceDelete.


Check permissions in code

Using helpers:

TypeScript

Using the facade directly:

TypeScript

authorize(...) throws AuthorizationException when denied.


Route middleware authorization

Use the middleware factory:

TypeScript

Behavior:

  • unauthenticated -> 401 JSON or redirect to login
  • missing model -> 404
  • unauthorized -> 403
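
The deny-by-default rule, the throwing authorize(...) and the 401/404/403 route outcomes described on this page can be seen together in a small stand-alone model. This is an added example, not jcc-express-mvc code: MiniGate, routeStatus, the plain-object policy shape and the order of the checks are assumptions made for illustration.

```typescript
// Added illustration: a stand-alone model, NOT jcc-express-mvc source. All names are hypothetical.
type User = { id: number };
type Check = (user: User, model?: object) => boolean;

class AuthorizationException extends Error {}

class MiniGate {
  private abilities = new Map<string, Check>();
  private policies = new Map<Function, Record<string, Check>>();

  define(name: string, check: Check): void { this.abilities.set(name, check); }
  policy(model: Function, methods: Record<string, Check>): void { this.policies.set(model, methods); }

  can(user: User | null, ability: string, model?: object): boolean {
    if (!user) return false;
    let check: Check | undefined;
    if (model) {
      const methods = this.policies.get(model.constructor);
      // Own properties only, so "toString" or "constructor" never resolve to a check.
      if (methods && Object.prototype.hasOwnProperty.call(methods, ability)) check = methods[ability];
    } else {
      check = this.abilities.get(ability);
    }
    // Deny by default: unknown ability, unregistered policy, or any non-true result.
    return check !== undefined && check(user, model) === true;
  }

  authorize(user: User | null, ability: string, model?: object): void {
    if (!this.can(user, ability, model)) throw new AuthorizationException(`Forbidden: ${ability}`);
  }
}

// Route-edge outcome, checked in the order the list above gives: 401, then 404, then 403.
function routeStatus(gate: MiniGate, user: User | null, ability: string, model: object | null): number {
  if (!user) return 401;
  if (!model) return 404;
  return gate.can(user, ability, model) ? 200 : 403;
}

// Constructed sample data.
class Post { ownerId: number; constructor(ownerId: number) { this.ownerId = ownerId; } }
class Invoice { ownerId: number; constructor(ownerId: number) { this.ownerId = ownerId; } }
const gate = new MiniGate();
gate.define("view-dashboard", (u) => u.id === 1);
gate.policy(Post, { update: (u, m) => (m as Post).ownerId === u.id });
const alice: User = { id: 1 };
const bob: User = { id: 2 };
```

Invoice has no registered policy and "toString" is not a registered ability, so both are denied even for the owner.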

Integration with error handling

Authorization failures raise AuthorizationException, handled by AppErrorHandler as:

  • JSON requests: 403 { message }
  • web requests: flash + redirectBack()

Summary

  • Register gates/policies in a provider.
  • Use can(...) for boolean checks and authorize(...) for enforced checks.
  • Use AuthorizeMiddleware when authorization should happen at the route edge.