An Authentication and Authorization package for Laravel 4







Authorize is a port of the well known Authority library Matthew Machuga and Jesse O'brien, to Laravel 4. Most of the functions are similar with some enhancements. This library patches the system Auth class with super powers, and is meant to verify the authentication as well as the authority of the current system user.

!docs Authorize

Rommie: Would you like some docs?


This package depends on php5.4 advanced closures. php5.3 is not supported nor will be. to install add the package dependancy to your composer json file:

"wishfoundry/authorize": "dev-master"

and in your app/config/app.php file replace the default auth service provider



An example migration is provide in src/migrations but is not required. Please customize to suit your needs An matching example trait is provided for you to use in your User models as well. Simply include with

class User {
use Wishfoundry\Authorize\AuthorizeUserRoleTrait;

or customize to suit your needs.


Authorize does not come with and rules loaded by default. Rules can be added dynamically at any time, thus saving needless calls to the database. The recommended method of adding rules is to set up a route filter:

In a global filter you could setup some basic aliases

	Auth::addAlias('Administrate', ['create', 'view', 'modify', 'delete', 'flag', 'unflag']);
	Auth::addAlias('Moderate',     ['view', 'delete', 'flag', 'unflag']);
	Auth::addAlias('AllButView',   ['create', 'modify', 'delete', 'flag', 'unflag']);

Then you can define your rules in a named filter

Route::filter('admin', function()
	if (Auth::guest())
	    Auth::deny('AllButView', ['Post', 'Comment']);

	     * Rule actions can be any arbitrary string you decide
	     * except for the reserved word all, which is defined internally
	    Auth::deny('all', 'User');

    // Only make a DB call if user is logged in
	elseif (Auth::user()->hasRole('admin) )
	    Auth::allow('Administrate', ['User', 'Post', 'Comment']);

Usage is simple and elegant

if(Auth::can('delete', 'User')
if( Auth::cannot('view', 'Comment') )
    return Redirect::to('unauthorized');
// Or by aliases
if(Auth::can('Administrate', 'Post')) ...

for more advanced useage, Closures can be supplied:

Auth::allow('delete', 'Post')->when(function($post){
    return $this->user()->id == $post->user_id;

Which passed a variable as:

if( Auth::can('delete', 'Post', $post) )