Page Contents

Checking AuthorizationΒΆ

Once you have applied the Authorization Middleware to your application and added an identity to the request, you can start checking authorization. The middleware will wrap your request identity with an IdentityDecorator that adds authorization related methods:

// Get the identity from the request
$user = $this->request->getAttribute('identity');

// Check authorization on $article
if ($user->can('delete', $article)) {
    // Do delete operation

If your policies return Policy Result Objects be sure to check their status as can() returns the result instance:

// Assuming our policy returns a result.
$result = $user->can('delete', $article);
if ($result->getStatus()) {
    // Do deletion

You can also use the identity to apply scopes:

// Get the identity from the request
$user = $this->request->getAttribute('identity');

// Apply permission conditions to a query
$query = $user->applyScope('index', $query);

The IdentityDecorator will forward all method calls, array access, and property access to the decorated identity object. If you need to access the underlying identity directly use getOriginalData():

$originalUser = $user->getOriginalData();

You can pass the $user into your models, services or templates allowing you to check authorization anywhere in your application easily. See the Identity Decorator section for how to customize or replace the default decorator.

The AuthorizationComponent can be used in controller actions to streamline authorization checks that raise exceptions on failure.