Checking Authorization
Once you have applied the middleware and attached an identity to the request, you can start checking authorization. The middleware decorates the request identity with authorization-related helper methods.
You can pass the identity into models, services, or templates and check permissions anywhere in your application. See the identity decorator section for customization options.
Checking Authorization for a Single Resource
Use can() to check authorization for a single resource, typically an ORM entity or domain object:
    $user = $this->request->getAttribute('identity');
    if ($user->can('delete', $article)) {
        // Do delete operation
    }
If your policies return result objects, use canResult() and inspect the status:
    $result = $user->canResult('delete', $article);
    if ($result->getStatus()) {
        // Do deletion
    }
Applying Scope Conditions
When working with collections such as paginated queries, apply authorization conditions through scopes so only accessible records are returned:
    $user = $this->request->getAttribute('identity');
    $query = $user->applyScope('index', $query);
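The policy side of the canResult() and applyScope() calls above, as an added example rather than code from the plugin's documentation: an entity policy that returns Result objects with a reason, and a table policy that supplies the index scope. The Article/ArticlesTable classes and the user_id and is_admin fields are assumed application-specific names.

```php
<?php
// Added example (not from the plugin docs): policies that back the identity
// helpers on this page. Article/ArticlesTable, user_id and is_admin are
// assumed application-specific names.
declare(strict_types=1);

namespace App\Policy;

use App\Model\Entity\Article;
use Authorization\IdentityInterface;
use Authorization\Policy\Result;
use Authorization\Policy\ResultInterface;
use Cake\ORM\Query;

class ArticlePolicy
{
    // Dispatched by $user->can('delete', $article) and canResult('delete', $article).
    // can() collapses this to a bool; canResult() hands the whole Result back
    // so the caller can log or display getReason() on denial.
    public function canDelete(IdentityInterface $user, Article $article): ResultInterface
    {
        if ($user['is_admin'] ?? false) { // identity is ArrayAccess over the user data
            return new Result(true);
        }
        if ($article->user_id === $user->getIdentifier()) {
            return new Result(true);
        }

        return new Result(false, 'Only the author or an admin may delete an article.');
    }
}

class ArticlesTablePolicy
{
    // Dispatched by $user->applyScope('index', $query). Narrowing the query
    // itself, instead of filtering rows after they are fetched, keeps paginated
    // counts correct and never loads rows the user may not see.
    public function scopeIndex(IdentityInterface $user, Query $query): Query
    {
        if ($user['is_admin'] ?? false) {
            return $query;
        }

        return $query->where(['Articles.user_id' => $user->getIdentifier()]);
    }
}
```

With these policies in place, a denied canResult('delete', $article) carries the reason string, and applyScope('index', $query) returns a query already restricted to the current user's articles.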
In controller actions, AuthorizationComponent can streamline checks that should raise exceptions on failure.