API Platform is compatible with Laravel's authorization mechanism. Once a gate is defined, API Platform will automatically detect your policy.
```php
// app/Models/Book.php
namespace App\Models;

use ApiPlatform\Metadata\Patch;
use Illuminate\Database\Eloquent\Model;

#[Patch]
class Book extends Model
{
}
```
API Platform will detect the operation and map it to a specific method in your policy according to the rules defined in this table:
Operation | Policy |
---|---|
GET collection | viewAny |
GET | view |
POST | create |
PATCH | update |
DELETE | delete |
PUT | update or create if the resource doesn’t already exist |
If your policy methods do not match Laravel’s conventions, you can always use the `policy` property on an operation attribute to enforce this policy:
// app/Models/Book.php
namespace App\Models;
use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Patch;
use Illuminate\Database\Eloquent\Model;
-#[ApiResource]
#[ApiResource(
paginationItemsPerPage: 10,
+ operations: [
+ new Patch(
+ policy: 'myCustomPolicy',
+ ),
+ ],
)]
class Book extends Model
{
}
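Review bot: the `#[ApiResource(`, `paginationItemsPerPage: 10,` and closing `)]` lines are shown as unchanged context, but the removed `-#[ApiResource]` line shows the attribute had no arguments before, so they should carry a `+` like the `operations` lines. Also, the `operations` array lists only `new Patch(...)`; if the other operations from the mapping table are meant to stay exposed on `Book`, list them here as well, and say which policy class is expected to define `myCustomPolicy`.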
You can also link a model to a policy:
```php
use App\Models\Book;
use App\Tests\Book\BookPolicy;
use Illuminate\Support\Facades\Gate;

Gate::guessPolicyNamesUsing(function (string $modelClass): ?string {
    return Book::class === $modelClass ?
        BookPolicy::class :
        null;
});
```
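A policy class shaped to the mapping table above, with the custom `myCustomPolicy` method alongside the conventional ones. This is an added example, not API Platform's own code: the `App\Policies` namespace, the `user_id`, `is_admin` and `is_published` columns, and the `(User, Book)` signature of `myCustomPolicy` are assumptions.

```php
<?php
// Added example (not API Platform's code). Hypothetical: App\Policies namespace,
// and the user_id, is_admin and is_published columns.
namespace App\Policies;

use App\Models\Book;
use App\Models\User;
use Illuminate\Auth\Access\Response;

class BookPolicy
{
    // GET collection: a nullable user lets Laravel evaluate the check for guests.
    public function viewAny(?User $user): bool
    {
        return true;
    }

    // GET: published books are public, drafts are visible to their owner only.
    public function view(?User $user, Book $book): bool
    {
        return $book->is_published || ($user !== null && $user->id === $book->user_id);
    }

    // POST, and PUT when the resource does not exist yet.
    public function create(User $user): bool
    {
        return (bool) $user->is_admin;
    }

    // PATCH, and PUT when the resource already exists.
    public function update(User $user, Book $book): Response
    {
        return $user->id === $book->user_id
            ? Response::allow()
            : Response::deny('Only the owner may modify this book.');
    }

    // DELETE
    public function delete(User $user, Book $book): bool
    {
        return $user->is_admin || $user->id === $book->user_id;
    }

    // Target of `policy: 'myCustomPolicy'`; the signature is an assumption
    // modelled on the conventional update() method.
    public function myCustomPolicy(User $user, Book $book): bool
    {
        return $user->id === $book->user_id;
    }
}
```

Methods that type-hint a non-nullable `User` are denied for unauthenticated requests before the method body runs, which is Laravel's default for gates and policies.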
Usually, you will use Sanctum and add a middleware on secured routes:
```php
// app/Models/Book.php
namespace App\Models;

use ApiPlatform\Metadata\Patch;
use Illuminate\Database\Eloquent\Model;

#[Patch(middleware: 'auth:sanctum')]
class Book extends Model
{
}
```