Laravel authorization via middleware

Looking through the docs the can middleware doesn't really lend itself to resources. You could use multiple middleware calls on the group but this would mean that your use would require all privileges to access the routes.

Your alternatives are:

Add $this->authorize(new App\Project) to your index and create methods in your controller. Laravel will use reflection to figure out what policy to use based on the method it is called from.

Or

In the __construct() method of your controller you could use:

$this->authorizeResource(App\Project::class); 

This will require you to create update, view and delete methods inside your Policy class. Each of these methods will be passed User $user, Project $project e.g.

public function view(User $user, Project $project)
{
   return true;
}

FYI, if you leave off the method name with authorize() or you use authorizeResource() Laravel will map certain method names to different policy methods i.e. :

[
  //ControllerMethod => PolicyMethod
    'show'    => 'view',
    'create'  => 'create',
    'store'   => 'create',
    'edit'    => 'update',
    'update'  => 'update',
    'destroy' => 'delete',
];

You can override this by adding a resourceAbilityMap() method to your controller and returning a different array to the one above.

Hope this helps!