docs/attribute-authorize.md
The #[Authorize] attribute integrates Laravel's Gate system directly into your Livewire actions. It ensures that an action is only executed if the user has the necessary permissions, throwing a 403 Forbidden response otherwise.
Apply the #[Authorize] attribute to any action method. Pass the ability name and an optional argument:
```blade
<?php // resources/views/components/post/⚡edit.blade.php

use Livewire\Attributes\Authorize;
use Livewire\Component;
use App\Models\Post;

new class extends Component {
    public Post $post;

    #[Authorize('update', 'post')] // [tl! highlight]
    public function save()
    {
        $this->post->save();
    }
};
?>

<button wire:click="save">
    Update Post
</button>
```
When save() is called, Livewire automatically checks if the current user is authorized to update the $post model stored on the component.
The attribute resolves the object to authorize against in the following order:
#[Authorize('view-dashboard')]).
create permissions where no instance exists yet (e.g., #[Authorize('create', Post::class)]).
public Post $post).
When authorizing based on a method parameter, you must type-hint the parameter so Livewire knows which model to resolve:
```php
<?php // resources/views/components/⚡comment-manager.blade.php

use Livewire\Attributes\Authorize;
use Livewire\Component;
use App\Models\Comment;

new class extends Component {
    #[Authorize('delete', 'comment')] // [tl! highlight]
    public function deleteComment(Comment $comment) // [tl! highlight]
    {
        $comment->delete();
    }
};
```
> [!important]
> If you resolve a model via a method parameter, a type-hint (e.g., Comment $comment) is required. Without it, Livewire cannot determine which model to resolve and the authorization check will fail.
When authorizing actions using policies, you may pass an array as the second argument. The first element in the array will be used to determine which policy should be invoked, while the rest of the array elements are passed as parameters to the policy method.
```php
<?php

use Livewire\Attributes\Authorize;
use Livewire\Component;
use App\Models\Comment;
use App\Models\Post;

new class extends Component {
    public Post $post;

    #[Authorize('create', [Comment::class, 'post'])] // [tl! highlight]
    public function createComment()
    {
        $this->post->comments()->create([
            'body' => 'New comment'
        ]);
    }
};
```
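The policy side of the array form above and of the earlier `deleteComment` example, as an added example that is not part of the Livewire documentation or code base. It shows where the extra array element lands in the policy method signature. The columns `is_locked`, `is_published` and `user_id` and the `Comment::post()` relation are assumptions, as is the attribute resolving `'post'` to the component's `$post` property in the way the example above implies.

```php
<?php // app/Policies/CommentPolicy.php (added example; hypothetical policy)

namespace App\Policies;

use App\Models\Comment;
use App\Models\Post;
use App\Models\User;

class CommentPolicy
{
    // Both methods type-hint a non-nullable User, so Laravel's gate denies
    // unauthenticated requests before the method body runs.

    /**
     * Reached by #[Authorize('create', [Comment::class, 'post'])].
     * Comment::class selects this policy; the Post arrives as the
     * argument after the authenticated user.
     */
    public function create(User $user, Post $post): bool
    {
        // Assumed column: posts.is_locked (hypothetical).
        if ($post->is_locked) {
            return false;
        }

        // Assumed columns: posts.is_published, posts.user_id (hypothetical).
        // Drafts accept comments from their owner only.
        return $post->is_published || $post->user_id === $user->id;
    }

    /**
     * Reached by #[Authorize('delete', 'comment')] on a method with a
     * type-hinted Comment $comment parameter.
     */
    public function delete(User $user, Comment $comment): bool
    {
        // Assumed column: comments.user_id; assumed relation: Comment::post().
        // The check is made against the record the request names, not
        // against whatever the UI happened to render for this user.
        return $comment->user_id === $user->id
            || $comment->post->user_id === $user->id;
    }
}
```

With Laravel's default conventions, a class named `CommentPolicy` in `App\Policies` is discovered for `App\Models\Comment` without manual registration.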
The attribute is repeatable, so you can stack multiple authorization checks on a single method:
```php
#[Authorize('create', Post::class)]
#[Authorize('update', 'post')]
public function save()
{
    // Both checks must pass...
}
```
> [!warning]
> The #[Authorize] attribute only protects server-side execution of an action. It does not hide UI elements in your Blade template.
You should still use Blade's @can directives to hide buttons the user isn't allowed to use:
```blade
@can('update', $post)
    <button wire:click="save">Save</button>
@endcan
```
For more information on defining abilities and policies, see the Laravel Authorization documentation.