Fortress is a powerful Laravel package designed to streamline attribute-based authorization. By leveraging the #[Authorize] attribute, it provides a declarative and clean approach to securing your Laravel application. Whether managing roles, permissions, gates, or ownership rules, Fortress ensures security is flexible, robust, and easy to implement.
- Attribute-Based Authorization: Use
#[Authorize]attributes for roles, permissions, gates, and ownership checks. - Simplifies Middleware Logic: Declarative syntax removes clutter from middleware, keeping it clean and readable.
- Ownership Validation: Validate ownership with configurable keys and default behaviors.
- Laravel 11 Support: Fully compatible with Laravel 11 and follows PSR standards.
- Customizable Configuration: Flexible configuration for roles, permissions, gates, and ownership rules.
You can install the package via Composer:
composer require laravelplus/fortressAppend Middleware where you need it:
$middleware->web(append: [
...
Laravelplus\Fortress\Middleware\AttributeAuthorizationMiddleware::class,
]);
To publish the configuration file, run:
php artisan vendor:publish --provider="Laravelplus\\Fortress\\FortressServiceProvider"The configuration file will be published at config/fortress.php. Customize default values for ownership keys, gates, and more.
Add the #[Authorize] attribute to your controller methods to enforce authorization:
use Laravelplus\Fortress\Attributes\Authorize;
class PostController
{
#[Authorize(
public: false,
roles: ['admin', 'editor'],
permissions: ['create', 'update'],
owner: App\Models\Post::class,
overrideKey: 'author_id'
)]
public function update(Request $request, $id)
{
// Update logic
}
}- Roles: Ensures the user has one of the specified roles (
adminoreditor). - Permissions: Validates the user has
createorupdatepermissions. - Ownership: Checks if the authenticated user is the owner of the
Postmodel by comparingauthor_idwith the user'sid.
Allow unauthenticated users to access a method:
#[Authorize(public: true)]
public function show($id)
{
// This method is accessible by everyone
}Restrict access based on roles and permissions:
#[Authorize(roles: ['manager'], permissions: ['approve-leave'])]
public function approveLeave(Request $request)
{
// This method is accessible only by managers with approve-leave permission
}Restrict access to resources owned by the authenticated user:
#[Authorize(owner: App\Models\Comment::class, overrideKey: 'user_id')]
public function editComment(Request $request, $id)
{
// Accessible only if the comment belongs to the authenticated user
}Use Laravel gates to control access:
#[Authorize(gates: 'edit-settings')]
public function settings()
{
// This method is accessible if the "edit-settings" gate returns true
}To run the package's test suite:
composer testExample output:
PHPUnit 11.0.0 by Sebastian Bergmann and contributors.
............. 22 / 22 (100%)
Time: 00:00.410, Memory: 26.00 MB
OK (22 tests, 60 assertions)See the CHANGELOG for details about recent changes.
Contributions are welcome! Please see the CONTRIBUTING file for details on how to contribute.
If you discover any security-related issues, please email [email protected] instead of using the issue tracker.
- Author: Nejcc
- Contributors: All Contributors
This package is licensed under the MIT License. See the LICENSE file for details.
You can download the package here:
Packagist - Laravel Fortress