Model Policies

The best way to incorporate access control for application features is with Laravel's Model Policies.

Using Policies allows you to simplify things by abstracting your "control" rules into one place, where your application logic can be combined with your permission rules.

Jeffrey Way explains the concept simply in the Laravel 6 Authorization Filters and policies videos and in other related lessons in that chapter. He also mentions how to set up a super-admin, both in a model policy and globally in your application.

Here's an example of a PostPolicy which could control access to Post model records:

<?php
namespace App\Policies;

use App\Models\Post;
use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class PostPolicy
{
    use HandlesAuthorization;

    public function view(?User $user, Post $post)
    {
        if ($post->published) {
            return true;
        }

        // visitors cannot view unpublished items
        if ($user === null) {
            return false;
        }

        // admin overrides published status
        if ($user->can('view unpublished posts')) {
            return true;
        }

        // authors can view their own unpublished posts
        return $user->id == $post->user_id;
    }

    public function create(User $user)
    {
        return ($user->can('create posts'));
    }

    public function update(User $user, Post $post)
    {
        if ($user->can('edit own posts')) {
            return $user->id == $post->user_id;
        }

        if ($user->can('edit all posts')) {
            return true;
        }
    }

    public function delete(User $user, Post $post)
    {
        if ($user->can('delete own posts')) {
            return $user->id == $post->user_id;
        }

        if ($user->can('delete any post')) {
            return true;
        }
    }
}