October 26th, 2023

The difference between Policies and FormRequest::authorize()

The difference between Policies and FormRequest::authorize()

In Laravel, both policies and the FormRequest::authorize() method are used to control access to specific resources or actions within your application. However, they serve slightly different purposes and are typically used in different contexts.


Policies are a way to encapsulate and centralize authorization logic for specific models. You define a policy class for a model, and in that class, you specify the authorization rules for that model's actions. For example, you might create a PostPolicy for the Post model to define who can create, view, update, or delete posts.

Policies are typically used in conjunction with the authorize method of the controller. In your controller, you can call the authorize method to check if a user is authorized to perform a specific action on a model. The authorization logic is then defined in the associated policy.

Policies are a great way to keep your authorization logic organized and maintainable, especially as your application grows and you have more complex authorization requirements.

1public function update(Post $post)
3 $this->authorize('update', $post);
4 // The user is authorized to update the post, proceed with the update.

The authorize() method

FormRequest classes are used for form validation and request authorization. When you create a new request using php artisan make:request RequestName, Laravel generates a FormRequest class for you. In this class, you can define validation rules in the rules() method and authorization logic in the authorize() method.

The authorize() method in a FormRequest is where you specify whether the authenticated user is allowed to perform the associated action. If the authorize() method returns true, the request is allowed to proceed; otherwise, it is denied.

FormRequest::authorize() is typically used for basic authorization checks, especially when you want to restrict access to a specific controller action based on simple conditions, such as whether the user is an admin or the owner of a resource.

1public function authorize()
3 return $this->user()->isAdmin();

In summary, policies are more suited for encapsulating and organizing complex authorization logic related to models, while FormRequest::authorize() is used for simple authorization checks directly associated with controller actions. You can use both approaches in your Laravel application, and the choice between them depends on the complexity of your authorization requirements and your application's architecture.

Statamic Ninja


Marian Pop

PHP / Laravel Developer. Writing and maintaining @LaravelMagazine. Host of "The Laravel Magazine Podcast". Pronouns: vi/vim.

Subscribe to our newsletter

Get latest news, tutorials, community articles and podcast episodes delivered to your inbox.

Weekly articles
We send a new issue of the newsletter every week on Friday.
No spam
We'll never share your email address and you can opt out at any time.