Writing authorisation logic by hand is tedious and easy to get wrong — especially when policies span multiple roles, ownership rules, and edge cases. Claude can generate the full policy class from a plain-English description of your rules.
Describe your model and who should be allowed to do what:
Generate a Laravel Policy for a Post model. Rules:
- Guests can view published posts only
- Authors can create, update, and delete their own posts
- Editors can update any post but not delete
- Admins can do everything
Claude will generate a complete policy class with all the right method signatures, ownership checks, and return types:
public function update(User $user, Post $post): bool
{
return $user->isAdmin()
|| $user->isEditor()
|| $user->id === $post->user_id;
}
It will also write the registration call for AuthServiceProvider and remind you to attach the policy to the model with @can directives or $this->authorize() in your controllers.
For simpler one-off checks, ask Claude to write Gates instead:
Add a Gate that prevents users from posting
if their account is less than 7 days old.
You can go further and ask Claude to generate Pest or PHPUnit tests that cover every policy method, so you have full coverage on your authorisation layer from day one.
Authorisation bugs are security bugs — get Claude to write and test your policies before they ship.
Log in to leave a comment.
The /security-review command scans your uncommitted changes for injection vectors, auth gaps, hardcoded secrets, and other common vulnerabilities.
The SessionStart hook fires when any session begins or resumes, making it ideal for loading environment variables and running one-time setup scripts.
Ask Claude to write property-based tests for your functions using fast-check — it identifies the mathematical invariants in your code and generates tests that cover inputs you'd never enumerate by hand.