In this episode, we dive into the basics of handling authorization in our application. We start by outlining why authorization matters—essentially, it's about ensuring that only the users who are meant to perform certain actions, like posting or updating comments, are actually able to do so.
We get hands-on by creating a simple policy (using Laravel's policies) to control who can create a post. For this example, we decide that users must have verified their email to be allowed to post. We walk through setting up this policy, wiring it into our controllers, and making sure it gets registered properly so Laravel recognizes it.
Once the backend restriction is in place, we test it out—when a user without a verified email tries to post, they see an error. Cool, but there's a catch: even though they're blocked on the backend, the form is still visible on the frontend, which isn't ideal.
To fix this, we show how to pass down the user's permissions from the backend to the frontend using Inertia.js. We update our controllers to send a simple "can" object that tells the frontend what actions the user is allowed to perform. On the Vue side, we use this data to conditionally render the post form only if the user has permission.
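Here is an added example, written for this summary rather than taken from the episode's own code, showing the two halves described above: a policy that allows post creation only for users with a verified email, a controller that enforces it on the backend and passes the result to the frontend as a "can" prop through Inertia, and a comment showing the Vue side. The class names (PostPolicy, PostController), the Inertia page name ('Posts/Index') and the prop key create_post are assumptions for illustration.

```php
<?php
// Added example, not the episode's code. PostPolicy, PostController,
// 'Posts/Index' and the create_post key are assumed names.

// ----- app/Policies/PostPolicy.php -----
namespace App\Policies;

use App\Models\User;

class PostPolicy
{
    // Backend rule: only users who have verified their email may create a post.
    // hasVerifiedEmail() comes from the MustVerifyEmail trait on the User model.
    public function create(User $user): bool
    {
        return $user->hasVerifiedEmail();
    }
}

// ----- Registration -----
// Laravel discovers App\Policies\PostPolicy for App\Models\Post automatically.
// To register it explicitly instead, add to a service provider's boot():
//   Gate::policy(\App\Models\Post::class, \App\Policies\PostPolicy::class);

// ----- app/Http/Controllers/PostController.php -----
namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Inertia\Inertia;

class PostController extends Controller
{
    public function index(Request $request)
    {
        $user = $request->user();

        return Inertia::render('Posts/Index', [
            'posts' => Post::latest()->get(),
            // The same policy decision the backend enforces, handed to the UI
            // so the form is only rendered when the action is actually allowed.
            'can' => [
                'create_post' => $user !== null && $user->can('create', Post::class),
            ],
        ]);
    }

    public function store(Request $request)
    {
        // The real check: denies with a 403 when the policy returns false,
        // regardless of what the frontend chose to render.
        Gate::authorize('create', Post::class);

        $post = $request->user()->posts()->create(
            $request->validate(['body' => ['required', 'string', 'max:5000']])
        );

        return redirect()->route('posts.index');
    }
}

// ----- resources/js/Pages/Posts/Index.vue (Vue side, shown as a comment) -----
// <script setup>
// defineProps({ posts: Array, can: Object })
// </script>
// <template>
//   <PostForm v-if="can.create_post" />
//   <p v-else>Verify your email address to post.</p>
// </template>
```

The frontend check only controls what is rendered; the Gate::authorize call in store() is what actually protects the action, so a request crafted without the form is still rejected by the policy.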
By the end of this episode, we've got both backend and frontend checks in place and the UI now matches the user's permissions—if your email isn't verified, you don't even see the form. Simple, but super important for building a secure app!