New Route::resource()->authorize(Model::class)

[khalyomede]

Currently, only Route::{get,post,put,patch,delete}() allows to chain ->can("verb", Model::class) after it.

To authorize resources, we have to call the "can" middleware (or Route::group(["middleware" => "..."])) by hand, and the syntax is less handy because it does not understand the second parameter as the model:

Route::middleware("can:create," . Post::class)->group(function() {
  Route::resource("post", PostController::class)->only(["create", "store"]);
});

Route::middleware("can:viewAny," . Post::class)->group(function() {
  Route::resource("post", PostController::class)->only("index");
});

Route::middleware("can:view,post")->group(function() {
  Route::resource("post", PostController::class)->only("show");
});

Route::middleware("can:edit,post")->group(function() {
  Route::resource("post", PostController::class)->only(["edit", "update"]);
});

Route::middleware("can:delete,post")->group(function() {
  Route::resource("post", PostController::class)->only("destroy");
});

I propose to create a shorthand ->authorize(), since policies are generated with all the necessary common methods to validate CRUD action on a model, allowing to reduce all the code above to:

Route::resource("post", PostController::class)->authorize(Post::class);

This would find the policy(ies) attached to this model and validate each actions according to the route resource in this fashion:

Method	route	policy
GET	/post	PostPolicy::viewAny()
GET	/post/{post}	PostPolicy::view()
GET	/post/create	PostPolicy::create()
POST	/post	PostPolicy::create()
GET	/post/{post}/edit	PostPolicy::update()
PUT	/post/{post}	PostPolicy::update()
DELETE	/post/{post}	PostPolicy::delete()

We could, in the same manner as we can customize Route::resource(), offer the user to switch to sport mode and tell exactly how to resolves routes VS policies:

Route::resource("post", PostController::class)->authorize([
  "index" => [PostPolicy::class, "viewAny"],
  "show" => [PostPolicy::class, "view"];
  "create" => [AnotherPostPolicy::class, "create"],
  "store" => [AnotherPostPolicy::class, "create"],
  "edit" => [PostPolicy::class, "update"],
  "update" => [PostPolicy::class, "update"],
  "destroy" => [PostPolicy::class, "delete"];
]);

And we can allow to only override what should be manually resolved, keeping the rest automatically resolved:

Route::resource("post", PostController::class)->authorize(Post::class, [
  "destroy" => [PostPolicy::class, "destroy"];
]);

Route::get("post/{post}/delete", [PostController::class, "delete"])->name("post.delete")->can("delete", Post::class);

[khalyomede]

Seems like, we could just simply use the existing authorizing resource call. Sounds like a win, but it would lack ability to customize it.