When checking for permissions, always be as explicit as you can. For example, check that a user has the custom.view or custom.manage permission.
Guarding content in a Blade file:
@can('custom.view')
...
@endcan
@canany(['orders', 'custom'])
    ...
@endcanany
Checking the admin user has permission to access an endpoint:
Route::get('/my-module', [MyModuleController::class, 'index'])
    ->name('admin.modules.my-module')
    ->middleware('can:custom.view');
Route::get('/my-module/manage', [MyModuleController::class, 'manage'])
    ->name('admin.modules.my-module.manage')
    ->middleware('can:custom.manage');
Guarding the execution of code in a Controller:
if ($this->can('custom')) {
    // ...
}
if ($this->canAny(['orders', 'custom'])) {
    // ...
}