Authorization with Policies: Who Can Do What
Secure your application by controlling user permissions with policies.
Andrew Lee
September 22, 2025
Authorization ensures users only access what they are allowed to.
## Create policy
```bash
php artisan make:policy PostPolicy --model=Post
```
## Example rule
```php
// Allow the update only when the authenticated user owns the post.
public function update(User $user, Post $post): bool {
    return $user->id === $post->user_id;
}
```
## Use in controller
```php
// Runs PostPolicy::update; a false result throws AuthorizationException (HTTP 403).
$this->authorize('update', $post);
```
## Flow
```mermaid
flowchart TD
A[Request] --> B[Controller]
B --> C[Policy]
C -->|Allow| D[Continue]
C -->|Deny| E[403]
```
Policies protect your business rules.
In the next tutorial, we will build JSON APIs using Laravel.
#Laravel #Security #Advanced