Filament Plugins

Purchase

Authorization & policies

The Media Library uses a flexible authorization model that lets you control which users can perform which operations on files and folders. If you are upgrading from V3, your existing policies are automatically detected and bridged – no migration is required.

The V4 authorization model is built around FileAbility – an enum that represents every operation a user can perform on a file or folder. The available abilities are:

Ability Description
FileAbility::Create Upload a new file or create a folder.
FileAbility::View View a file or folder.
FileAbility::Update Edit metadata.
FileAbility::Rename Rename a file or folder.
FileAbility::Delete Delete a file or folder.
FileAbility::Download Download a file.
FileAbility::Duplicate Duplicate a file or folder.
FileAbility::Move Move a file or folder.
FileAbility::Preview Open the file preview.
FileAbility::Replace Replace the underlying file binary.

Authorization is evaluated by one or more callbacks registered on the plugin via ->authorizeUsing(). Each callback receives the ability, the authenticated user, the subject (a FileData, a Collection of FileData, a FileType, or null for context-free checks) and an optional context FileData. A callback returns true/null to allow, or false to deny. The first callback that returns false stops evaluation and denies the request; if all callbacks return null, the operation is allowed.

To authorize file and folder operations, call ->authorizeUsing() on the plugin in your panel provider and pass a closure. The closure receives four arguments:

Argument Description
FileAbility $ability The operation being attempted.
?Authenticatable $user The authenticated user, or null for guests.
FileType|FileData|Collection|null $subject The target of the operation.
?FileData $context Additional context (for example, the destination folder when creating).

Return false to deny the operation, or null (or nothing) to pass through to the next callback.

app/Providers/Filament/AdminPanelProvider.php
use RalphJSmit\Filament\MediaLibrary\FilamentMediaLibrary;
use RalphJSmit\Filament\Explore\Authorization\FileAbility;
use RalphJSmit\Filament\Explore\Data\FileData;
use Illuminate\Contracts\Auth\Authenticatable;

$panel->plugin(
    FilamentMediaLibrary::make()
        ->authorizeUsing(function (FileAbility $ability, ?Authenticatable $user, mixed $subject): ?bool {
            if ($ability === FileAbility::Delete && ! $user?->isAdmin()) {
                return false;
            }

            return null;
        }),
);

You can register multiple ->authorizeUsing() callbacks on the same plugin instance – they are evaluated in the order they were registered. The first callback to return false denies the operation immediately; all others are skipped.

app/Providers/Filament/AdminPanelProvider.php
FilamentMediaLibrary::make()
    ->authorizeUsing($this->authorizeViewsForGuests(...))
    ->authorizeUsing($this->authorizeDeletesForAdmins(...))

The $subject is typed as FileType|FileData|Collection|null. A Collection is passed for bulk operations. Check the type with instanceof before casting.

If you are upgrading from V3 and already have a MediaLibraryItemPolicy and/or MediaLibraryFolderPolicy registered in Laravel's Gate, you do not need to rewrite them. The Media Library automatically detects these policies on boot and bridges them to the V4 FileAbility model via the built-in LegacyPolicyAuthorization adapter.

How the bridge activates – during the plugin's boot() phase, it checks whether MediaLibraryItem or MediaLibraryFolder (or both) have a policy registered via Laravel's Gate. If at least one is found, a LegacyPolicyAuthorization callback is registered on the plugin via ->authorizeUsing(). If neither is registered, the bridge is skipped entirely. No configuration is required on your part – just keep your existing policies registered in your AuthServiceProvider.

Ability mapping – the bridge translates each FileAbility case to a policy method as follows.

For MediaLibraryItem (files):

FileAbility Policy method
View, Preview, Download view
Update, Rename update
Delete delete
Move move (falls back to update if absent)
Replace replace
Duplicate duplicate (falls back to create on the parent folder)
Create create with the parent MediaLibraryFolder (or null)

For MediaLibraryFolder (folders):

FileAbility Policy method
View view
Update, Rename update
Delete delete
Move move (falls back to update if absent)
Duplicate duplicatemoveupdate (first found)
Create create with the parent MediaLibraryFolder (or null)

Abilities with no mapping for a given model type return null (pass-through), so the operation is not blocked unless another callback denies it.

Bulk operations – the bridge checks each item individually. If any single item is denied, the entire bulk action is denied.

Partial policies – you don't need to register both policies. If you only have a MediaLibraryItemPolicy, folder operations are not evaluated by the bridge (and vice versa). Each policy is checked independently.

That's everything you need to control access to the Media Library. Use ->authorizeUsing() on the plugin for fresh V4 setups, or rely on the automatic legacy-policy bridge if you are upgrading from V3 with existing policies.

For the full upgrade checklist, see the upgrade guide.

© FilamentPlugins.com ✦ 2022 – 2026
PrivacyTerms & Conditions
All rights reserved.