relaticle-comments/docs/content/2.essentials/2.authorization.md
2026-03-27 00:29:57 +04:00


---
title: Authorization
description: Control who can create, edit, delete, and reply to comments.
navigation:
  icon: i-lucide-shield
seo:
  description: Configure comment authorization policies.
---

## Default Policy

The built-in `CommentPolicy` provides sensible defaults:

| Method | Default | Description |
|--------|---------|-------------|
| `viewAny()` | `true` | Everyone can view comments |
| `create()` | `true` | Everyone can create comments |
| `update()` | Owner only | Only the comment author can edit |
| `delete()` | Owner only | Only the comment author can delete |
| `reply()` | Depth check | Can reply if `max_depth` not exceeded |

## Custom Policy

Create your own policy to customize authorization:

```php
<?php

namespace App\Policies;

use Relaticle\Comments\Comment;
use Relaticle\Comments\Contracts\Commenter;

class CustomCommentPolicy
{
    public function viewAny(Commenter $user): bool
    {
        return true;
    }

    public function create(Commenter $user): bool
    {
        return true;
    }

    // Only the author may edit. The commenter relation is polymorphic,
    // so compare the morph type as well as the key.
    public function update(Commenter $user, Comment $comment): bool
    {
        return $comment->user_id === $user->getKey()
            && $comment->user_type === $user->getMorphClass();
    }

    // The author or an admin may delete. The author check matches update().
    // hasRole() is assumed to be provided by your user model (for example
    // through a roles package).
    public function delete(Commenter $user, Comment $comment): bool
    {
        return ($comment->user_id === $user->getKey()
                && $comment->user_type === $user->getMorphClass())
            || $user->hasRole('admin');
    }

    // Defer to the comment's own depth check.
    public function reply(Commenter $user, Comment $comment): bool
    {
        return $comment->canReply();
    }
}
```

Register it in your config:

```php
// config/comments.php
'policy' => App\Policies\CustomCommentPolicy::class,
```
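
Why `update()` compares `user_type` as well as `user_id`, shown as an added example rather than code from the package. The `Stub*` classes and the two `owns*` functions are hypothetical plain-PHP stand-ins and the ids are constructed; the point is that two different commenter models can share a primary key.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for two commenter models stored in different
// tables, so their primary keys can collide.
abstract class StubCommenter
{
    public function __construct(private int $id) {}
    public function getKey(): int { return $this->id; }
    abstract public function getMorphClass(): string;
}
final class StubUser extends StubCommenter
{
    public function getMorphClass(): string { return 'user'; }
}
final class StubCustomer extends StubCommenter
{
    public function getMorphClass(): string { return 'customer'; }
}

// Hypothetical stand-in for a stored comment: owner key plus owner morph type.
final class StubComment
{
    public function __construct(public int $user_id, public string $user_type) {}
}

// Ownership by key only: any commenter type with a matching key passes.
function ownsByIdOnly(StubCommenter $actor, StubComment $c): bool
{
    return $c->user_id === $actor->getKey();
}

// Ownership by key and morph type, the comparison update() makes.
function ownsByIdAndType(StubCommenter $actor, StubComment $c): bool
{
    return $c->user_id === $actor->getKey()
        && $c->user_type === $actor->getMorphClass();
}

// Constructed data: the comment belongs to user #7; customer #7 is another person.
$comment  = new StubComment(7, 'user');
$author   = new StubUser(7);
$stranger = new StubCustomer(7);

printf("key only, customer #7:     %s\n", var_export(ownsByIdOnly($stranger, $comment), true));
printf("key and type, customer #7: %s\n", var_export(ownsByIdAndType($stranger, $comment), true));
printf("key and type, user #7:     %s\n", var_export(ownsByIdAndType($author, $comment), true));
```
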

## How Authorization Works

The Livewire components check the policy before rendering action buttons. Edit and delete buttons appear only for authorized users. Reply buttons are hidden when the thread has reached the configured `max_depth`.

The policy is registered automatically by the service provider using Laravel's Gate system.