Restrict User Actions with Time-Based Sanctions Using Laravel Prohibitions

Laravel's Gates and Policies are essential for authorizing user actions. But what if you need to temporarily restrict a specific user—say, blocking someone from sending messages for a week after exceeding spam thresholds? Laravel Prohibitions, created by Kyrch, stores time-limited restrictions in the database, letting you apply and lift them dynamically without code changes.

The package fits scenarios like content moderation, rate limiting enforcement, account suspensions, and temporary feature lockouts during investigations. It distinguishes between individual prohibitions (single action restrictions) and sanctions (groups of prohibitions that can be applied together).

#Installation

Install the package via Composer:

composer require kyrch/laravel-prohibitions

Publish and run the migrations:

php artisan vendor:publish --tag="laravel-prohibitions-migrations"
php artisan migrate

Optionally publish the configuration file:

php artisan vendor:publish --tag="laravel-prohibitions-config"

#Setting Up Your Models

Add the HasSanctions trait to any model that can be prohibited from actions:

use Kyrch\Prohibition\Traits\HasSanctions;
 
class User extends Authenticatable
{
    use HasSanctions;
}

#Creating Prohibitions and Sanctions

Prohibitions represent individual actions that can be restricted. Sanctions group multiple prohibitions together for easier management:

use Kyrch\Prohibition\Models\Prohibition;
use Kyrch\Prohibition\Models\Sanction;
 
// Create individual prohibitions
$sendMessage = Prohibition::query()->create(['name' => 'send message']);
$createComment = Prohibition::query()->create(['name' => 'create comment']);
$joinGroup = Prohibition::query()->create(['name' => 'join group']);
 
// Group prohibitions into a sanction
$communitySanction = Sanction::query()->create(['name' => 'community restriction']);
$communitySanction->prohibitions()->attach([$sendMessage->id, $createComment->id, $joinGroup->id]);

#Applying Restrictions

Apply a single prohibition with an expiration date:

// Prohibit a user from sending messages for one week
$user->prohibit('send message', now()->addWeek());

Apply a sanction to restrict multiple actions at once:

// Apply the grouped community sanction for two weeks
$user->applySanction('community restriction', now()->addWeeks(2));

#Checking Prohibition Status

Before allowing an action, check if the user is prohibited:

if ($user->isProhibitedFrom('send message')) {
    return response()->json(['error' => 'You are currently restricted from sending messages.'], 403);
}

#Integration with Laravel Authorization

For consistent enforcement across your application, integrate prohibition checks into your authorization layer. Add a check in your Gate::before() callback:

use App\Models\User;
use Illuminate\Support\Facades\Gate;
 
Gate::before(function (User $user, string $ability) {
    if ($user->isProhibitedFrom($ability)) {
        return false;
    }
});

Or add checks to individual policy methods:

namespace App\Policies;
 
use App\Models\Conversation;
use App\Models\User;
 
class MessagePolicy
{
    public function before(User $user, string $ability): ?bool
    {
        if ($user->isProhibitedFrom($ability)) {
            return false;
        }
 
        return null;
    }
 
    public function send(User $user, Conversation $conversation): bool
    {
        return $conversation->participants->contains($user);
    }
}

#Event Handling

The package fires events when prohibitions and sanctions are triggered, allowing you to log moderation actions or notify users:

• ModelProhibitionTriggered — fired when a prohibition is applied
• ModelSanctionTriggered — fired when a sanction is applied

Events can be disabled in the configuration file if your application doesn't need them.

To learn more about Laravel Prohibitions and view the source code, visit the GitHub repository.