Move to Policies #1831

@rmartinoscar


Overriding the can*() authorization methods on a Resource, RelationManager or ManageRelatedRecords class

Although these methods, such as canCreate(), canViewAny() and canDelete(), weren’t documented, if you’re overriding those to provide custom authorization logic in v3, you should be aware that they aren’t always called in v4. The authorization logic has been improved to properly support policy response objects, and these methods were too simple as they are just able to return booleans.

If you can make the authorization customization inside the policy of the model instead, you should do that. If you need to customize the authorization logic in the resource or relation manager class, you should override the get*AuthorizationResponse() methods instead, such as getCreateAuthorizationResponse(), getViewAnyAuthorizationResponse() and getDeleteAuthorizationResponse(). These methods are called when the authorization logic is executed, and they return a policy response object. If you remove the override for the can*() methods, the get*AuthorizationResponse() methods will be used to determine the authorization response boolean, so you don't have to maintain the logic twice.

Source
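
A sketch of the move the issue title asks for, added here as an example and not taken from Filament or from this repository: a Laravel model policy that returns policy response objects in place of a boolean canDelete() override. The `Post` and `User` models and the `is_admin` and `published_at` attributes are assumptions made for illustration, and the class is meant to live inside a Laravel application.

```php
<?php

namespace App\Policies;

use App\Models\Post; // hypothetical model
use App\Models\User; // hypothetical model
use Illuminate\Auth\Access\Response;

// The kind of v3 resource override this replaces (boolean only, no reason given):
//
//     public static function canDelete(Model $record): bool
//     {
//         return auth()->user()->is_admin && $record->published_at === null;
//     }

class PostPolicy
{
    // Everyone who can reach the panel may list posts.
    public function viewAny(User $user): Response
    {
        return Response::allow();
    }

    // Deny by default, and say why, so the caller can surface the reason.
    public function create(User $user): Response
    {
        return $user->is_admin
            ? Response::allow()
            : Response::deny('Only administrators can create posts.');
    }

    // Two independent conditions, each with its own denial message.
    public function delete(User $user, Post $post): Response
    {
        if (! $user->is_admin) {
            return Response::deny('Only administrators can delete posts.');
        }

        if ($post->published_at !== null) {
            return Response::deny('Published posts must be unpublished before deletion.');
        }

        return Response::allow();
    }
}
```

With the rule in the policy, the same decision is applied wherever the application authorizes through Laravel's Gate (controllers, API routes, queued jobs), not only inside the admin panel.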
