Implementing advanced access control in Laravel allows you to manage user permissions and roles effectively. This can be done using Laravel’s built-in authorization features combined with packages like Laravel Permission by Spatie.
Step 1: Install Laravel
If you haven’t created a Laravel project yet, start by setting one up:
bash
1 2 |
composer create-project --prefer-dist laravel/laravel laravel-access-control cd laravel-access-control |
Step 2: Install Spatie Laravel Permission Package
Install the Spatie package for managing roles and permissions:
bash
1 |
composer require spatie/laravel-permission |
Step 3: Publish the Configuration
Publish the package’s configuration file and migration:
bash
1 |
php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider" |
Step 4: Run Migrations
Run the migrations to create the necessary tables:
bash
1 |
php artisan migrate |
Step 5: Set Up User Model
Add the HasRoles
trait to your User
model. This trait provides methods to assign roles and permissions to users.
php
1 2 3 4 5 6 7 8 9 10 11 |
namespace App\Models; use Illuminate\Foundation\Auth\User as Authenticatable; use Spatie\Permission\Traits\HasRoles; class User extends Authenticatable { use HasRoles; // Other model properties and methods... } |
Step 6: Create Roles and Permissions
You can create roles and permissions in your database. This can be done via a seeder or through the tinker console.
- Using Tinker:
bash
1 |
php artisan tinker |
Then run the following commands:
php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
use Spatie\Permission\Models\Role; use Spatie\Permission\Models\Permission; // Create roles $adminRole = Role::create(['name' => 'admin']); $userRole = Role::create(['name' => 'user']); // Create permissions $editArticles = Permission::create(['name' => 'edit articles']); $deleteArticles = Permission::create(['name' => 'delete articles']); // Assign permissions to roles $adminRole->givePermissionTo($editArticles); $adminRole->givePermissionTo($deleteArticles); $userRole->givePermissionTo($editArticles); |
- Using a Seeder:
Create a seeder:
bash
1 |
php artisan make:seeder RolePermissionSeeder |
In RolePermissionSeeder.php
, add:
php
1 2 3 4 5 6 7 8 9 10 11 12 13 |
namespace Database\Seeders; use Illuminate\Database\Seeder; use Spatie\Permission\Models\Role; use Spatie\Permission\Models\Permission; class RolePermissionSeeder extends Seeder { public function run() { // Create roles and permissions as before } } |
Don’t forget to call this seeder in DatabaseSeeder.php
.
Step 7: Assign Roles to Users
You can assign roles to users like this:
php
1 2 |
$user = User::find(1); $user->assignRole('admin'); // Assign admin role |
Step 8: Check Permissions in Controllers
You can check user permissions in your controllers using middleware or directly in methods:
- Using Middleware:
First, register the middleware in app/Http/Kernel.php
:
php
1 2 3 4 |
protected $routeMiddleware = [ 'role' => \Spatie\Permission\Middlewares\Role::class, 'permission' => \Spatie\Permission\Middlewares\Permission::class, ]; |
Then, use it in your routes:
php
1 2 3 4 5 6 |
Route::group(['middleware' => ['role:admin']], function () { Route::get('/admin/dashboard', [AdminController::class, 'index']); }); Route::get('/articles/edit', [ArticleController::class, 'edit']) ->middleware('permission:edit articles'); |
- Directly in Methods:
You can also check permissions directly in controller methods:
php
1 2 3 4 5 6 7 8 |
public function edit($id) { if (!auth()->user()->can('edit articles')) { abort(403); } // Edit logic here... } |
Step 9: Using Gates and Policies
For more granular control, you can define gates and policies. Here’s how to define a gate:
- Define a Gate:
In App\Providers\AuthServiceProvider.php
:
php
1 2 3 4 5 6 7 8 9 10 |
use Illuminate\Support\Facades\Gate; public function boot() { $this->registerPolicies(); Gate::define('edit-article', function ($user, $article) { return $user->id === $article->user_id || $user->hasRole('admin'); }); } |
- Check the Gate:
In your controller:
php
1 2 3 4 5 6 7 |
public function edit(Article $article) { if (Gate::denies('edit-article', $article)) { abort(403); } // Edit logic here... |
Conclusion
With this setup, you have implemented an advanced access control system using roles and permissions in Laravel. By utilizing Spatie’s Laravel Permission package, you can efficiently manage user roles and permissions. This approach provides flexibility and scalability, allowing you to adapt as your application’s access control needs evolve.
- Laravel Breeze – Simple authentication starter kit
- Laravel Jetstream – Scaffolding for Laravel apps
- Laravel Passport – API authentication via OAuth2
- Laravel Sanctum – Simple API authentication
- Spatie Laravel Permission – Role and permission management
- Laravel Cashier – Subscription billing with Stripe
- Laravel Scout – Full-text search using Algolia
- Laravel Socialite – OAuth authentication (Google, Facebook, etc.)
- Laravel Excel – Excel import and export for Laravel
- Laravel Horizon – Redis queues monitoring
- Laravel Nova – Admin panel for Laravel
- Laravel Fortify – Backend authentication for Laravel
- Laravel Vapor – Serverless deployment on AWS
- Laravel Telescope – Debugging assistant for Laravel
- Laravel Dusk – Browser testing
- Laravel Mix – API for compiling assets
- Spatie Laravel Backup – Backup management
- Laravel Livewire – Building dynamic UIs
- Spatie Laravel Media Library – Manage media uploads
- Laravel Excel – Excel spreadsheet handling
- Laravel Debugbar – Debug tool for Laravel
- Laravel WebSockets – Real-time communication
- Spatie Laravel Sitemap – Generate sitemaps
- Laravel Spark – SaaS scaffolding
- Laravel Envoy – Task runner for deployment
- Spatie Laravel Translatable – Multilingual model support
- Laravel Backpack – Admin panel
- Laravel AdminLTE – Admin interface template
- Laravel Collective Forms & HTML – Simplified form and HTML generation
- Spatie Laravel Analytics – Google Analytics integration
- Laravel Eloquent Sluggable – Automatically create slugs
- Laravel Charts – Chart integration
- Laravel Auditing – Track changes in models
- Laravel JWT Auth – JSON Web Token authentication
- Laravel Queue Monitor – Monitor job queues
- Spatie Laravel Query Builder – Filter, sort, and include relationships in Eloquent queries
- Laravel Datatables – jQuery Datatables API
- Laravel Localization – Multilingual support for views and routes
- Laravel Acl Manager – Access control list manager
- Laravel Activity Log – Record activity in your app
- Laravel Roles – Role-based access control
- Spatie Laravel Tags – Tagging models
- Laravel Installer – CLI installer for Laravel
- Laravel Breadcrumbs – Generate breadcrumbs in Laravel
- Laravel Mailgun – Mailgun integration for Laravel
- Laravel Trustup Model History – Store model change history
- Laravel Deployer – Deployment automation tool
- Laravel Auth – Custom authentication guards
- Laravel CORS – Cross-Origin Resource Sharing (CORS) support
- Laravel Notifications – Send notifications through multiple channels
- Spatie Laravel Http Logger – Log HTTP requests
- Laravel Permission Manager – Manage permissions easily
- Laravel Stubs – Customize default stubs in Laravel
- Laravel Fast Excel – Speed up Excel exports
- Laravel Image – Image processing
- Spatie Laravel Backup Server – Centralize backups for Laravel apps
- Laravel Forge API – Manage servers through the Forge API
- Laravel Blade SVG – Use SVGs in Blade templates
- Laravel Ban – Ban/unban users from your application
- Laravel API Response – Standardize API responses
- Laravel SEO – Manage SEO meta tags
- Laravel Settings – Store and retrieve settings
- Laravel DOMPDF – Generate PDFs
- Laravel Turbo – Full-stack framework for building modern web apps
- Spatie Laravel Event Sourcing – Event sourcing implementation
- Laravel Jetstream Inertia – Jetstream’s Inertia.js integration
- Laravel Envoy Tasks – Task automation
- Laravel Likeable – Like/dislike functionality
- Laravel GeoIP – Determine visitor’s geographic location
- Laravel Country State City – Dropdowns for country, state, and city
- Laravel Hashids – Generate short unique hashes
- Laravel Repository – Repository pattern for Laravel
- Laravel UUID – UUID generation for models
- Spatie Laravel Medialibrary Pro – Enhanced media management
- Laravel Queue Monitor – Monitor Laravel job queues
- Laravel User Activity – Monitor user activity
- Laravel DB Snapshots – Create database snapshots
- Laravel Twilio – Twilio integration
- Laravel Roles – Role-based permission handling
- Laravel Translatable – Add translations to Eloquent models
- Laravel Teamwork – Manage teams in multi-tenant apps
- Laravel Full Text Search – Add full-text search to Laravel models
- Laravel File Manager – File and media management
- Laravel User Timezones – Automatically detect user time zones
- Laravel ChartsJS – Render charts with ChartsJS
- Laravel Stripe – Stripe API integration
- Laravel PDF Generator – PDF generation
- Laravel Elasticsearch – Elasticsearch integration
- Laravel Simple Qrcode – Generate QR codes
- Laravel Timezone – Manage timezones and conversions
- Laravel Collective API – API management for Laravel
- Laravel Rest API Boilerplate – REST API starter kit
- Laravel Multi Auth – Multi-authentication functionality
- Laravel Voyager – Admin panel for Laravel
- Laravel Voyager Database – Database manager for Voyager
- Laravel Categories – Handle categories for models
- Laravel Multitenancy – Multi-tenancy implementation
- Laravel Access Control – Advanced access control for users
- Laravel Menus – Menu management
- Laravel Translatable Routes – Multilingual route handling