Laravel role and permission management
Posted By : Deepender Beniwal | 26-Jun-2019
Laravel APIs typically use tokens to authenticate users and do not maintain session state between requests. Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation.
We don’t want all authenticated users to be able to perform all tasks in the system. We want to limit them according to their access rights. We will be able to do that using roles and permissions.
So first of all, we have to understand what roles and permissions are in a Laravel application.
Roles
A role represents a group of tasks that a user that is assigned the role is allowed to perform. For example, the system administrator can be regarded as the owner of the system and as such, is permitted to perform all the tasks in the system. He/she can create users, delete and edit products, etc.
Permissions
A permission grants authorization to a role to perform a specific task. For example, you can define a permission called edit. Any role that is assigned the permission edit will be able to edit data in the system. You can also have permissions such as create and delete.
Laravel has its own core logic for managing permissions. It was introduced in version 5.1.11 and has remained almost unchanged since. However, managing roles and permissions is not easy with the core alone, and there are packages available for it.
So, I will describe Laravel-permission by Spatie.
For the purpose of this tutorial, I assume you have installed the Laravel application on the web server. My settings are:
- Laravel 5.5
- PHP 7.1
- MySQL
You can install the package via composer:
composer require spatie/laravel-permission
The service provider will automatically get registered. Or you may manually add the service provider in your config/app.php file:
'providers' => [
    // ...
    Spatie\Permission\PermissionServiceProvider::class,
];
After the migration has been published you can create the role- and permission-tables by running the migrations:
php artisan migrate
You can publish the config file with:
php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider" --tag="config"
Database Structure of Spatie
Usage of Spatie:
First, add the Spatie\Permission\Traits\HasRoles trait to your User model(s):
use Illuminate\Foundation\Auth\User as Authenticatable;
use Spatie\Permission\Traits\HasRoles;

class User extends Authenticatable
{
    use HasRoles;
}
Assigning Roles to a User
A role can be assigned to any user:
$user->assignRole('writer');
$user->assignRole(['writer', 'admin']);
$user->removeRole('writer');
Assigning Permissions to a User
Permissions are inherited from roles automatically. Additionally, individual permissions can be assigned to the user too. For instance:
$user->givePermissionTo('edit articles');
$user->givePermissionTo('edit articles', 'delete articles');
$user->revokePermissionTo('edit articles');
Assigning Permissions to Role
A permission can be assigned to any role:
use Spatie\Permission\Models\Role; // the package's Role model
$role = Role::findByName('writer');
$role->givePermissionTo('edit articles');
You can determine if a user has a certain role
$user->hasRole('writer');
You can determine if a role has a certain permission
$role->hasPermissionTo('edit articles');
A role can be removed from a user
$user->removeRole('writer');
A permission can be revoked from a role
$role->revokePermissionTo('edit articles');
Role and permission data is automatically cached to speed up performance.
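The checks above only return booleans; something still has to act on them for every request. As an added example (not code from the original post or from the Spatie package), this route middleware enforces one permission per route and fails closed. `RequirePermission`, the `require.permission` alias and `ArticleController` are hypothetical names.

```php
<?php
// Added example: a hypothetical middleware, not part of the package.
// 'edit articles' is the permission name used earlier in this tutorial.

namespace App\Http\Middleware;

use Closure;

class RequirePermission
{
    /**
     * Reject the request unless the authenticated user holds $permission,
     * either directly or through one of their roles.
     */
    public function handle($request, Closure $next, $permission)
    {
        $user = $request->user();

        // No authenticated user (missing or invalid token): stop here, so a
        // route that forgot the auth middleware is still not left open.
        if ($user === null) {
            abort(401, 'Unauthenticated.');
        }

        // can() goes through Laravel's Gate. An ability the Gate does not
        // know evaluates to false, so a typo in a route definition denies
        // access instead of granting it.
        if (! $user->can($permission)) {
            abort(403, 'Forbidden.');
        }

        return $next($request);
    }
}

// Registration (app/Http/Kernel.php, in $routeMiddleware):
//     'require.permission' => \App\Http\Middleware\RequirePermission::class,
//
// Usage (routes/api.php), assuming a guard named 'api' for the token
// authentication mentioned in the introduction:
//     Route::put('/articles/{id}', 'ArticleController@update')
//         ->middleware(['auth:api', 'require.permission:edit articles']);
```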
References:
https://github.com/spatie/laravel-permission/
Conclusion:
The Spatie package makes role and permission assignment easy. You can use this package in any Laravel application where you need authorization on the basis of roles and permissions.
Thanks
About Author
Deepender Beniwal
He is a PHP developer with 2 years of experience in developing dynamic web applications/software. Technical skills: PHP, MySQL, JavaScript, HTML/CSS, WordPress and Laravel.