Laravel ‐ Chapter 17 - pierre-akhrass/Lavarel-Docs GitHub Wiki
Managing roles and permissions is a vital part of securing any Laravel application. The Spatie Laravel-Permission package makes this easy, scalable, and elegant.
Instead of manually using a `role` column on the `users` table, this package uses tables like `roles`, `permissions`, and pivot tables to associate permissions to roles and users.
We aim to:
- Create roles like Admin, Editor, Reader
- Assign permissions to roles
- Allow roles to perform CRUD operations based on permissions
- Provide backend interfaces to manage roles and permissions dynamically
```bash
composer require spatie/laravel-permission
php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider"
```
The `vendor:publish` command copies (publishes) the configuration and migration files for the Spatie Laravel Permission package into your own Laravel project so you can:
- Edit the config file to customize how roles and permissions work.
- Run the database migration to create the required database tables.
```bash
php artisan migrate
```
This creates:
- `roles`
- `permissions`
- `model_has_roles`
- `model_has_permissions`
- `role_has_permissions`
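```php
use Illuminate\Foundation\Auth\User as Authenticatable;
use Spatie\Permission\Traits\HasRoles;

class User extends Authenticatable
{
    // Adds assignRole(), hasRole(), givePermissionTo(), etc. to the model
    use HasRoles;
}
```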
- A Role is a group of permissions.
- Examples: `Admin`, `Editor`, `Reader`.
- Permissions define specific actions.
- Examples: `post.create`, `post.edit`, `category.delete`.
Role | Permissions (Posts) | Permissions (Categories) |
---|---|---|
Admin | Create, Update, Delete, List | Create, Update, Delete, List |
Editor | Create, Update/Delete (own only), List | Create, Update/Delete (own only), List |
Reader | View only | View only |
```bash
php artisan make:seeder RoleSeeder
```
```php
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;

// Body of RoleSeeder::run(): create the roles, then the permissions
$admin = Role::create(['name' => 'Admin']);
$editor = Role::create(['name' => 'Editor']);
Permission::create(['name' => 'editor.post.index']);
Permission::create(['name' => 'editor.post.create']);
Permission::create(['name' => 'editor.post.update']);
Permission::create(['name' => 'editor.post.destroy']);
Permission::create(['name' => 'editor.category.index']);
Permission::create(['name' => 'editor.category.create']);
Permission::create(['name' => 'editor.category.update']);
Permission::create(['name' => 'editor.category.destroy']);
```
```bash
php artisan db:seed --class=RoleSeeder
```
```php
// Assign, remove, or replace a user's roles
$user->assignRole('Editor');
$user->removeRole('Editor');
$user->syncRoles(['Admin', 'Editor']);
```
```php
// Grant, revoke, or replace a role's permissions
$role->givePermissionTo('editor.post.create');
$role->revokePermissionTo('editor.post.create');
$role->syncPermissions(['editor.post.create', 'editor.post.update']);
```
```php
// The same association, managed from the permission side
$permission->assignRole('Editor');
$permission->removeRole('Editor');
$permission->syncRoles(['Admin', 'Editor']);
```
```php
// Check permissions and roles
$user->can('editor.post.update');
$user->hasRole('Editor');
$user->hasAnyRole(['Admin', 'Editor']);
$user->hasAllRoles(Role::all());
$user->hasExactRoles(['Admin', 'Editor']);
```
```blade
@can('editor.post.update')
    <button>Edit</button>
@endcan
```
- Display current permissions for a role
- Assign new permission via dropdown
- Remove permission with a click
```php
// Assign permission
$role->givePermissionTo($permission);
// Remove permission
$role->revokePermissionTo($permission);
```
Use Vue/Alpine.js or Laravel Blade + Axios for UI.
- Show current roles
- Allow adding/removing roles
- Update dynamically via JavaScript or form submission
Although not common (since roles usually encapsulate permissions), you can also give permissions directly to a user:
```php
$user->givePermissionTo('editor.post.create');
$user->revokePermissionTo('editor.post.create');
```
- Spatie-Permission integrates perfectly with Laravel Gates and Policies.
- Use middleware to protect routes:
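```php
use Illuminate\Support\Facades\Route;

// Requires the package's `role` middleware alias to be registered in the application
Route::middleware(['role:Admin'])->group(function () {
    // admin-only routes
});
```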
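
The role table above limits Editors to updating or deleting their own posts, which a permission name such as `editor.post.update` cannot express by itself; a policy can combine the permission check with an ownership check. The following is an added example, not part of the original wiki, and it assumes a hypothetical `App\Models\Post` model with a `user_id` author column and Laravel's default policy auto-discovery.

```php
<?php
// Added example (not from the wiki). Assumed names: App\Models\Post,
// its `user_id` column, and this PostPolicy class.

namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Admin may update any post; Editor needs the seeded permission
    // AND must be the author of this specific post.
    public function update(User $user, Post $post): bool
    {
        if ($user->hasRole('Admin')) {
            return true;
        }

        return $user->can('editor.post.update') && $this->owns($user, $post);
    }

    // Same rule for deletion, using the seeded `destroy` permission.
    public function delete(User $user, Post $post): bool
    {
        if ($user->hasRole('Admin')) {
            return true;
        }

        return $user->can('editor.post.destroy') && $this->owns($user, $post);
    }

    // Strict comparison on integer-cast ids; a post with no author
    // is owned by nobody, so it never matches.
    private function owns(User $user, Post $post): bool
    {
        return $post->user_id !== null
            && (int) $post->user_id === (int) $user->getKey();
    }
}

// Enforce it server-side in the controller action, not only in Blade:
//     Gate::authorize('update', $post);   // throws a 403 if denied
// In a view, hide the button with the same rule:
//     @can('update', $post) <button>Edit</button> @endcan
```

Hiding the button with `@can` only changes what is rendered; the `Gate::authorize` call in the controller is what stops an Editor from submitting an update for a post they do not own.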