Laravel ‐ Chapter 17 - pierre-akhrass/Lavarel-Docs GitHub Wiki
Managing roles and permissions is a vital part of securing any Laravel application. The Spatie Laravel-Permission package makes this easy, scalable, and elegant.
Instead of manually using a role column on the users table, this package uses tables like roles, permissions, and pivot tables to associate permissions to roles and users.
We aim to:
- Create roles like Admin, Editor, Reader
- Assign permissions to roles
- Allow roles to perform CRUD operations based on permissions
- Provide backend interfaces to manage roles and permissions dynamically
composer require spatie/laravel-permissionphp artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider"It copies (publishes) the configuration and migration files for the Spatie Laravel Permission package into your own Laravel project so you can:
- Edit the config file to customize how roles and permissions work.
- Run the database migration to create the required database tables.
php artisan migrateThis creates:
rolespermissionsmodel_has_rolesmodel_has_permissionsrole_has_permissions
use Spatie\Permission\Traits\HasRoles;
class User extends Authenticatable
{
use HasRoles;
}- A Role is a group of permissions.
- Examples:
Admin,Editor,Reader.
- Define specific actions.
- Examples:
post.create,post.edit,category.delete.
| Role | Permissions (Posts) | Permissions (Categories) |
|---|---|---|
| Admin | Create, Update, Delete, List | Create, Update, Delete, List |
| Editor | Create, Update/Delete (own only), List | Create, Update/Delete (own only), List |
| Reader | View only | View only |
php artisan make:seeder RoleSeeder$admin = Role::create(['name' => 'Admin']);
$editor = Role::create(['name' => 'Editor']);
Permission::create(['name' => 'editor.post.index']);
Permission::create(['name' => 'editor.post.create']);
Permission::create(['name' => 'editor.post.update']);
Permission::create(['name' => 'editor.post.destroy']);
Permission::create(['name' => 'editor.category.index']);
Permission::create(['name' => 'editor.category.create']);
Permission::create(['name' => 'editor.category.update']);
Permission::create(['name' => 'editor.category.destroy']);php artisan db:seed --class=RoleSeeder$user->assignRole('Editor');
$user->removeRole('Editor');
$user->syncRoles(['Admin', 'Editor']);$role->givePermissionTo('editor.post.create');
$role->revokePermissionTo('editor.post.create');
$role->syncPermissions(['editor.post.create', 'editor.post.update']);$permission->assignRole('Editor');
$permission->removeRole('Editor');
$permission->syncRoles(['Admin', 'Editor']);$user->can('editor.post.update');
$user->hasRole('Editor');
$user->hasAnyRole(['Admin', 'Editor']);
$user->hasAllRoles(Role::all());
$user->hasExactRoles(['Admin', 'Editor']);@can('editor.post.update')
<button>Edit</button>
@endcan- Display current permissions for a role
- Assign new permission via dropdown
- Remove permission with a click
// Assign permission
$role->givePermissionTo($permission);
// Remove permission
$role->revokePermissionTo($permission);Use Vue/Alpine.js or Laravel Blade + Axios for UI.
- Show current roles
- Allow adding/removing roles
- Update dynamically via JavaScript or form submission
Although not common (since roles usually encapsulate permissions), you can:
$user->givePermissionTo('editor.post.create');
$user->revokePermissionTo('editor.post.create');- Spatie-Permission integrates perfectly with Laravel Gates and Policies.
- Use middleware to protect routes:
Route::middleware(['role:Admin'])->group(function () {
// admin-only routes
});