This package allows you to manage user permissions in a database using role and direct user based permission with Account (Organization) level and owner level permission check. It handle 2 types of abilities (route ability and field ability).
-
Require it with Composer
composer require riteshjha/laravel-permission
-
You can publish the migrations, views, assets and the config file with:
php artisan vendor:publish --provider="Rkj\Permission\PermissionServiceProvider"
-
Add the service provider in your config/app.php file:
'providers' => [ // ... Rkj\Permission\PermissionServiceProvider::class, ]; 'aliases' => [ //... 'Permission' => Rkj\Permission\Facades\Permission::class ];
-
This package publishes a
config/permission.php
file. Check this file and change accourding to your needs for different (Ability, Role and User) model name and other config options. -
Run migrations:
php artisan migrate
-
First configure models namesapce in
config/permission.php
-
Add
UserHasRole
trait to your User model andRoleHasAbility
to Role model. -
All model that you want to include in permission should implements
Permissionable
interface and addHasPermission
trait.
Package handle 2 types of ability (route ability and field ability). Package parse Auth route (route which has auth middleware) and store route name as a Route Ability. For field ability, you have to define it in your model like this:
class Project extends Model
{
protected $fieldAbilities = ['cost', 'estimated_cost'] ; //list projects table fields on which you want to apply permission
}
You can use Project::allowFieldAbilities(['cost'])
in your seeder to alow default field ability. For details check PermissionSeeder
in tests.
Role and Ability is divided in 2 groups (SYSTEM and ACCOUNT). All admin users that mange admin tasks will under SYSTEM group role.
All users that signup or login as front end user will under ACCOUNT group. Similarly All ability (route name) which is used for admin
interface will be under SYSTEM group and all ability which is used for front-end will be under ACCOUNT group. To disable it change disableAbilityGroup
to true in config.
php artisan ability:record // if need fresh then add --fresh
There is an admin interface with routes and views for handling ability and permissions. You have to add package routes in your admin route group.
Route::group(['middleware' => ['auth'], 'prefix' => 'admin'], function () {
Permission::routes();
});
Now you can access permission interface via admin/permission/roles
routes
Note: If you use admin routes prefix other than 'admin' then change adminRoutePrefix
value in config/permission.php
Package use laravel gate, so you can use can('project.create')
in view and $this->authorize('project.create')
in controller for route ability. And can('projects::cost')
for field ability in view. Here projects is a table name.
For Details check Tests
When creating or updating record in model then filter data using filterFieldAccess
method like :
$data = Project::filterFieldAccess($data)