Spatie Laravel-Permission is an open source role-based user permissions package for use with Laravel; It is a package that is easy to use when implementing a structure that is so managed in projects today, such as permissions and roles, which we will go into more detail in the next section.
In this section, we will know in detail how to use this package in a Laravel project and with this, be able to protect resources in a more scalable and modular way than simply indicating an enumerated column for the type and role.
Roles and permissions
In typical systems that are required to protect the resources of an application, roles and permissions are used by regulation to manage controlled access to each of the resources; roles and permissions are a mechanism to control access to different parts of a web application.
Permissions are specific actions that a user can perform in the app, for example "post a new article" or "delete a comment". With Spatie laravel-permission, you can associate roles and permissions with users and check if a user has access to a specific action in the app based on the app's roles and permissions.
Roles are a way of grouping permissions, for example, you could have an "administrator" role that has permissions to all actions in your app, while a "user" role would only have permissions for limited actions.
To understand what has been said through an example, in the context of a web application, the roles can be, for example, "administrator", "editor" and "reader". Each role has a different set of permissions that determines what actions it can perform.
For posts in an admin role:
- Create post.
- Update post.
- Delete post.
- Detail/list post.
For categories in an admin role:
- Create category.
- Update category.
- Delete category.
- Detail/list category.
For posts in an editor role:
- Create post.
- Update post (only yours).
- Delete post (only yours).
- Detail/list post.
For categories in an editor role:
- Create category.
- Update category (only yours).
- Delete category (only yours).
- Detail/list category.
For posts in a reader role:
- Detail/list post.
You can get more information at:
https://spatie.be/docs/laravel-permission/v5/introduction
Instalation
The installation of this package has been typical in which we execute a command by composer indicating the package we want to install:
$ composer require spatie/laravel-permissionThe provider is registered:
config/app.php
'providers' => [
***
Spatie\Permission\PermissionServiceProvider::class,
];The migration and the configuration file config/permission.php are published to be able to customize it:
$ php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider"The migration is executed:
$ php artisan migrateAnd we will have an output like the following:
2023_04_16_125650_create_permission_tables ................... 796ms DONEWith the previous command several tables are created, you can inspect the migration of the permissions (***_create_permission_tables) and you will see that it consists of several tables:
- roles
- permissions
- model_has_permissions
- model_has_roles
- role_has_permissions
In order to use the permissions from the users entity, we register the roles trait:
use Spatie\Permission\Traits\HasRoles;
class User extends Authenticatable
{
use *** HasRoles;
***
}
Develop with Laravel, Django, Flask, CodeIgniter, HTML5, CSS3, MySQL, JavaScript, Vue, Android, iOS, Flutter