Policies vs Spatie (Roles and Permissions) in Laravel: When to use them? ChatGPT Answers...

I'll tell you when you should use policies and when you should use systems like roles and permissions.

Hello, I wanted to make a quick clarification, I hope it's quick, about when to use Spatie and when to use policies in Laravel. Obviously, with this I'm assuming that I understand what I'm talking about, but I'll tell you quickly anyway.

Role and Permission Systems - Spatie

Spatie is essentially the standard roles-and-permissions system you find in any other kind of application or framework: it lets you manage, on one side, permissions and roles, and on the other, users, so that you take a user and assign roles and permissions to them. There is plenty of information about it on the Internet in case you don't master it yet. Policies, on the other hand, are a somewhat more homemade system with which you could also simulate the same thing. As you can see here, I asked ChatGPT when to use one and when to use the other, and what it recommends; we are going to analyze that answer a little, and along the way I'll also explain policies a bit, which I haven't done yet, and we'll see when to use each one. Let's start with Spatie, which I believe is the one that is easier to understand: Spatie is basically a system of roles and permissions, as I was telling you before. So what the hell is that?

Example of Roles and Permissions system

For example, suppose we have a blog-type application with its editor and the basic CRUD: listing, editing, creating and deleting. We have administrator users, editors and so on; all of that you configure to your liking depending on the business logic of your application. To keep it simple, you are going to have some users that can only edit, so you are going to have permissions to create, edit, delete and, of course, to see the listing or the detail. For an editor user you assign the edit permission, since you only want them to edit (assuming you don't want them to create; if you do, you assign that one too), plus the listing permission, because obviously they have to be able to see the details. The administrator or super administrator user, depending on how you manage it, gets the rest of the CRUD I mentioned: permissions to edit, create, delete and list. From there you can create and mix them however you want, but that is basically it.

It is a way in which you can indicate which users can perform an operation and which users cannot perform an operation.

How does all this translate into practice? Basically into conditionals. There are some helper functions that act as an intermediary for a conditional, but in the end all of these are conditionals:

$user->assignRole('admin');
$user->givePermissionTo('edit articles');

if ($user->can('edit articles')) {
    // Access granted
}

So here, as I was telling you, we have very easy reuse of the permissions: you have the permission and you can assign it to the users, and that is basically how Spatie works. In Django, for example, we also have a similar system, only there it comes built into the framework. They also mention easy integration with anything, in this case the policies. Here you have an example of this: we have an authenticated user, whatever you want, you assign it a role, and to the role you can give some permissions. Behind this is a quite flexible system: you can automatically assign some permissions to that role so you don't have to do it manually, or assign them to the user independently, and this is already Spatie; you can assign the permissions as you are seeing on the screen. From there come the conditionals: there are like a thousand ways to do this, but the simplest is to ask whether this user has the permission mentioned here, as you can see:

can('edit articles')
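The blog scenario described above (editors who may only list and edit, admins who get the whole CRUD) wired up with Spatie's laravel-permission package, as an added example that is not code from the original post. It assumes the package is installed, that App\Models\User uses the Spatie\Permission\Traits\HasRoles trait, and that the user ids and the BlogRolesSeeder class name are made up for the example.

```php
<?php
// Added example (not from the original post): roles and permissions for the blog
// scenario using Spatie's laravel-permission. Assumptions: the package is installed,
// App\Models\User uses Spatie\Permission\Traits\HasRoles, user ids are constructed.

namespace Database\Seeders;

use App\Models\User;
use Illuminate\Database\Seeder;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;

class BlogRolesSeeder extends Seeder
{
    // One permission per CRUD operation on articles.
    public const PERMISSIONS = ['list articles', 'create articles', 'edit articles', 'delete articles'];

    public function run(): void
    {
        // Permissions are rows in the permissions table; findOrCreate keeps the seeder idempotent.
        foreach (self::PERMISSIONS as $name) {
            Permission::findOrCreate($name);
        }

        // Editors: see the listing/detail and edit, but neither create nor delete.
        Role::findOrCreate('editor')->syncPermissions(['list articles', 'edit articles']);

        // Admins: the whole CRUD. Permissions are inherited through the role,
        // so nothing has to be given to each admin user by hand.
        Role::findOrCreate('admin')->syncPermissions(self::PERMISSIONS);

        // Users only receive roles; a direct givePermissionTo() on a user is the exception.
        User::findOrFail(1)->assignRole('editor'); // constructed id
        User::findOrFail(2)->assignRole('admin');  // constructed id
    }
}

// Anywhere in the app the check is the same conditional from the post. Spatie registers
// its permissions with Laravel's Gate, so can() resolves them through the role:
//   $editor->can('edit articles');   // true
//   $editor->can('delete articles'); // false
//   $admin->can('delete articles');  // true
//
// The same check as route middleware, once the package's middleware aliases
// (role, permission) are registered as its documentation describes:
//   Route::put('/articles/{article}', [ArticleController::class, 'update'])
//       ->middleware(['auth', 'permission:edit articles']);
```

The point to notice is that no controller ever mentions "editor" or "admin": code asks for the permission, and the role-to-permission mapping can change in the seeder (or in an admin screen) without touching the conditionals.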

And you just ask, and little else. So what the hell is a policy, if we already have that up there? Quite excellent, as the policy section indicates: it is something similar, but a little more generic. That is already my own term, since we usually use policies when we don't need a complex system of roles and permissions, as indicated here. That is to say, what we have is something simple, and right now I am going to give you a good example of this.

Use of Policies

You don't really want to manage a system for editor posts and so on, or Spatie is simply too big for you, because as you can see, with roles and permissions you have a ton of options. Not all applications need it, and that's why policies emerge as a solution, as a kind of prior step, although they can also be used together, and that can be a bit confusing in all this. Even so, I'm going to try to give you a clear idea of when to use one and when to use the other in a few moments. The logic of the application depends on the model; this is something very important, since this is a bit more generic: it is simply what I was telling you, the user can create posts, but not based on some permission; this is already a little more business logic. An example of this I can give you here in my application, desarrollolibre.net.

This is where you can find my courses and books at the best price. When you buy one, it basically generates a coupon that expires in 30 days so that you can get a discount on the next course. So, with that, I've already done my sponsor bit.

I want to show you a little bit of an implementation that I have here:

// Has this user paid for the book that this section belongs to?
$filePayment = FilePayment::where('user_id', $user->id)
    ->where('file_paymentable_id', $bookSection->book->id)
    ->where('file_paymentable_type', Book::class)
    ->first();

if ($filePayment === null) {
    return [202, "No has comprado el libro"];
}

Look at this: this is not a policy, but it is a good candidate for me to translate into one, a policy in which the user will only get the sections of a book. That is why I showed you the page, not simply to give myself publicity: you come here to books, for example I bought this one, I go to the web viewer and there I can see the books. So, obviously, to prevent someone from sneaking in simply by the URL, I have to ask whether the user has the permission to see the content you just saw on the screen, and in this case that means they have to have bought it, which is basically this model that we have here. That is why this is a good candidate to define in a policy, which in the end is exactly this, and precisely to avoid placing this check, which I have here defined two or three times. It is a small application and that is why I have not done that work. Well, notice that I have it more times than I thought, but as they say, everything can be improved, and surely at some point I will do it.

So basically, here you would define a policy that does exactly this: it asks whether the authenticated user I am getting here has access to the book they want to consume in detail. Therefore, if a non-authenticated user, or one who did not buy this resource, tries to enter, they simply won't be able to, because of the rule we have here. You can see it as a kind of policing: suppose you are a policeman (a politician, no; politicians are corrupt) who simply comes here and says: look, you can't, because you have not bought it. So it is a little more linked to the business logic, the models and everything else; the strongest layer of the business logic is the models, and that is why you can see this translation here.

And notice that in my very particular case it would not be very useful to use Spatie. Of course, I could create a permission that says, I don't know, "has access to the books" or "see the books" or whatever; I could perfectly do it, but I think at this point you understand that in this case the policy has a greater integration with the business logic, while Spatie, the roles and permissions scheme, is a slightly more generic scheme, and being more generic you can use it for larger applications. For example, here in my application I don't need to use Spatie, for the reasons mentioned before, so here you have a good example of this.

Of course, you can also use Spatie inside the policies, that is, the same conditionals you do with Spatie you can place in the policies, but usually it is not necessary, because it would already be a bit big. Or, in case the logic is still more complex, suppose that on the one hand you need some permissions, but on the other hand you also need to do some verification at the model level, that is, a bit of Spatie and a bit of the policies. In that case you could create a policy that encompasses all those operations, since in the end the policy does not have to comply with just one condition; it can be several steps, and this depends a bit on the logic of your application, so that a certain requirement is met for accessing certain resources.

So, in summary, policies are more closely linked to your application, to its business logic, while Spatie can be seen as something a little more generic: a system of roles and permissions that you adapt to your needs based on a resource that you want to manage.
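The translation of the purchase check above into a policy, together with the "a bit of Spatie and a bit of policies" combination, as an added example that is not the code from the original post or the desarrollolibre.net application. It assumes the models App\Models\User, Book, BookSection and FilePayment with the columns used in the original query, a book() relation on BookSection, Laravel's default policy discovery (App\Models\Book maps to App\Policies\BookPolicy), and, only for the before() method, Spatie's HasRoles trait on User and an 'admin' role; the controller name is made up. Both classes would normally live in their own files; bracketed namespaces are used here only so the example is one file.

```php
<?php
// Added example (not code from the original post): the purchase check moved into a
// Laravel policy, plus the controller call that uses it. Assumptions: models User,
// Book, BookSection and FilePayment exist with the columns of the original query,
// BookSection->book() exists, Laravel's policy discovery maps Book to BookPolicy,
// and (for before() only) User uses Spatie's HasRoles trait with an 'admin' role.

namespace App\Policies {

    use App\Models\Book;
    use App\Models\FilePayment;
    use App\Models\User;
    use Illuminate\Auth\Access\Response;

    class BookPolicy
    {
        // "A bit of Spatie and a bit of policies": admins (a Spatie role) skip the
        // purchase check. Returning null falls through to the ability method below.
        // Remove this method if Spatie is not installed.
        public function before(User $user, string $ability): ?bool
        {
            return $user->hasRole('admin') ? true : null;
        }

        // The model-level rule from the post: only a user with a FilePayment row
        // pointing at this book may view its sections.
        public function view(User $user, Book $book): Response
        {
            $purchased = FilePayment::where('user_id', $user->id)
                ->where('file_paymentable_id', $book->id)
                ->where('file_paymentable_type', Book::class)
                ->exists();

            return $purchased
                ? Response::allow()
                : Response::deny('No has comprado el libro');
        }
    }
}

namespace App\Http\Controllers {

    use App\Models\BookSection;
    use Illuminate\Foundation\Auth\Access\AuthorizesRequests;

    class BookSectionController extends Controller
    {
        use AuthorizesRequests;

        public function show(BookSection $bookSection)
        {
            // One line replaces every copy of the hand-written query. On denial Laravel
            // throws AuthorizationException (HTTP 403) carrying the deny message, so a
            // user who is not logged in or did not buy the book never reaches the view.
            $this->authorize('view', $bookSection->book);

            return view('books.section', ['bookSection' => $bookSection]);
        }
    }
}
```

The same rule can be asked from Blade with @can('view', $book) or from anywhere else with $user->can('view', $book); the query lives in exactly one place, which is the duplication the post points out in its own code.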

- Andrés Cruz
