Super simple RBAC/ACL implementation for Laravel 5+.
Require this package with Composer (Packagist) using the following command:
composer require amonray/laravel-rbac
or modify your composer.json:
"require": {
...
"amonray/laravel-rbac": "^0.3"
}
then run composer update.
After installation, register the ServiceProvider in the providers array in config/app.php
PHPZen\LaravelRbac\RbacServiceProvider::class,
Publish migration files
$ php artisan vendor:publish --provider="PHPZen\LaravelRbac\RbacServiceProvider" --force
Run migrations
$ php artisan migrate
Add RBAC middleware to your app/Http/Kernel.php
protected $routeMiddleware = [
...
// ::class must not be quoted, otherwise the literal string "...Rbac::class" is registered
'rbac' => \PHPZen\LaravelRbac\Middleware\Rbac::class,
];
Add the Rbac trait to your User model
use PHPZen\LaravelRbac\Traits\Rbac;
class User extends Authenticatable
{
use Rbac;
...
}
// Create roles
$adminRole = new Role;
$adminRole->name = 'Administrator';
$adminRole->slug = 'administrator';
$adminRole->description = 'System Administrator';
$adminRole->save();
$editorRole = new Role;
$editorRole->name = 'Editor';
$editorRole->slug = 'editor';
$editorRole->description = 'Editor';
$editorRole->save();
// Assign a role to a user
$user = User::find(1);
$user->roles()->attach($adminRole->id);
You can also assign multiple roles at once:
$user->roles()->attach([$adminRole->id, $editorRole->id]);
// Revoke a role from a user
$user->roles()->detach($adminRole->id);
You can also revoke multiple roles at once:
$user->roles()->detach([$adminRole->id, $editorRole->id]);
// Replace the user's roles with exactly the given set
$user->roles()->sync([$editorRole->id]);
Any role already assigned to the user will be revoked if you don't pass its id to the sync method.
// Create permissions
$createUser = new Permission;
$createUser->name = 'Create user';
$createUser->slug = 'user.create';
$createUser->description = 'Permission to create user';
$createUser->save();
$updateUser = new Permission;
$updateUser->name = 'Update user';
$updateUser->slug = 'user.update';
$updateUser->description = 'Permission to update user';
$updateUser->save();
// Assign a permission to a role
$adminRole = Role::find(1);
$adminRole->permissions()->attach($createUser->id);
You can also assign multiple permissions at once:
$adminRole->permissions()->attach([$createUser->id, $updateUser->id]);
// Revoke a permission from a role
$adminRole->permissions()->detach($createUser->id);
You can also revoke multiple permissions at once:
$adminRole->permissions()->detach([$createUser->id, $updateUser->id]);
// Replace the role's permissions with exactly the given set
$adminRole->permissions()->sync([$updateUser->id]);
Any permission already assigned to the role will be revoked if you don't pass its id to the sync method.
Roles and permissions can be checked on a User instance using the hasRole and canDo methods.
$isAdmin = Auth::user()->hasRole('administrator'); // pass role slug as parameter
$isAdminOrEditor = Auth::user()->hasRole('administrator|editor'); // using OR operator
$canUpdateUser = Auth::user()->canDo('user.update'); // pass permission slug as parameter (slug as created above)
$canUpdateOrCreateUser = Auth::user()->canDo('user.update|user.create'); // using OR operator
Laravel RBAC provides middleware to protect single routes and route groups. The middleware expects two comma-separated parameters:
- is or can as the first parameter - what to check (role/permission)
- the role/permission slug as the second parameter
// Require the administrator role
Route::get('/backend', [
'uses' => 'BackendController@index',
'middleware' => ['auth', 'rbac:is,administrator']
]);
// Require the administrator OR editor role
Route::get('/backend', [
'uses' => 'BackendController@index',
'middleware' => ['auth', 'rbac:is,administrator|editor']
]);
// Require the view.dashboard permission
Route::get('/dashboard', [
'uses' => 'DashboardController@index',
'middleware' => ['auth', 'rbac:can,view.dashboard']
]);
// Require the view.dashboard OR view.statistics permission
Route::get('/dashboard', [
'uses' => 'DashboardController@index',
'middleware' => ['auth', 'rbac:can,view.dashboard|view.statistics']
]);
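The OR semantics of hasRole, canDo and the rbac middleware parameters can be modelled in plain PHP. This is an added example, not the package's code: the function names, the sample data and the decision to deny an unknown check type are assumptions made for illustration.

```php
<?php
// Added illustration, not the package's code. Models "is"/"can" checks with "|" as OR.

/** Permission slugs a user holds through the given roles. */
function permissionsFor(array $userRoles, array $rolePermissions): array
{
    $granted = [];
    foreach ($userRoles as $role) {
        $granted = array_merge($granted, $rolePermissions[$role] ?? []);
    }
    return array_unique($granted);
}

/** Evaluate a middleware-style parameter pair such as "is", "administrator|editor". */
function rbacAllows(array $userRoles, array $rolePermissions, string $check, string $slugs): bool
{
    // Split on "|" and drop empty alternatives so "a||b" or "" cannot match anything by accident.
    $wanted = array_filter(array_map('trim', explode('|', $slugs)), 'strlen');
    if ($check === 'is') {
        $held = $userRoles;
    } elseif ($check === 'can') {
        $held = permissionsFor($userRoles, $rolePermissions);
    } else {
        return false; // assumption: an unknown check type is denied (fail closed)
    }
    return count(array_intersect($wanted, $held)) > 0;
}

// Constructed sample data using the role and permission slugs from this page.
$rolePermissions = [
    'administrator' => ['user.create', 'user.update'],
    'editor'        => [],
];

$cases = [
    [['administrator'], 'is',  'administrator|editor'],    // role check with OR
    [['editor'],        'can', 'user.update'],             // role that holds no permissions
    [['administrator'], 'can', 'update.user'],             // slug parts typed in the wrong order
    [['administrator'], 'can', 'update.user|user.create'], // one valid alternative among two
    [['administrator'], 'has', 'administrator'],           // unknown check type
];
foreach ($cases as [$roles, $check, $slugs]) {
    $verdict = rbacAllows($roles, $rolePermissions, $check, $slugs) ? 'allow' : 'deny';
    printf("%-4s %-26s => %s\n", $check, $slugs, $verdict);
}
```

A slug that does not match a stored slug exactly never grants access, so a typo in a route definition shows up as an unexpected denial rather than an error.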
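Laravel RBAC provides two Blade directives to check if the user has a role/permission assigned. The directives only control what is rendered; the routes behind that content still need the middleware.
Check for role: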
@ifUserIs('administrator')
// show admin content here
@else
// sorry
@endif
@ifUserIs('administrator|editor')
// show editor content here
@else
// sorry
@endif
Check for permission:
@ifUserCan('delete.user')
// show delete button
@endif
@ifUserCan('delete.user|manage.user')
// show delete button
@endif
Laravel RBAC is open-source software licensed under the MIT license.