Laravel Role Permission Laravel Package

Getting Started

Minimal Setup

1. Installation

   composer require abdul/laravel-role-permission
   

   Publish the config file:

   php artisan vendor:publish --provider="Abdul\RolePermission\RolePermissionServiceProvider"
   

2. Run Migrations

   php artisan migrate
   

   This creates roles, permissions, and role_permission tables.

3. Configure Middleware Add the middleware to routes requiring permission checks:

   Route::middleware(['role-permission'])->group(function () {
       // Protected routes
   });
   

4. First Use Case Assign a role to a user and define permissions:

   // Assign role to user
   $user->roles()->attach(1); // Role ID
   
   // Define permissions for a role
   $role = \App\Models\Role::find(1);
   $role->permissions()->attach([1, 2, 3]); // Permission IDs
   

Implementation Patterns

Role & Permission Management

• Dynamic Permission Assignment Use the RolePermission facade to check permissions:

  use Abdul\RolePermission\Facades\RolePermission;
  
  if (RolePermission::hasPermission('edit-post')) {
      // Allow action
  }
  

• Route-Level Permissions Define permissions in route middleware:

  Route::get('/admin/posts', function () {
      return view('posts.index');
  })->middleware(['role-permission:edit-post']);
  

• Policy Integration Extend Laravel’s built-in policies:

  class PostPolicy extends Policy {
      public function update(User $user, Post $post) {
          return RolePermission::hasPermission($user, 'edit-post');
      }
  }
  

Workflow Integration

1. Admin Panel

   • Use the package to restrict CRUD operations in admin panels (e.g., Nova, Filament).
   • Example: Only allow delete-post permission for the "Delete" button.

2. API Gatekeeper

   • Protect API endpoints:

     Route::delete('/posts/{id}', function (Post $post) {
         return $post->delete();
     })->middleware(['role-permission:delete-post']);
     

3. Seeding Permissions Seed initial roles/permissions in DatabaseSeeder:

   $adminRole = Role::create(['name' => 'admin']);
   $adminRole->permissions()->attach([
       Permission::where('name', 'edit-post')->first(),
       Permission::where('name', 'delete-post')->first(),
   ]);
   

Gotchas and Tips

Pitfalls

• Middleware Misconfiguration Ensure the role-permission middleware is registered in app/Http/Kernel.php:

  protected $routeMiddleware = [
      'role-permission' => \Abdul\RolePermission\Middleware\RolePermissionMiddleware::class,
  ];
  

• Permission Caching Clear cached permissions after role updates:

  php artisan config:clear
  php artisan cache:clear
  

• Case Sensitivity Permission names are case-sensitive. Use constants or enums for consistency:

  class Permissions {
      public const EDIT_POST = 'edit-post';
  }
  

Debugging

• Check User Roles Log user roles/permissions for debugging:

  dd(auth()->user()->roles()->with('permissions')->get());
  

• Permission Denied Errors If a user lacks permissions, the middleware throws a 403. Customize the response in app/Exceptions/Handler.php:

  public function render($request, Throwable $exception) {
      if ($exception instanceof \Abdul\RolePermission\Exceptions\PermissionDenied) {
          return response()->json(['error' => 'Unauthorized'], 403);
      }
      return parent::render($request, $exception);
  }
  

Extension Points

• Custom Permission Logic Override the hasPermission method in the facade:

  RolePermission::extend(function ($user, $permission) {
      // Custom logic (e.g., time-based permissions)
  });
  

• GUI for Role Management Integrate with admin panels (e.g., Nova toolkits) to manage roles/permissions via UI.

• Permission Groups Extend the Permission model to support groups (e.g., post_management group for edit-post, delete-post).