Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Laratrust Laravel Package

santigarcor/laratrust

Laratrust adds role and permission management to Laravel with support for multiple user models, teams, guards, caching, events, middleware, gates/policies, and an optional admin panel for managing roles and permissions.

View on GitHub

Deep Wiki

Context7

sidebarDepth: 2

Objects Ownership

If you need to check if the user owns an object you can use the user function owns:

public function update (Post $post) {
    if ($user->owns($post)) { //This will check the 'user_id' inside the $post
        abort(403);
    }

    ...
}

If you want to change the foreign key name to check for, you can pass a second attribute to the method:

public function update (Post $post) {
    if ($user->owns($post, 'idUser')) { //This will check for 'idUser' inside the $post
        abort(403);
    }

    ...
}

Permissions, Roles & Ownership Checks

If you want to check if a user can do something or has a role, and also is the owner of an object you can use the isAbleToAndOwns and hasRoleAndOwns methods:

Both methods accept three parameters:

permission or role are the permission or role to check (This can be an array of roles or permissions).
thing is the object used to check the ownership.
options is a set of options to change the method behavior (optional).

The third parameter is an options array:

$options = [
    'requireAll' => true, //Default: false,
    'foreignKeyName'  => 'canBeAnyString' //Default: null
];

Here's an example of the usage of both methods:

$post = Post::find(1);
$user->isAbleToAndOwns('edit-post', $post);
$user->isAbleToAndOwns(['edit-post', 'delete-post'], $post);
$user->isAbleToAndOwns(['edit-post', 'delete-post'], $post, ['requireAll' => false, 'foreignKeyName' => 'writer_id']);

$user->hasRoleAndOwns('admin', $post);
$user->hasRoleAndOwns(['admin', 'writer'], $post);
$user->hasRoleAndOwns(['admin', 'writer'], $post, ['requireAll' => false, 'foreignKeyName' => 'writer_id']);

The Laratrust class has a shortcut to owns(), isAbleToAndOwns and hasRoleAndOwns methods for the currently logged in user:

Laratrust::owns($post);
Laratrust::owns($post, 'idUser');

Laratrust::isAbleToAndOwns('edit-post', $post);
Laratrust::isAbleToAndOwns(['edit-post', 'delete-post'], $post, ['requireAll' => false, 'foreignKeyName' => 'writer_id']);

Laratrust::hasRoleAndOwns('admin', $post);
Laratrust::hasRoleAndOwns(['admin', 'writer'], $post, ['requireAll' => false, 'foreignKeyName' => 'writer_id']);

Ownable Interface

If the object ownership is resolved through a more complex logic you can implement the Ownable interface so you can use the owns, isAbleToAndOwns and hasRoleAndOwns methods in those cases:

class SomeOwnedObject implements \Laratrust\Contracts\Ownable
{
    ...

    public function ownerKey($owner)
    {
        return $this->someRelationship->user->id;
    }

    ...
}

::: tip IMPORTANT

The ownerKey method must return the object's owner id value.
The ownerKey method receives as a parameter the object that called the owns method. :::

After implementing it, you simply do:

$user = User::find(1);
$theObject = new SomeOwnedObject;
$user->owns($theObject);            // This will return true or false depending on what the ownerKey method returns

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

davejamesmiller/laravel-breadcrumbs

artisanry/parsedown

christhompsontldr/phpsdk

enqueue/dsn

bunny/bunny

enqueue/test

enqueue/null

enqueue/amqp-tools

milesj/emojibase

bower-asset/punycode

bower-asset/inputmask

bower-asset/jquery

bower-asset/yii2-pjax

laravel/nova

spatie/laravel-mailcoach

spatie/laravel-superseeder

laravel/liferaft

nst/json-test-suite

danielmiessler/sec-lists

jackalope/jackalope-transport