Authorization is one of laravel security features, it provides a simple way to authorize user actions, in this tutorial we'll use this feature to implement roles and abilities logic.
Content:
-
Clone the repository
-
Install composer dependancies
composer install
-
Create .env file
cp .env.example .env
-
Generate application key
php artisan key:generate
-
Set database connection environment variable
-
Run migrations and seeds
php artisan migrate --seed
-
Following are super user default credentials
email:
[email protected]
, password:secret
-
Following are demo user defaul credentials
email:
[email protected]
, password:secret
Role
model will group the abilities that will be granted to related users.
<?php
namespace App;
use Illuminate\Database\Eloquent\Model;
class Role extends Model
{
/**
* The attributes that are mass assignable.
*
* @var array
*/
protected $fillable = [
'name',
];
/**
* The users that belong to the role.
*/
public function users()
{
return $this->belongsToMany('App\User');
}
/**
* The abilities that belong to the role.
*/
public function abilities()
{
return $this->belongsToMany('App\Ability');
}
}
Ability
model represent the actions that needs to be authorized.
<?php
namespace App;
use Illuminate\Database\Eloquent\Model;
class Ability extends Model
{
/**
* The attributes that are mass assignable.
*
* @var array
*/
protected $fillable = [
'name',
];
/**
* The roles that belong to the ability.
*/
public function roles()
{
return $this->belongsToMany('App\Role');
}
}
To authorize controller actions we use authorize helper method which accept the name of the ability needed to perform the action.
UserController
and RoleController
handles management of users and roles including relating users to roles and roles to abilities, the logic is simply made of crud actions and eloquent relationship manipulation.
To display only the portions of the page that users are authorized to utilize we'll use @can and @canany blade directives.
SyncAbilities
contain an indexed array of strings where each element is an ability, when exceuted it will sync the abilties in the database.
<?php
namespace App\Console\Commands;
use App\Ability;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;
class SyncAbilities extends Command
{
/**
* The name and signature of the console command.
*
* @var string
*/
protected $signature = 'abilities:sync';
/**
* The console command description.
*
* @var string
*/
protected $description = 'Sync abilities';
/**
* The abilities.
*
* @var string
*/
protected $abilities = [
'view-any-user', 'view-user', 'create-user', 'update-user', 'delete-user',
'view-any-role', 'view-role', 'create-role', 'update-role', 'delete-role',
];
/**
* Execute the console command.
*
* @return int
*/
public function handle()
{
$removedAbilities = Ability::whereNotIn('name', $this->abilities)->pluck('id');
DB::table('ability_role')->whereIn('ability_id', $removedAbilities)->delete();
Ability::whereIn('id', $removedAbilities)->delete();
$presentAbilities = Ability::whereIn('name', $this->abilities)->get();
$absentAbilities = $presentAbilities->isEmpty() ? $this->abilities : array_diff($this->abilities, $presentAbilities->pluck('name')->toArray());
if ($absentAbilities) {
$absentAbilities = array_map(function ($ability) {
return ['name' => $ability];
}, $absentAbilities);
Ability::insert($absentAbilities);
}
}
}
Whenever the abilities are modifed run the following command to sync the database.
php artisan abilities:sync
CreateSuperUser
will create a super
user using credentials provided in config/auth.php
which can be set using AUTH_SUPER_USER_EMAIL
and AUTH_SUPER_USER_EMAIL
environment variable, super
user surpass authorization logic hence he's granted all abilities.
<?php
namespace App\Console\Commands;
use App\User;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\Hash;
class CreateSuperUser extends Command
{
/**
* The name and signature of the console command.
*
* @var string
*/
protected $signature = 'superuser:create';
/**
* The console command description.
*
* @var string
*/
protected $description = 'Create Super User';
/**
* Execute the console command.
*
* @return int
*/
public function handle()
{
User::where('super', true)->delete();
User::create([
'email' => config('auth.super_user.email'),
'name' => 'super',
'super' => true,
'password' => Hash::make(config('auth.super_user.password')),
]);
}
}
Whenever the super user need to be changed, update the correspoding environment variable and run the following command which will delete the current super user and create a new one.
php artisan superuser:create
The authorization take place in AuthServiceProvider
, where we use Gate::before method to intercept gate checks then we verify if the user is super or is granted the ability through any of his roles.
use Illuminate\Support\Facades\Gate;
use Illuminate\Database\Eloquent\Builder;
/**
* Register any authentication / authorization services.
*
* @return void
*/
public function boot()
{
$this->registerPolicies();
//
Gate::before(function ($user, $ability) {
if ($user->super) {
return true;
} else {
return $user
->roles()
->whereHas('abilities', function (Builder $query) use ($ability) {
$query->where('name', $ability);
})
->exists();
}
});
}
Laravel has a lot to offer, having a general idea about what's provided help in finding the best solution, in this tutorial we've used Authorization
and Seeders
as the base of the roles and abilities system.