Package Pages
Need a package that creates a system for roles and permissions? Look no further than these 3 packages. We look at the most used package, rolling your own authorization and different ways to think about handeling authorization.
-
0. Spatie laravel-permission
https://github.com/spatie/laravel-permissionSpatie's package is the gold standard for this use case. With over 27 Million downloads it is by far the most used package on this list!
Spatie's package offers both permissions and roles. Roles can include multiple permissions and are a great way to organise all the permissions.
Spatie makes roles and permissions as simple as:
use Spatie\Permission\Models\Role; use Spatie\Permission\Models\Permission; $role = Role::create(['name' => 'writer']); $permission = Permission::create(['name' => 'edit articles']);We recommend setting up your permissions and roles using Enums instead of loose strings. That way you can make sure you dont have any typos. Especially with authorization those can be costly!
Best practices
Spatie recommends using only permissions to check authorization and not roles. As permissions are more specific. This also allows you to use the default @can blade directives.
UI
While this package does not come with any UI written for managing the roles and permissions, there are a lot of packages written by the awesome laravel community. You can find them here:
https://spatie.be/docs/laravel-permission/v5/advanced-usage/ui-options -
1. DIY - Do It Yourself
https://laravel.com/docs/master/authorizationDoing authorization yourself can be the right choice depending on your needs. Lets say you are doing a small MVP project or you know that you wont need big permissions and roles.
Laravel gates
Gates are an easy way to get started with authorization in your app. Now usually they are defined in the AuthServiceProvider which you can find in your app/providers/ directory of your project. A basic gate looks like this:
Gate::define('is-admin', function (User $user) { return $user->email === '[email protected]'; });And is used like this:
Gate::allows('viewApprovals')more information can be found on the laravel documentation website here:
https://laravel.com/docs/master/authorization#gates.Laravel policies
Laravel policies are a lot like gates but for your Eloquent models. They are awesome for your domain models.
Example
Lets say you are building a blog, you would probably have an Post model and a Comment model. Each one should have their own policy.
Link to the documentation:
https://laravel.com/docs/master/authorization#writing-policies -
2. Laravel authz
https://github.com/php-casbin/laravel-authzLaravel authz is the new kid on the block and is definitly an interesting alternative to the spatie package. Laravel authz offers more features and is more complex. While laravel authz in itself is awesome, it is just a wrapper around Casbin. Definitly check it out if you are looking for support on access control models like ACL, RBAC, ABAC.
Conclussion
We recommend you go with what works for you! If your not sure of the size / longevity of a project then go with Spatie's packages. That way you are safe and you are future proof!
Good luck!