Access Control Lists (ACL) are essential for managing permissions and roles within an application. Laravel provides an elegant way to handle authorization, and the Spatie Laravel Permissions package simplifies role-based access control (RBAC).
Why Use Spatie for ACL?
Spatie’s Laravel Permissions package offers a robust and flexible approach to handling roles and permissions. It allows assigning multiple roles to users, defining permissions, and controlling access with middleware or policy-based authorization.
Key Features
- Role and permission management through Eloquent models.
- Middleware for route protection.
- Artisan commands for permission management.
- Database-driven role and permission storage.
Installing Spatie Laravel Permissions
First, install the package using Composer:
```bash
composer require spatie/laravel-permission
```
Next, publish the configuration file and run the migrations:
```bash
php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider"
php artisan migrate
```
This will create the necessary tables, including `roles`, `permissions`, and `model_has_roles`.
Setting Up Roles and Permissions
Add the `HasRoles` trait to the `User` model:
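```php
use Illuminate\Foundation\Auth\User as Authenticatable;
use Spatie\Permission\Traits\HasRoles;

class User extends Authenticatable
{
    // Adds assignRole(), hasRole(), givePermissionTo(), etc. to the model
    use HasRoles;
}
```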
Now, define roles and permissions using Tinker or seeder files:
```php
use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;

// Roles group permissions; users are attached to roles later
Role::create(['name' => 'admin']);
Role::create(['name' => 'editor']);
Role::create(['name' => 'user']);

// Permissions name the individual actions being controlled
Permission::create(['name' => 'edit articles']);
Permission::create(['name' => 'delete articles']);
Permission::create(['name' => 'publish articles']);
```
Assign permissions to roles:
```php
$admin = Role::findByName('admin');
$admin->givePermissionTo('edit articles', 'delete articles', 'publish articles');
```
Assign roles to users:
```php
use App\Models\User;

$user = User::find(1);
$user->assignRole('admin');
```
Protecting Routes and Views
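You can restrict access using middleware. The package does not register its middleware aliases automatically, so map the `role` alias to the package's role middleware (`\Spatie\Permission\Middleware\RoleMiddleware::class` in v6) in your application's middleware aliases first:
```php
Route::middleware(['role:admin'])->group(function () {
    Route::get('/admin', function () {
        return view('admin.dashboard');
    });
});
```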
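Or within Blade templates. Note that `@can` only controls what is rendered; the route behind the link still needs its own middleware or policy check on the server side:
```blade
@can('edit articles')
    <a href="/articles/edit">Edit Article</a>
@endcan
```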
If you are using a guard other than the default, specify it wherever you use the middleware or any other Spatie function. For the middleware, the guard name is passed as a second parameter after the role:
```php
Route::middleware(['role:admin,new_guard'])->group(function () {
    Route::get('/admin', function () {
        return view('admin.dashboard');
    });
});
```
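One way to confirm that the `role:admin` middleware on `/admin` actually denies access is a Laravel feature test; this is an added example, not code from the original article or the Spatie project. It assumes the `role` middleware alias is registered, the default `web` guard, the stock `User` factory, an existing `admin.dashboard` view, and that the route carries only `role:admin` (no `auth` middleware); the class name is hypothetical.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;
use Tests\TestCase;

// Hypothetical test class; exercises the /admin route defined in this article.
class AdminRouteAccessTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();
        // Drop the package's cached permission map before creating roles.
        $this->app->make(PermissionRegistrar::class)->forgetCachedPermissions();
        Role::findOrCreate('admin');
        Role::findOrCreate('user');
    }

    public function test_guest_is_denied(): void
    {
        // Assumption: no auth middleware on the route, so the role
        // middleware itself rejects the unauthenticated request with 403.
        $this->get('/admin')->assertForbidden();
    }

    public function test_user_without_admin_role_is_denied(): void
    {
        $user = User::factory()->create();
        $user->assignRole('user');

        $this->actingAs($user)->get('/admin')->assertForbidden();
    }

    public function test_admin_is_allowed(): void
    {
        $admin = User::factory()->create();
        $admin->assignRole('admin');

        $this->actingAs($admin)->get('/admin')->assertOk();
    }
}
```

Run it with `php artisan test --filter=AdminRouteAccessTest`; a failure in either of the two denial tests means the route is reachable without the admin role.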
Conclusion
Implementing ACL with Spatie in Laravel simplifies role-based authorization, making it easier to manage access control. By defining roles, assigning permissions, and using middleware, you can build a secure application with precise user access control.
Useful link: https://spatie.be/docs/laravel-permission/v6/introduction