Roles and Permissions System for Website
RBAC (Role-Based Access Control) — access control via roles. User is assigned a role (admin, editor, viewer), role has a set of permissions (create:articles, delete:comments). By changing role — you change the entire set of rights without editing each user.
Rights Structure
User ─── Role ─── Permission
admin articles:create
articles:edit
articles:delete
users:manage
editor articles:create
articles:edit
viewer articles:read
Or ABAC (Attribute-Based): rights depend on resource attributes (article.author_id === user.id).
Laravel — Spatie Permission
composer require spatie/laravel-permission
php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider"
php artisan migrate
// User model
use HasRoles;
// Create roles and permissions
Permission::create(['name' => 'articles.create']);
Permission::create(['name' => 'articles.edit']);
Permission::create(['name' => 'articles.delete']);
Permission::create(['name' => 'users.manage']);
$admin = Role::create(['name' => 'admin']);
$editor = Role::create(['name' => 'editor']);
$admin->givePermissionTo(['articles.create', 'articles.edit', 'articles.delete', 'users.manage']);
$editor->givePermissionTo(['articles.create', 'articles.edit']);
// Assign roles
$user->assignRole('editor');
$user->removeRole('editor');
// Check
$user->hasRole('admin');
$user->can('articles.delete');
$user->hasAnyRole(['admin', 'moderator']);
Gate and Policy
// Gates — simple checks
Gate::define('delete-article', function (User $user, Article $article) {
return $user->hasRole('admin') || $article->author_id === $user->id;
});
// Policy — for specific model
php artisan make:policy ArticlePolicy --model=Article
class ArticlePolicy
{
public function update(User $user, Article $article): bool
{
return $user->can('articles.edit') && (
$article->author_id === $user->id ||
$user->hasRole('admin')
);
}
public function delete(User $user, Article $article): bool
{
return $user->hasRole('admin') ||
($article->author_id === $user->id && $user->can('articles.delete'));
}
}
// Usage in Controller
public function update(Request $request, Article $article)
{
$this->authorize('update', $article);
// ...
}
// In Blade
@can('articles.create')
<a href="/articles/create">Write Article</a>
@endcan
Route Protection Middleware
Route::middleware(['role:admin'])->prefix('admin')->group(function () {
Route::resource('users', UserController::class);
});
Route::middleware(['permission:articles.create'])->group(function () {
Route::post('/articles', [ArticleController::class, 'store']);
});
Route::middleware(['role:admin|editor'])->group(function () {
Route::get('/articles/moderation', [ModerationController::class, 'index']);
});
Permissions Caching
Spatie caches permissions in memory. On mass changes — clear:
app()[\Spatie\Permission\PermissionRegistrar::class]->forgetCachedPermissions();
// or via command
php artisan permission:cache-reset
Role Management UI
// Form for assigning role to user
function UserRoleEditor({ user, roles }: { user: User; roles: Role[] }) {
const [selectedRoles, setSelectedRoles] = useState<string[]>(user.roles.map(r => r.name));
return (
<div>
{roles.map(role => (
<label key={role.id} className="flex items-center gap-2">
<input
type="checkbox"
checked={selectedRoles.includes(role.name)}
onChange={e => {
setSelectedRoles(prev =>
e.target.checked ? [...prev, role.name] : prev.filter(r => r !== role.name)
);
}}
/>
<span>{role.name}</span>
<span className="text-sm text-gray-500">
({role.permissions.length} permissions)
</span>
</label>
))}
</div>
);
}
Timeline
Spatie Permission, roles/permissions, Policies for models, middleware, role management UI: 2–3 days.