Download the PHP package faithfm/laravel-simple-permissions without Composer

laravel-simple-permissions

A simple way to define user permissions in your Laravel application:

• Authorization Gates are are automatically created for all 'defined_permissions' in config/auth.php:

• These can be tested via normal Laravel Authorization methods:

[!TIP]

Notice the special '|' character that can be used to test multiple (ORed) permissions in a single gate

• Permissions are assigned to each user via the user_permissions table:

• Additional Javascript library included - typically used to check additional restrictions in the front-end. (see below)

[!NOTE]

This package is the Authorization (AuthZ) component of our overall AuthN/AuthZ design pattern that we deploy for our apps. (Our Faith FM Laravel Auth0 Pattern package is more opinionated than this generic package, and includes a number of published template files that may be less helpful for a wider audience, but you're welcome to use them if they are helpful.)

Installation + Configuration:

• Add the permissions relationship to the Models\User.php model:

• Create a simple list of 'defined_permissions' for your app (as a new section in config/auth.php). (See example above)

• Assign these permissions to relevant users (by adding records in the user_permissions table). (See example above)

Usage:

You can now test user permissions using regular Laravel Authorization Gate checks! (See examples above)

Advanced Usage: Vue front-end

LaravelUserPermissions.js is a helper library that allows additional permission-checks to be performed in the front-end.

This helper assumes that user permissions are passed from back-end to front-end using a global javascript LaravelAppGlobals variable (which is usually passed by the Blade file). Specifically it is looking for the existence of the global LaravelAppGlobals.user.permissions property.

In the examples below we will primarily consider the fourth row of the sample user_permissions table above:

Simple permission checks use the laravelUserCan() function:

More complex restrictions checks/filtering test user capabilities against JSON settings stored in the restrictions field. In our example above, a call to the laravelUserRestrictions('use-app') function returns:

The status property is injected along with any JSON data in the restrictions field, and is set to one of the following values:

• NOT PERMITTED - if the requested permission (ie: "use-app") does not exist for the user.
• ALL PERMITTED - if the requested permission does exist... AND the 'restrictions' field is blank.
• SOME PERMITTED - if the requested permission does exist... AND the 'restrictions' field contains valid JSON data.

The example below tests these conditions, and also checks to see if an app variable "currentItem" starts with the value of the "filter" property.

[!IMPORTANT]

You should not rely solely on front-end code to enforce important security features. These should be performed in the back-end as well.

Sample code to pass permissions via LaravelAppGlobals to front-end:

The following sample code shows one way the 'user' object (including permissions) can be passed to your front-end Vue app via the LaravelAppGlobals front-end variable.

In your Route/Controller:

Blade file:

Extended Usage: Laravel back-end

An equivalent of the javascript laravelUserRestrictions() function has not yet been implemented in the back-end to perform more complex testing based on the restrictions field. In the mean-time you could probably use something like this: