Package Data | |
---|---|
Maintainer Username: | konekt |
Maintainer Contact: | freek@spatie.be (Freek Van der Herten) |
Package Create Date: | 2017-06-06 |
Package Last Update: | 2024-07-08 |
Language: | PHP |
License: | MIT |
Last Refreshed: | 2024-12-19 03:04:41 |
Package Statistics | |
---|---|
Total Downloads: | 62,208 |
Monthly Downloads: | 1,275 |
Daily Downloads: | 36 |
Total Stars: | 10 |
Total Watchers: | 4 |
Total Forks: | 2 |
Total Open Issues: | 0 |
This package is a fork of Spatie's Permission v2.1.5. Reason for fork was to convert the package into a Concord compliant module.
v1.0: Most of the changes have been ported from Spatie v2.9.0
This package allows you to manage user permissions and roles in a database.
Once installed you can do stuff like this:
// Adding permissions to a user
$user->givePermissionTo('edit articles');
// Adding permissions via a role
$user->assignRole('writer');
$role->givePermissionTo('edit articles');
If you're using multiple guards we've got you covered as well. Every guard will have its own set of permissions and roles that can be assigned to the guard's users. Read about it in the using multiple guards section of the readme.
Because all permissions will be registered on Laravel's gate, you can test if a user has a permission with Laravel's default can
function:
$user->can('edit articles');
The original author of this package is Spatie, a webdesign agency in Antwerp, Belgium. You'll find an overview of all their open source projects on their website.
This version of the package is intended ton be used as a Concord module in Laravel 5.4 or higher. If you don't use Concord take a look at the original Spatie package.
You can install the package via composer:
composer require konekt/acl
Now add the module in config/concord.php
file:
'modules' => [
// ...
Konekt\Acl\Providers\ModuleServiceProvider::class,
];
The package contains some migrations that you can run as usual by:
php artisan migrate
You can modify the configuration within app/concord.php
:
return [
'modules' => [
// ...
Konekt\Acl\Providers\ModuleServiceProvider::class => [
/*
* By default all permissions will be cached for 24 hours unless a permission or
* role is updated. Then the cache will be flushed immediately.
*/
'cache_expiration_time' => 60 * 24,
/*
* When set to true, the required permission/role names are added to the exception
* message. This could be considered an information leak in some contexts, so
* the default setting is false here for optimum safety.
*/
'display_permission_in_exception' => false
]
]
];
The main difference between this fork and the original Spatie version is that models are managed via Concord's model proxies feature.
Thus Model classes and table names have been removed from config and have been added as Concord models. Thus you can easily replace them in your using Concord's facilities:
namespace App\Providers;
use Illuminate\Support\ServiceProvider;
use Konekt\Acl\Contracts\Role as RoleContract;
use Konekt\Acl\Contracts\Permission as PermissionContract;
class AppServiceProvider extends ServiceProvider
{
public function register()
{
// To override the role model
$this->app->concord->registerModel(RoleContract::class, \App\Role::class);
// To override the Permission model
$this->app->concord->registerModel(PermissionContract::class, \App\Permission::class);
}
}
If you also want to change the names of the db tables, set the $table
property of the model:
namespace App;
use Konekt\Acl\Models\Role as BaseRole;
class Role extends BaseRole
{
protected $table = 'my_roles_table_name';
}
Important: Make sure any custom model class implements its appropriate interface (
Konekt\Acl\Contracts\Role
,Konekt\Acl\Contracts\Permission
)
First, add the Konekt\Acl\Traits\HasRoles
trait to your User model(s):
use Illuminate\Foundation\Auth\User as Authenticatable;
use Konekt\Acl\Traits\HasRoles;
class User extends Authenticatable
{
use HasRoles;
// ...
}
- note that if you need to use
HasRoles
trait with another model ex.Page
you will also need to addprotected $guard_name = 'web';
as well to that model or you would get an erroruse Illuminate\Database\Eloquent\Model; use Spatie\Permission\Traits\HasRoles; class Page extends Model { use HasRoles; protected $guard_name = 'web'; // or whatever guard you want to use // ... }
This package allows for users to be associated with permissions and roles. Every role is associated with multiple permissions.
A Role
and a Permission
are regular Eloquent models. They require a name
and can be created like this:
use Konekt\Acl\Models\Role;
use Konekt\Acl\Models\Permission;
$role = Role::create(['name' => 'writer']);
$permission = Permission::create(['name' => 'edit articles']);
If you want to use your own models instead of the built in ones, use their proxy counterparts instead:
use Konekt\Acl\Models\RoleProxy;
use Konekt\Acl\Models\PermissionProxy;
$role = RoleProxy::create(['name' => 'writer']);
$permission = PermissionProxy::create(['name' => 'edit articles']);
If you're using multiple guards the guard_name
attribute needs to be set as well. Read about it in the using multiple guards section of the readme.
The HasRoles
trait adds Eloquent relationships to your models, which can be accessed directly or used as a base query:
// get a list of all permissions directly assigned to the user
$permissions = $user->permissions;
// get all permissions inherited by the user via roles
$permissions = $user->getAllPermissions();
// get a collection of all defined roles
$roles = $user->getRoleNames(); // Returns a collection
The HasRoles
trait also adds a role
scope to your models to scope the query to certain roles or permissions:
$users = User::role('writer')->get(); // Returns only users with the role 'writer'
The role
scope can accept a string, a \Spatie\Permission\Models\Role
object or an \Illuminate\Support\Collection
object.
The same trait also adds a scope to only get users that have a certain permission.
$users = User::permission('edit articles')->get(); // Returns only users with the permission 'edit articles' (inherited or directly)
The scope can accept a string, a \Spatie\Permission\Models\Permission
object or an \Illuminate\Support\Collection
object.
A permission can be given to any user:
$user->givePermissionTo('edit articles');
// You can also give multiple permission at once
$user->givePermissionTo('edit articles', 'delete articles');
// You may also pass an array
$user->givePermissionTo(['edit articles', 'delete articles']);
A permission can be revoked from a user:
$user->revokePermissionTo('edit articles');
Or revoke & add new permissions in one go:
$user->syncPermissions(['edit articles', 'delete articles']);
You can test if a user has a permission:
$user->hasPermissionTo('edit articles');
...or if a user has multiple permissions:
$user->hasAnyPermission(['edit articles', 'publish articles', 'unpublish articles']);
Saved permissions will be registered with the Illuminate\Auth\Access\Gate
class for the default guard. So you can
test if a user has a permission with Laravel's default can
function:
$user->can('edit articles');
A role can be assigned to any user:
$user->assignRole('writer');
// You can also assign multiple roles at once
$user->assignRole('writer', 'admin');
// or as an array
$user->assignRole(['writer', 'admin']);
A role can be removed from a user:
$user->removeRole('writer');
Roles can also be synced:
// All current roles will be removed from the user and replaced by the array given
$user->syncRoles(['writer', 'admin']);
You can determine if a user has a certain role:
$user->hasRole('writer');
You can also determine if a user has any of a given list of roles:
$user->hasAnyRole(RoleProxy::all());
You can also determine if a user has all of a given list of roles:
$user->hasAllRoles(Role::all());
The assignRole
, hasRole
, hasAnyRole
, hasAllRoles
and removeRole
functions can accept a
string, a \Konekt\Acl\Models\Role
object or an \Illuminate\Support\Collection
object.
A permission can be given to a role:
$role->givePermissionTo('edit articles');
You can determine if a role has a certain permission:
$role->hasPermissionTo('edit articles');
A permission can be revoked from a role:
$role->revokePermissionTo('edit articles');
The givePermissionTo
and revokePermissionTo
functions can accept a
string or a Konekt\Acl\Models\Permission
object.
Permissions are inherited from roles automatically. Additionally, individual permissions can be assigned to the user too. For instance:
$role = Role::findByName('writer');
$role->givePermissionTo('edit articles');
$user->assignRole('writer');
$user->givePermissionTo('delete articles');
In the above example, a role is given permission to edit articles and this role is assigned to a user.
Now the user can edit articles and additionally delete articles. The permission of 'delete articles' is the user's direct permission because it is assigned directly to them.
When we call $user->hasDirectPermission('delete articles')
it returns true
,
but false
for $user->hasDirectPermission('edit articles')
.
This method is useful if one builds a form for setting permissions for roles and users in an application and wants to restrict or change inherited permissions of roles of the user, i.e. allowing to change only direct permissions of the user.
You can list all of these permissions:
// Direct permissions
$user->getDirectPermissions(); // Or $user->permissions;
// Permissions inherited from the user's roles
$user->getPermissionsViaRoles();
// All permissions which apply on the user (inherited and direct)
$user->getAllPermissions();
All these responses are collections of Konekt\Acl\Models\Permission
objects.
If we follow the previous example, the first response will be a collection with the 'delete article' permission, the second will be a collection with the 'edit article' permission and the third will contain both.
If we follow the previous example, the first response will be a collection with the delete article
permission and
the second will be a collection with the edit article
permission and the third will contain both.
This package also adds Blade directives to verify whether the currently logged in user has all or any of a given list of roles.
Optionally you can pass in the guard
that the check will be performed on as a second argument.
Test for a specific role:
@role('writer')
I am a writer!
@else
I am not a writer...
@endrole
is the same as
@hasrole('writer')
I am a writer!
@else
I am not a writer...
@endhasrole
Test for any role in a list:
@hasanyrole($collectionOfRoles)
I have one or more of these roles!
@else
I have none of these roles...
@endhasanyrole
<!-- or -->
@hasanyrole('writer|admin')
I am either a writer or an admin or both!
@else
I have none of these roles...
@endhasanyrole
Test for all roles:
@hasallroles($collectionOfRoles)
I have all of these roles!
@else
I do not have all of these roles...
@endhasallroles
// or
@hasallroles('writer|admin')
I am both a writer and an admin!
@else
I do not have all of these roles...
@endhasallroles
This package doesn't add any permission-specific Blade directives. Instead, use Laravel's native @can
directive to check if a user has a certain permission.
@can('edit articles')
//
@endcan
or
@if(auth()->user()->can('edit articles') && $some_other_condition)
//
@endif
When using the default Laravel auth configuration all of the above methods will work out of the box, no extra configuration required.
However, when using multiple guards they will act like namespaces for your permissions and roles. Meaning every guard has its own set of permissions and roles that can be assigned to their user model.
By default the default guard (config('auth.defaults.guard')
) will be used as the guard for new permissions and roles. When creating permissions and roles for specific guards you'll have to specify their guard_name
on the model:
// Create a superadmin role for the admin users
$role = RoleProxy::create(['guard_name' => 'admin', 'name' => 'superadmin']);
// Define a `publish articles` permission for the admin users belonging to the admin guard
$permission = Permission::create(['guard_name' => 'admin', 'name' => 'publish articles']);
// Define a *different* `publish articles` permission for the regular users belonging to the web guard
$permission = Permission::create(['guard_name' => 'web', 'name' => 'publish articles']);
To check if a user has permission for a specific guard:
$user->hasPermissionTo('publish articles', 'admin');
You can use the same methods to assign permissions and roles to users as described above in using permissions via roles. Just make sure the guard_name
on the permission or role matches the guard of the user, otherwise a GuardDoesNotMatch
exception will be thrown.
You can use all of the blade directives listed in using blade directives by passing in the guard you wish to use as the second argument to the directive:
@role('super-admin', 'admin')
I am a super-admin!
@else
I am not a super-admin...
@endrole
This package comes with RoleMiddleware
and PermissionMiddleware
middleware. You can add them inside your app/Http/Kernel.php
file.
protected $routeMiddleware = [
// ...
'role' => \Konekt\Acl\Http\Middleware\RoleMiddleware::class,
'permission' => \Konekt\Acl\Http\Middleware\PermissionMiddleware::class,
];
Then you can protect your routes using middleware rules:
Route::group(['middleware' => ['role:super-admin']], function () {
//
});
Route::group(['middleware' => ['permission:publish articles']], function () {
//
});
Route::group(['middleware' => ['role:super-admin','permission:publish articles']], function () {
//
});
Alternatively, you can separate multiple roles or permission with a |
(pipe) character:
Route::group(['middleware' => ['role:super-admin|writer']], function () {
//
});
Route::group(['middleware' => ['permission:publish articles|edit articles']], function () {
//
});
You can protect your controllers similarly, by setting desired middleware in the constructor:
public function __construct()
{
$this->middleware(['role:super-admin','permission:publish articles|edit articles']);
}
If you want to override the default 403
response, you can catch the UnauthorizedException
using
your app's exception handler:
public function render($request, Exception $exception)
{
if ($exception instanceof \Konekt\Acl\Exceptions\UnauthorizedException) {
// Code here ...
}
return parent::render($request, $exception);
}
You can create a role or permission from a console with artisan commands.
php artisan acl:create-role writer
php artisan acl:create-permission 'edit articles'
When creating permissions and roles for specific guards you can specify the guard names as a second argument:
php artisan acl:create-role writer web
php artisan acl:create-permission 'edit articles' web
In your application's tests, if you are not seeding roles and permissions as part of your test setUp()
then you may run into a chicken/egg situation where roles and permissions aren't registered with the gate (because your tests create them after that gate registration is done). Working around this is simple: In your tests simply add a setUp()
instruction to re-register the permissions, like this:
public function setUp()
{
// first include all the normal setUp operations
parent::setUp();
// now re-register all the roles and permissions
$this->app->make(\Konekt\Acl\PermissionRegistrar::class)->registerPermissions();
}
Two notes about Database Seeding:
It is best to flush the konekt.acl.cache
before seeding, to avoid cache conflict errors. This can be done from an Artisan command (see Troubleshooting: Cache section, later) or directly in a seeder class (see example below).
Here's a sample seeder, which clears the cache, creates permissions and then assigns permissions to roles:
use Illuminate\Database\Seeder;
use Konekt\Acl\Models\Role;
use Konekt\Acl\Models\Permission;
class RolesAndPermissionsSeeder extends Seeder
{
public function run()
{
// Reset cached roles and permissions
app()['cache']->forget('konekt.acl.cache');
// create permissions
Permission::create(['name' => 'edit articles']);
Permission::create(['name' => 'delete articles']);
Permission::create(['name' => 'publish articles']);
Permission::create(['name' => 'unpublish articles']);
// create roles and assign existing permissions
$role = Role::create(['name' => 'writer']);
$role->givePermissionTo('edit articles');
$role->givePermissionTo('delete articles');
$role = Role::create(['name' => 'admin']);
$role->givePermissionTo('publish articles');
$role->givePermissionTo('unpublish articles');
}
}
If you need to extend or replace the existing Role
or Permission
models you just need to
keep the following things in mind:
Role
model needs to implement the Konekt\Acl\Contracts\Role
contractPermission
model needs to implement the Konekt\Acl\Contracts\Permission
contract $this->app->concord->registerModel(Konekt\Acl\Contracts\Role::class, \App\Role::class);
Role and Permission data are cached to speed up performance.
When you use the supplied methods for manipulating roles and permissions, the cache is automatically reset for you:
$user->assignRole('writer');
$user->removeRole('writer');
$user->syncRoles(params);
$role->givePermissionTo('edit articles');
$role->revokePermissionTo('edit articles');
$role->syncPermissions(params);
$permission->assignRole('writer');
$permission->removeRole('writer');
$permission->syncRoles(params);
HOWEVER, if you manipulate permission/role data directly in the database instead of calling the supplied methods, then you will not see the changes reflected in the application unless you manually reset the cache.
To manually reset the cache for this package, run:
php artisan acl:cache:clear
It is equivalent to running
php artisan cache:forget konekt.acl.cache
TIP: If you are leveraging a caching service such as redis
or memcached
and there are other sites
running on your server, you could run into cache clashes. It is prudent to set your own cache prefix
in /config/cache.php
to something unique for each application. This will prevent other applications
from accidentally using/changing your cached data.
The Konekt AppShell Package is an extensible Business Application boilerplate that incorporates this Acl package and contains a UI for managing permissions, roles & users.
This package doesn't come with any screens out of the box. To get started check out this extensive tutorial by Caleb Oki.
Please see Changelog for more information what has changed recently.
composer test
Please see CONTRIBUTING for details.
You're free to use this package (it's MIT-licensed), but if it makes it to your production environment Spatie will highly appreciate you send them a postcard from your hometown, mentioning which of their package(s) you are using.
Their address is: Spatie, Samberstraat 69D, 2060 Antwerp, Belgium.
All received postcards are published on spatie.be.
This package is a modified variant of Spatie Permission package which is heavily based on Jeffrey Way's awesome Laracasts lessons on permissions and roles. His original code can be found in this repo on GitHub.
Special thanks to Alex Vanderbist who greatly helped with Spatie/Permission v2
.
The MIT License (MIT). Please see License File for more information.