hardsshah

Roles and permissions in Laravel 5

Hi all, in my previous project with Laravel 4, I used Confide and Entrust for my user registration and ACL. But with the release of Laravel 5, it has a user registration process by default... Should I still use the Confide and Entrust combo with L5, or is there any alternative approach to it?

Thanks for the help. Hardik

0 likes
18 replies
starptech

Hi, I use https://github.com/cartalyst/sentry with L5. There is a feature/laravel-5 branch. I'm also a contributor. It works very nicely and has all features out of the box. It also provides additional features such as user groups and additional security features:

  • Configurable authentication (can use any type of authentication required, such as username or email)
  • Authorization
  • Activation of user (optional)
  • Groups and group permissions
  • "Remember me"
  • User suspension
  • Login throttling (optional)
  • User banning
  • Password resetting
  • User data
  • Interface driven - switch out your own implementations at will

Nowhere could I find such a nice ACL package.

Easily add "cartalyst/sentry": "dev-feature/laravel-5" to your composer file.

4 likes
hardsshah

Hi @starptech, thanks for the response, I will take a look into Sentry. And @hostianer, I just wanted to confirm that all the Cartalyst packages seem to be paid. I want to implement free packages. Thanks for the reply :)

phillipsharring

Been trying Sentry for the last week on a project I'm building. Seems to work OK.

1 like
shahinul87

Laravel has its own Auth features. So you lack a role permission package. Confide + Entrust come together. Easy to use. Sentry / Sentinel is another handy package.

But I am on the side of Entrust with Laravel's basic authentication.

jaystabins

@starptech

Are you aware of any good tutorials on this package? The docs seem pretty feature rich but I am more of a visual learner.

Any help would be great!

3 likes
boynet

@tjhunkin not really :) it just solves a small piece of the puzzle, SENTINEL gives you a lot more

belisar

Long post incoming...

The new features look like they solve enough. It seems like it is basically the missing piece of the puzzle. You have authentication, authorization, throttling and parametric middleware coming from the framework. Packages are very nice and sometimes they solve cumbersome problems. However, I think that sometimes people are too quick to jump and search for a package these days even for things they could easily achieve on their own and with better flexibility.

Sentinel is nice and so are the other packages. My advice is to take some time and explore the framework. Give yourself time to know what you have at hand. Yes that includes spending some time on it, but don't think of it as lost time. It is time gained from avoiding future frustrations. If you want to use Sentinel or any other thing, go through the code. Make sure you are comfortable with how it is doing what it is doing and that it sits well on your project. Never let a tool define your project.

Laravel code is so well documented that you can read through it easily. Tons of small things that can make your life easier that maybe are not even in the general docs. Read through the docs, but do go through the API Docs every now and then when time allows.

I might have spent countless hours trying to debug packages that do not play nice together, that do not play nice with Laravel, that do not do what they are supposed to do for reasons that are a total mystery even to their creators.

Use packages that do not try to do too much, whose code you understand and whose code is well documented. Packages should save you the typing, not the thinking. Furthermore, creating crucial dependencies on third-party packages might provide challenges when you try to upgrade Laravel to the next version. I see many users going through packages and spending days to find a fix even when simple CORS packages are not doing what they want, when writing a CORS middleware yourself does not take more than 15 minutes. Yet they bang their heads against the wall trying to make something they did not make work for them at all costs.

There is nothing Sentry/Sentinel has that you cannot make and twist to your liking with the current tool set offered by Laravel. Before even thinking of any package, do yourself a favor and think whether you actually need one.

27 likes
jekinney

@belisar

Awesome post. So very, very true. Not only here but on many other help sites, it seems people wait days for an answer when, as you stated, you can code it yourself in less than an hour.

1 like
chrisreid

@belisar - I agree. One of our major offerings at work has heavy dependencies on Sentry throughout the code, and it held us back when we wanted to upgrade the project to Laravel 5. For what we use it for, a custom ACL system would have been better and easier to manage.

2 likes
kordy

I've found this package fills this gap and provides roles for Laravel's built-in authorize system: https://github.com/spatie/laravel-permission

The only thing I missed in those packages is a way to put a policy or condition on every permission as a restriction, something like: allow an authenticated user to modify posts only if he is the post author, or only if he is in the same group as the author, or only if the post is not published, etc.

So I wrote a package that fills this gap by restricting a user's role permission with a condition/policy, and it follows the RBAC approach.

This is the package if anyone is interested: http://github.com/thekordy/auzo

and another package that facilitates Laravel authorize work and provides many other tools for Laravel authorize such as authorization middleware, fields abilities, and fields validation rule that validates user authorization per field -> http://github.com/thekordy/auzo-tools

1 like
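
The role-plus-condition check described in the post above, as an added example in plain PHP; it is not part of the original post and not the API of auzo, spatie/laravel-permission or Laravel, and the class, ability and variable names are hypothetical. A role grants the ability, attached conditions narrow it (any one may hold), and anything never granted is denied.

```php
<?php
// Hypothetical, framework-independent sketch: all names are constructed for
// illustration and are not the API of auzo, laravel-permission or Laravel.
final class ConditionalRbac
{
    private array $grants = []; // role => ability => list of condition callables

    /** Grant an ability to a role; if conditions are given, at least one must hold. */
    public function allow(string $role, string $ability, callable ...$conditions): void
    {
        $this->grants[$role][$ability] = $conditions;
    }

    /** Deny by default: a role or ability that was never granted does not pass. */
    public function can(array $user, string $ability, array $resource = []): bool
    {
        foreach ($user['roles'] ?? [] as $role) {
            $conditions = $this->grants[$role][$ability] ?? null;
            if ($conditions === null) {
                continue; // this role does not carry the permission
            }
            if ($conditions === []) {
                return true; // unconditional grant
            }
            foreach ($conditions as $condition) {
                if ($condition($user, $resource) === true) {
                    return true; // one satisfied condition is enough
                }
            }
        }
        return false;
    }
}

$isAuthor    = fn(array $u, array $post): bool => $post['author_id'] === $u['id'];
$sameGroup   = fn(array $u, array $post): bool => $post['group_id'] === $u['group_id'];
$unpublished = fn(array $u, array $post): bool => $post['published'] === false;

$acl = new ConditionalRbac();
$acl->allow('moderator', 'post.modify'); // role grant with no restriction
$acl->allow('writer', 'post.modify', $isAuthor, $sameGroup, $unpublished);
// Constructed sample data: a published post and three users.
$post     = ['author_id' => 7, 'group_id' => 2, 'published' => true];
$author   = ['id' => 7, 'group_id' => 2, 'roles' => ['writer']];
$outsider = ['id' => 9, 'group_id' => 5, 'roles' => ['writer']];
$noRole   = ['id' => 7, 'group_id' => 2, 'roles' => []];
foreach (['author' => $author, 'outsider' => $outsider, 'noRole' => $noRole] as $name => $user) {
    printf("%s: %s\n", $name, $acl->can($user, 'post.modify', $post) ? 'allow' : 'deny');
}
```

The `noRole` user matches the author condition but is still denied, because conditions only narrow a permission that a role already grants.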
dawoodiddris

@belisar you have said it all. Thanks for your post; it is actually very important for one to explore more of the functionalities at hand before going in for a package. A typical example was when I wanted to implement email verification and multiple social login using Socialite in my projects. I actually used the packages as my guide at one point to write my code, looking at how they implemented theirs, and not really to use those packages. Thumbs up