
jrdavidson

Roles Permissions Continuation

This post is for everybody but especially @Ruffles and @kodeine.

I want to venture back for a second to recover a topic from a couple of weeks ago. When dealing with user roles and permissions I'm trying to figure out how I should be keeping them in my database.

https://laracasts.com/discuss/channels/general-discussion/user-rolesgroupspermissions

This question is in extension of that post. My current database schema is as follows.

http://www.laravelsd.com/share/SstkiH

My question is how should I be naming my permissions, because let's say a lot of permissions like:

create-post
edit-post
view-post
update-post (seems redundant but I figure another line of protection against people trying to update that can't)
store-post (same reason as above)

And that's just my post/articles resource; I have so many more. Is there an easier way, or do I just need to continue on like I was doing and list them all out?

bobbybouwmann

So I had the same issue as you had. We decided that each user can have access to multiple routes. So we created some middleware for it, some tables and some models. I made a simple package for it, so I can reuse it in other packages. You might get some ideas looking at that.

The package: https://github.com/bobbybouwmann/entry

So my routes are defined like this

// routes.php
Route::get('users', ['as' => 'users', 'uses' => 'UsersController@index']);
Route::get('user/create', ['as' => 'user.create', 'uses' => 'UsersController@create']);
Route::post('user', ['as' => 'user.store', 'uses' => 'UsersController@store']);
Route::get('user/{id}', ['as' => 'user.show', 'uses' => 'UsersController@show']);
Route::get('user/{id}/edit', ['as' => 'user.edit', 'uses' => 'UsersController@edit']);
Route::patch('user/{id}', ['as' => 'user.update', 'uses' => 'UsersController@update']);
Route::delete('user/{id}', ['as' => 'user.destroy', 'uses' => 'UsersController@destroy']);

In my database I have it stored like this

// roles table
id | role_name
1  | Admin

// permissions table
id | route
1  | users
2  | user.create
3  | user.store
4  | user.show
5  | user.edit
6  | user.update
7  | user.destroy

// permission_role table
route        | role_id
users        | 1
user.create  | 1
user.store   | 1
user.show    | 1
user.edit    | 1
user.update  | 1
user.destroy | 1

Note: You can use this package but it's more like an example for you ;)

jrdavidson

This is great. Thank you @blackbird, however why didn't you in your pivot table have permission_id instead of route?

bobbybouwmann

If you look closely at the functions that I call in my middleware, I end up checking if the current route name is equal to a permission in the database. If I used the id I would have needed an extra query to get the correct permissions and then check if the route names are the same ;)

In the example below, $permission is the current route name.

public function hasPermission($permission)
{
    return (in_array($permission, $this->role->permissions->lists('name')));
}
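An added example, not code from the entry package or from either poster: a plain-PHP sketch of the route-name check discussed in this thread, using the permission_role rows shown above plus a constructed second role. `roleCanAccess` is a hypothetical helper; it denies unnamed routes and unknown roles, compares strictly, and shows why `user.edit` and `user.update` are separate grants.

```php
<?php
declare(strict_types=1);

// Constructed sample data in the shape of the permission_role table above:
// role_id => route names that role may reach.
const PERMISSION_ROLE = [
    1 => ['users', 'user.create', 'user.store', 'user.show',
          'user.edit', 'user.update', 'user.destroy'],   // Admin (from the thread)
    2 => ['users', 'user.show', 'user.edit'],             // hypothetical second role
];

/**
 * Hypothetical helper: decide whether a role may reach a named route.
 * Anything not explicitly granted is denied.
 */
function roleCanAccess(?int $roleId, ?string $routeName): bool
{
    // A route without a name can never match a permission row, so deny it
    // rather than letting it pass unchecked.
    if ($roleId === null || $routeName === null || $routeName === '') {
        return false;
    }
    $granted = PERMISSION_ROLE[$roleId] ?? [];   // unknown role: no grants
    // Third argument true = strict comparison, so values such as 0 or true
    // cannot loosely match a route name.
    return in_array($routeName, $granted, true);
}

// Each case: [role_id, route name, expected decision]
$cases = [
    [1, 'user.update', true],    // Admin may save changes
    [2, 'user.edit',   true],    // role 2 may open the edit form ...
    [2, 'user.update', false],   // ... but the PATCH that saves it is refused
    [2, null,          false],   // unnamed route
    [3, 'users',       false],   // role with no rows
];

foreach ($cases as [$role, $route, $expected]) {
    $actual = roleCanAccess($role, $route);
    printf("role=%d route=%-12s => %s%s\n", $role, $route ?? '(unnamed)',
        $actual ? 'allow' : 'deny', $actual === $expected ? '' : '  UNEXPECTED');
}
```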
