
reviewdevs's avatar

Which is better, Spatie Permissions & Roles or using Middlewares or Policies?

Hello, I am trying to make something like Udemy as practice after finishing some courses here on Laracasts.

I'm trying to fix a problem where I want to allow users who purchased a course to view it, if not, they get 401

I was thinking of two approaches, either using Policies combined with Roles and permissions

like saying

if user can view any course, then respond to him with the courses videos

else, check if user has this course in his purchased courses, then send him the course videos

else, unauthorized

That was the Policies + roles & permissions approach.

But I read that you can do so with middlewares, and it seemed easier to do it with middlewares from this article

https://justlaravel.com/middleware-laravel-content-restriction-user-role/

So I was wondering if someone could explain to me which is better and more scalable in the future.

thanks a lot!

0 likes
4 replies
miguellima's avatar

@reviewdevs You can use both, like:

    public function index(User $currentUser)
    {
        // Policy method: allow only users holding the 'premium' role.
        if ($currentUser->hasRole('premium')) {
            return true;
        }
        return false;
    }

1 like
reviewdevs's avatar

I was thinking that Spatie would give me more flexibility along with Policies, like saying


    // In CourseController

    public function getAllVideos(User $user, Course $course) {
        // Runs CoursePolicy::getVideos() and aborts the request if it returns false.
        $this->authorize('getVideos', $course);

        return $course->videos;
    }

and then in a CoursePolicy.php file I'd say

    public function getVideos(User $user, Course $course)
    {
        // contains() matches the model itself; has() would look up a collection key.
        return $user->hasRole('super-admin')
            || ($user->hasRole('tutor') && $course->author->is($user))
            || ($user->hasRole('learner') && $user->purchasedCourses->contains($course));
    }

This is more verbose and clear about the intent of what I'm trying to do.

But I'm not sure if that respects the open-closed principle, because what if I wanted to make a new role like a subscribed user? I'd have to go to this function and edit it.

But at the same time, if I wanted to add a new role and some permissions to it, I'd do that easily from a dashboard or something.

However, if I go with a middleware approach,

I'd just say

    public function handle($request, Closure $next)
    {
        // Fail closed: guests (no user) and non-admins both get the unauthorized view.
        if (! $request->user() || $request->user()->type != 'admin') {
            return new Response(view('unauthorized'));
        }
        return $next($request);
    }

and assign that middleware on some route

which is easier, but can't be set from a dashboard.

So that was confusing me, and I thought of asking for some opinions and maybe some tips.

1 like
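
Added example (not from any post in this thread): one way to combine the approaches discussed above is to have the policy check Spatie permissions rather than role names, so a new role such as a subscribed user is handled by attaching permissions to it instead of editing the policy, and to enforce that same policy from route middleware. The permission names and the route path are hypothetical, and `purchasedCourses` is assumed to be a relation on `User`.

```php
<?php
// Added example, not code from the thread.
// Assumptions: User uses spatie/laravel-permission's HasRoles trait,
// purchasedCourses is a relation on User, and the permission names
// below are hypothetical ones you would create and attach to roles.

namespace App\Policies;

use App\Models\Course;
use App\Models\User;

class CoursePolicy
{
    public const VIEW_ANY       = 'view any course videos';
    public const VIEW_AUTHORED  = 'view authored course videos';
    public const VIEW_PURCHASED = 'view purchased course videos';

    public function getVideos(User $user, Course $course): bool
    {
        // Granted to e.g. super-admin; no role name appears in code.
        if ($user->can(self::VIEW_ANY)) {
            return true;
        }

        // The permission says what the role may do; the second operand
        // ties it to this specific course (object-level check).
        if ($user->can(self::VIEW_AUTHORED) && $course->author->is($user)) {
            return true;
        }

        // exists() asks the database instead of loading every purchase.
        if ($user->can(self::VIEW_PURCHASED)
            && $user->purchasedCourses()->whereKey($course->getKey())->exists()) {
            return true;
        }

        return false; // fail closed: anything not matched above is denied
    }
}

// routes/web.php (hypothetical path): middleware runs the same policy
// before the controller, so the rule lives in one place.
// Route::get('/courses/{course}/videos', [CourseController::class, 'getAllVideos'])
//     ->middleware(['auth', 'can:getVideos,course']);
```

A failed `can` or `authorize` check is rendered as a 403 response by default, while the `auth` middleware handles unauthenticated requests before the policy runs.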
davisdev's avatar

@reviewdevs that's a well-made argument. Was pondering the same kind of thing whether or not I should just use both functionalities for more flexibility and less boilerplate code on "front-end".

miguellima's avatar

Keep in mind one thing: you should write the best code you can, but remember that you will learn along the way to do things in a better way, or you are already doing it the best way possible. But you think others do better than you, that's normal.

My advice is, just focus on what you need now. Keep everything smooth and clean. No one knows everything they need.

As far as I can see, you are doing good.

4 likes
