
_chris:

Why bother with roles?

Hi all,

I have been going through the roles and permissions video here: https://laracasts.com/series/whats-new-in-laravel-5-1/episodes/16

So users are assigned a role and roles are made up of a number of permissions. Fine. But what if I want to override a role and give a particular user a particular permission?

For example if my 'manager' role has the permissions 'add_users' and 'edit_users' but one particular customer has asked to be able to 'delete_users' too then this method seems a little restrictive. Correct me if I am wrong but I think I'd have to create a new role and assign the permissions just for the one customer that wants it.

So I was considering adding another pivot table to link up users to permissions. Then I thought if I did that, there doesn't really seem much point in having the roles table at all.

Does anyone have any opinions/examples of the best practice for this?

Also worth noting that I know about some of the packages available but I'd like to do some stuff myself to help learn it!

Thanks!

0 likes
7 replies
zachleigh:

In most applications, you wouldn't make exceptions like this. A user is a user and they should not have any admin privileges. If you find that some users can have additional permissions, you make a new role for them and assign that role permissions. If you start randomly assigning permissions to everyone, it's going to get messy real fast, especially if you have a lot of users.

1 like
ohffs:

Roles are just a convenient way of grouping permissions - you don't need to use them if you don't want/need to :-)

1 like
d3xt3r:

Check the difference between RBAC and ACL, and where and why which should be used.

1 like
_chris:

Thanks for all your answers. I guess it is fine to add another role just for that user, especially if it's going to be reused.

1 like
jekinney:

@zachleigh is right on the money. If you have a possibility of many users requiring permissions it really does get messy fast trying to keep track of who has access to what and updating as needed. If you have a small set of users (internal business app, personal site etc.) it's not a huge deal. But imagine a big forum with hundreds of moderators, different admin levels etc.; users with just a bunch of permissions would almost be impossible to manage.

_chris:

After thinking about this a little more, I've come full circle :)

Consider this scenario:

There are 2 roles: 'manager' and 'user'.

Manager can: 'invite_users', 'view_users', 'edit_users', 'delete_users'.

User can: 'view_users'

UserA signs up to the website and is assigned the role of 'manager'. UserA invites UserB who gets added to the site with the role of 'user'.
UserA then invites UserC who is also assigned as a 'user'. However, UserA would like UserC to be able to delete users as well as view them. But UserC should not be able to edit users or invite users.

So, essentially UserC needs a new role 'UserWhoCanDelete'? But then I'd potentially need 'UserWhoCanEdit' and 'UserWhoCanDeleteAndEdit' etc.

Wouldn't it be better to allow UserA to edit UserC's permissions and check the specific permissions they require?

Then in the code I'd be doing something like:

Auth::user()->hasPermissionTo('delete_users'); 

rather than:

Auth::user()->hasRole('user_that_can_delete');

Or maybe there is a better way?

ohffs:

You can mix and match roles depending on the circumstance. Maybe in 90% of your app using the role makes sense as it covers all the functions, but there are corners where you would just check the permission directly. Don't try and shoe-horn one or the other - you'll drive yourself mad :-)

I think you're maybe looking at roles as direct mappings to permissions too. They are usually more like 'editor' (can create/edit/spam-flag any post), 'admin' (can do anything to anything), 'moderator' (can spam-flag posts) etc. If you think in real life - you have a manager, a doctor, a programmer - you don't have a role of 'personWhoCanEditCodeAndCommitToGitAnd...', 'personWhoCanPrescribeMedicineAndDoExaminationsAnd...' :-)
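As an added example (not code from this thread, from Laravel, or from any roles package), here is a plain-PHP sketch of the design _chris describes in the scenario above and ohffs's "mix and match" advice: users get their permissions from roles, a single user can additionally be granted a permission directly (what a user_permissions pivot table would hold), and `hasPermissionTo()` checks the union of the two. It also keeps track of where each permission came from, which is the thing zachleigh and jekinney warn gets lost when overrides pile up. The class names, method names (`givePermissionTo`, `permissionSources`) and the sample users are assumptions made for this illustration; in a Laravel app the check would be wired into a Gate definition or a policy rather than called on a bare class.

```php
<?php
// Added illustration: roles as a grouping of permissions, plus per-user
// direct grants, with the effective set and its provenance derivable on demand.
// Constructed for this example; not a Laravel or package API.

final class Role
{
    /** @param string[] $permissions */
    public function __construct(public readonly string $name, public readonly array $permissions) {}
}

final class User
{
    /** @var array<string, Role> keyed by role name (the role_user pivot) */
    private array $roles = [];
    /** @var array<string, true> permissions granted directly (the user_permissions pivot) */
    private array $directPermissions = [];

    public function __construct(public readonly string $name) {}

    public function assignRole(Role $role): self
    {
        $this->roles[$role->name] = $role;
        return $this;
    }

    // The override _chris asks about: one extra permission for one user, no new role.
    public function givePermissionTo(string $permission): self
    {
        $this->directPermissions[$permission] = true;
        return $this;
    }

    public function hasRole(string $role): bool
    {
        return isset($this->roles[$role]);
    }

    /** @return array<string, string[]> permission => where it comes from ('role:<name>' or 'direct') */
    public function permissionSources(): array
    {
        $sources = [];
        foreach ($this->roles as $role) {
            foreach ($role->permissions as $permission) {
                $sources[$permission][] = 'role:' . $role->name;
            }
        }
        foreach (array_keys($this->directPermissions) as $permission) {
            $sources[$permission][] = 'direct';
        }
        ksort($sources);
        return $sources;
    }

    /** Effective permissions: the union of every role's permissions and the direct grants. */
    public function permissions(): array
    {
        return array_keys($this->permissionSources());
    }

    // The check the thread settles on: ask about the permission, not about a role name.
    public function hasPermissionTo(string $permission): bool
    {
        return isset($this->permissionSources()[$permission]);
    }
}

// Sample data constructed to match the scenario in the thread.
$manager = new Role('manager', ['invite_users', 'view_users', 'edit_users', 'delete_users']);
$user    = new Role('user',    ['view_users']);

$userA = (new User('UserA'))->assignRole($manager);
$userB = (new User('UserB'))->assignRole($user);
$userC = (new User('UserC'))->assignRole($user)->givePermissionTo('delete_users');

// UserC can delete and view, but still cannot edit or invite.
var_dump($userC->hasPermissionTo('delete_users')); // bool(true)
var_dump($userC->hasPermissionTo('edit_users'));   // bool(false)
var_dump($userB->hasPermissionTo('delete_users')); // bool(false)
var_dump($userA->hasRole('manager'));              // bool(true)

// Audit view: every permission with its origin, so overrides stay visible.
foreach ([$userA, $userB, $userC] as $u) {
    foreach ($u->permissionSources() as $permission => $from) {
        printf("%-6s %-13s via %s\n", $u->name, $permission, implode(', ', $from));
    }
}
```

The `permissionSources()` listing is the part worth keeping even if you mostly check roles: it lets you answer "who can delete users, and why?" from the data itself, which is what makes a handful of direct grants manageable rather than the mess the earlier replies describe. Revoking a direct grant is then a single row delete, whereas removing a permission from a role changes every holder of that role at once.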
