Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
I'm not sure what is the correct way of adding new permissions and roles for laravel-permission package.
Should I add Role and Permission models, and then use
$role = Role::create(['name' => 'writer']);
$permission = Permission::create(['name' => 'edit articles']);
inside my models, or should I just create migrations that will contain the new roles and/or permissions and run those?
Also, if I do this using migration, what is the best way of running migrations on production environment? Using CI/CD pipeline, or some other way?
What I ended up doing on my environment where I ended up with more and more permissions over time was creating a functon in a seeder that runs over an array of groups and permissions, checks if there are any new ones and adds them or removes any it does no longer find. This works for me.
For all the other ones I make sure I know all the permissions I need in the first place and add it to a migration.
Would it be a good idea to create a controller for roles and permissions and views where admin user can just add/remove them as they like? Because I kinda have the hunch that the client may want to add additional roles/permissions as time goes by, that way I don't have to change the code every time they want to change them, no?
Well you could, but then you would have to create all the permissions in GUI after each install / updates and such which makes no sense, better that they already are there after a update / install.
But the roles and permissions get written in the database, so they wouldn't be lost on install/update (or am I missing something)?
On a install you would not have anything in the db (or at least in most cases) so here the user would have to create all of them. On a update you would have the existing ones, but if you introduced anything new you would have to give the user a list of permissions for him to start adding.
On initial deploy I do have a seeder that creates admin user and some basic roles and permissions.
But I do see your point. Say my client added the permissions on staging environment, they'd have to add them in production too, and if the list is long, this could be cumbersome.
Indeed, so again IMO, I would not go that way and instead do it all with seeders / migrations. But I like to keep stuff simple and "documentated".
Please or to participate in this conversation.