Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hello,
I'm currently adding roles and permissions in an application.
Here is a short description of this application.
clients have trainings, employees, reports, contacts, ...
trainings have employees, documents and belong to some properties like category, state, place, ...
there are also complex pages (search, complex exports, ...) with datas from clients, trainings, ... on the same page
there are also some actions like exporting datas to Excel depending on several models
I'm using Spatie roles and permissions to manage the permissions. I have chosen to assign permissions only to roles (no direct permissions to users).
For the basic permissions on CRUD actions for categories, states, places, ...), it's quite easy to define the permissions, for example : view any, view one, create, update, delete.
But it's not easy for complex pages.
For example a page display a training : training identity, employees, financial informations, ...
How is it possible to organize the permissions with some hierarchical rules ?
For example :
a role allowed to view the trainings should automatically be allowed to view the clients
but it could be possible that the role isn't allowed to view the employees list for the clients, but allowed to see the training with the registered employees
Do you have any suggestions to organize the permissions ?
Thanks for your help.
V
You know how I like to keep things simple. Where you said:
a role allowed to view the trainings should automatically be allowed to view the clients
I would probably actually make a role named trainings_clients.
Or whatever name to allow the viewing of both. And use scopes or some if constructs to display the data. I have never used a package for RBAC or authorization.
@jlrdw Thank you for your answer ;).
I wanted to try this package from Spatie and now it's installed, effectively it's very easy to do the same by my own.
Well ... what would you suggest me if I need to define roles like Assistant, Member, ... with different permissions and not like trainings_clients ?
In fact trainings_clients is a set of granular permissions. So defining trainings_clients could be a role and Assistant, Member, ... could be super roles which group roles.
Is it better to define roles like Assistant, Member, ... or like trainings, clients, trainings_clients, ... ?
Furthermore what would be the best UI for the user ? An UI with the granular permissions could seem too difficult for some people (perhaps an advanced mode ?), so perhaps it would be better to have an easier UI. According to me, this needs to reflect the business logic.
@vincent15000 there is no issue with combining permissions with && or || just as you wrote in the text description.
Also, just as you said, only apply roles to people, also, only code your app using permissions, never roles.
@Snapey Hello, I have defined policies and the permissions are used inside the policies. So in the controllers and in the views, I'm using only policies ... except for some specific permissions like for example access to a page where there is no model, only in this case I'm using directly the permissions.
According to you it's not really necessary to define sets of permissions in the database ?
To improve the user interface, I have already thought about displaying a checkbox for a specific set of permissions (according to the business logic) and when checking it, I retrieve the related permission from a configuration file.
return [
'permissions' => [
'clients_and_trainings' => [
'view any client',
'view client',
'view any training',
'view training',
'update training',
],
],
];
Do you see some problems doing like this ? Is there a better way to group permissions ?
And if the user needs more flexibility to define the permissions, he can open the advanced mode and display all granular permissions.
According to you it's not really necessary to define sets of permissions in the database ?
Not really sure I get your question. I am saying code to permissions not roles. Group permissions with roles and assign roles to user.
Of course you will have screens and controller for assigning permissions to roles and roles to people.
@Snapey Hmmm ... I'm looking for a way to simplify the user interface so that admins can set their own roles.
I don't want to create a clients_and_trainings role, I want that admins can create Assistant role, Member role, Write role, Manager role, ... and for each role, he can set exactly what he needs.
And for example if the admin create an Assistant role and need to allow view any client, view client, view any training, view training, update training, he can only check clients_and_trainings chechbox instead of having to check the 5 granular permissions.
@vincent15000 Assigning roles or permissions is the easy part, having the code to work out the logic is the hardest.
If a role allows for more than one thing, then just allow in code to view X and Y.
If the role allows viewing only Y, then you have to code that.
I would look at query scopes for a lot of this.
And yes regardless of what other uses say, a query scope can return many combinations of data. They can be used in many ways, but not documented.
I learn more from looking at the code of the framework than the actual laravel documentation.
@vincent15000 yes, of course. Thats what I am saying.
your policies should ask if the user has permission to... not do they have x Role
But my original point was, for your complex views you might need to say can this person see trainings OR can they manage employees. You have to consider combinations of permissions.
Please or to participate in this conversation.