
yonka
Level 2

Laravel User Permissions based on their roles

I have a sales_invoice table. I want to be able to read all sales invoices made by all system users if my user is a super admin, but if my user is not a super admin, I want to be able to read only the sales made by himself.

User can have many sales_invoice. Sales_invoice belongs to User.

0 likes
3 replies
LaryAI
Level 58

To implement user permissions based on roles in Laravel, you can use policies or directly apply conditions in your query. Here's a simple approach using Eloquent to achieve the desired functionality:

  1. Define User Roles: Ensure that your users table has a column to define roles, for example, role. You might have roles like super_admin and user.

  2. Query Logic: When fetching sales invoices, check the user's role and adjust the query accordingly.

Here's a code example to demonstrate this:

// Assuming you have a User model and a SalesInvoice model

use App\Models\SalesInvoice;
use Illuminate\Support\Facades\Auth;

public function getSalesInvoices()
{
    $user = Auth::user(); // Get the currently authenticated user

    if ($user->role === 'super_admin') {
        // If the user is a super admin, retrieve all sales invoices
        $salesInvoices = SalesInvoice::all();
    } else {
        // If the user is not a super admin, retrieve only their sales invoices
        $salesInvoices = SalesInvoice::where('user_id', $user->id)->get();
    }

    return $salesInvoices;
}

Explanation:

  • Role Check: The code checks the role of the authenticated user. If the user is a super_admin, it retrieves all sales invoices. Otherwise, it filters the sales invoices to only those created by the user.

  • Eloquent Relationships: Ensure that your SalesInvoice model has a relationship defined to the User model, like so:

    // In SalesInvoice model
    public function user()
    {
        return $this->belongsTo(User::class);
    }
    
  • Authentication: This example uses Laravel's built-in authentication to get the current user with Auth::user().

This approach is straightforward and leverages Laravel's Eloquent ORM to handle the database queries efficiently. If your application grows more complex, consider using Laravel's authorization features like Gates and Policies for more granular control.

martinbean

I have a sales_invoice table. I want to be able to read all sales invoices made by all system users if my user is a super admin, but if my user is not a super admin, I want to be able to read only the sales made by himself.

@yonka I’d use a local scope to, well, scope the query based on the user given.

On your SalesInvoice model, you could add a scopeForUser class that conditionally applies a where clause based on the given user’s role(s):

use App\Models\User;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

class SalesInvoice extends Model
{
    // Assumes your User model defines an isSuperAdmin() method
    public function scopeForUser(Builder $query, User $user)
    {
        // Return unmodified query (all records) if user is super-admin
        if ($user->isSuperAdmin()) {
            return $query;
        }

        // Otherwise, filter records to those owned by given user only
        return $query->where('user_id', '=', $user->getKey());
    }
}

Now, you can fetch a list of sales invoices and it will either retrieve all invoices if the user is a super-admin, or filter them to only the given user’s invoices if they’re not a super-admin:

$salesInvoices = SalesInvoice::query()->forUser($request->user())->paginate();

1 like
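Both replies scope the list query, and the first mentions Policies for finer control. As an added example that is not part of this thread, here is a policy that covers the single-record route as well, so an invoice fetched by id is checked the same way the list is filtered. It assumes a User::isSuperAdmin() method, the forUser() scope from the reply above, and Laravel's default policy auto-discovery for App\Models\SalesInvoice.

```php
<?php
// Two files shown together: app/Policies/SalesInvoicePolicy.php (auto-discovered
// for App\Models\SalesInvoice) and the relevant controller actions.
use App\Models\SalesInvoice;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class SalesInvoicePolicy
{
    // Runs before every ability: super admins pass, everyone else falls through
    // to the per-ability method below. Assumes User::isSuperAdmin() exists.
    public function before(User $user, string $ability): ?bool
    {
        return $user->isSuperAdmin() ? true : null;
    }

    public function viewAny(User $user): bool
    {
        return true; // listing is allowed; the list query itself is scoped by forUser()
    }

    public function view(User $user, SalesInvoice $invoice): bool
    {
        // Compare through the relationship rather than a loose == on raw column values
        return $invoice->user()->is($user);
    }
}

class SalesInvoiceController
{
    public function index(Request $request)
    {
        Gate::authorize('viewAny', SalesInvoice::class);
        return SalesInvoice::query()->forUser($request->user())->paginate();
    }

    // Route-model binding loads the invoice by id; the policy decides whether this
    // user may see it, so a non-owner requesting another user's invoice gets a 403
    // instead of the record.
    public function show(SalesInvoice $invoice)
    {
        Gate::authorize('view', $invoice);
        return $invoice;
    }
}
```

The list scope and the policy enforce the same ownership rule in two places; keeping that rule in one helper (here isSuperAdmin() plus the user_id check) avoids the two drifting apart.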
