
vincent15000

Is it secure to define roles in a config file?

Hello,

I have to assign some roles to the users. I know the spatie package, but it's not necessary for me.

I ask myself about security.

Is it secure to define some roles in a roles.php file in the config folder?

Like this one?

<?php

return [

    'ADMIN' => [
        'title' => 'Administrateur',
        'code' => 1,
    ],
    'SUPERADMIN' => [
        'title' => 'Super-Administrateur',
        'code' => 2,
    ],
    'AUTHOR' => [
        'title' => 'Auteur',
        'code' => 3,
    ],
    'PLAYER' => [
        'title' => 'Joueur',
        'code' => 4,
    ],
    'default' => 4,

];

Or is it better to have a role model (but not necessary for me because there will never be other roles and there is no need for the admin to manage / add / ... the roles from the app)?

Thanks for your answer.

Vincent

0 likes
6 replies
Sinnbeck
Best Answer

I don't see why not. They can only be changed in code (php), meaning users can't change them.

The important part is just to make sure to check for these properly using gates :)

1 like
vincent15000

Thanks, I wanted to test it via middlewares. I don't know very well the difference between guards and policies. I frequently use middlewares and policies, never guards.

Is the use of guards a better practice?

erikwestlund

Middleware works fine. If you want peace of mind, write tests and assert against the response code.

jlrdw

I know you want a config file, but curious why not a roles table.

Sinnbeck

Same thing, different ways of implementing. A policy is just a class for a gate that is used for a specific resource :)

Gates provide a simple, Closure based approach to authorization while policies, like controllers, group their logic around a particular model or resource.

1 like
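As an added example (not code from the thread or from Laravel itself), here is how the roles.php config above can back both a gate, as the accepted answer suggests, and a policy, as the gates-versus-policies reply describes. It assumes an integer `role` column on the users table holding one of the config `code` values, and a hypothetical `Post` model with a `user_id` column.

```php
<?php
// Added example, not from the thread. Assumes `users.role` stores one of the
// `code` values from config/roles.php, and a hypothetical App\Models\Post.

use App\Models\Post;
use App\Models\User;
use Illuminate\Support\Facades\Gate;

// Resolve a role key from config/roles.php to its numeric code.
// A misspelled key throws instead of silently comparing against null,
// which would otherwise turn a typo into a quiet allow or deny.
function roleCode(string $key): int
{
    $code = config("roles.$key.code");
    if (!is_int($code)) {
        throw new RuntimeException("Unknown role key: $key");
    }
    return $code;
}

// Gate: a Closure-based check not tied to any model.
// Register this inside AuthServiceProvider::boot().
// Strict in_array() so a string "1" from tampered input never matches.
Gate::define('manage-users', function (User $user): bool {
    return in_array($user->role, [roleCode('ADMIN'), roleCode('SUPERADMIN')], true);
});

// Policy: the same kind of check, grouped around the Post resource.
// Register it for Post in AuthServiceProvider::$policies.
class PostPolicy
{
    // Admins may update any post; authors only their own; players none.
    public function update(User $user, Post $post): bool
    {
        if (in_array($user->role, [roleCode('ADMIN'), roleCode('SUPERADMIN')], true)) {
            return true;
        }
        return $user->role === roleCode('AUTHOR') && $post->user_id === $user->id;
    }
}

// Both checks are then enforced the same way, e.g.:
//   Route::put('/users/{user}', ...)->middleware('can:manage-users');
//   $this->authorize('update', $post);   // inside a controller action
```

A feature test that hits both routes as a PLAYER and asserts a 403 response code, as erikwestlund suggests, confirms the config values and the checks agree.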
vincent15000

@jlrdw Why not a roles table? The only reason is because I don't need to change the roles system.
