Mobjr1234's avatar

Roles and Permissions Method

Let's say I have a company that can sell items, post information about themselves, and update users via a status, all through their dashboard. This company is known as User A.

Now let's say I have a user who can buy things, search for a company's status/info, etc., all through their dashboard. This user is known as User B.

Utilizing Laravel 5.1's Auth/ACL (Roles and Permissions), how can I...

Allow User A to give User B permissions (via email verification) to update User A content.

For example, User B can search, purchase, and view updates from a business. Let's say there is a local business (User A) that User B wants to join. The business (User A) doesn't want to give User B full access to all of their information, so they assign User B permissions to manage certain things, like updating User A's information. How can I allow User B to edit their own personal information while having the authentication/authority to edit User A's information?

Please note this is the exact same setup Facebook has with their "Pages" feature. A Facebook member can search pages, while having the ability to edit one if the privilege was given to them.

jlrdw's avatar

By adding roles to the user table, you could have one table for users, another for companies, and set up relations that way.
Similar to how a user can edit only their own blog. And there are thousands of blog tutorials out there.
It never hurts drawing out relations with pencil and paper first.

Mobjr1234's avatar

My approach to this problem is adding another column to the 'role_user' pivot table called assigner_id. My question now ... is it safe to allow one user to access another user's info via their $id? In the example above, User A assigns User B a role. In the role_user table (tutorial: https://laracasts.com/series/whats-new-in-laravel-5-1/episodes/16), User A's $id will be saved to assigner_id. When User B logs in, they will be passed User A's $id. User B can now update specific information for User A based on roles and permissions. How safe is this method, as long as User A's $id is in a protected function?
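An added example, not part of the thread and not any poster's code: a framework-free sketch of the server-side check the assigner_id design depends on, where the target id from the request is treated as untrusted and re-checked against the pivot on every call. The `verified_at` column, the role and permission names, the sample rows and the `canActOn()` helper are all assumptions made for illustration.

```php
<?php
// Constructed sample data. role_user carries the assigner_id column described
// in the post; verified_at (assumed) stands in for the e-mail verification step.
$rolePermissions = [
    'page_editor' => ['company.update_info', 'company.post_status'],
    'member'      => [],
];
$roleUser = [
    ['user_id' => 2, 'role' => 'page_editor', 'assigner_id' => 1, 'verified_at' => '2015-09-01'],
    ['user_id' => 3, 'role' => 'page_editor', 'assigner_id' => 1, 'verified_at' => null],
    ['user_id' => 2, 'role' => 'member',      'assigner_id' => 7, 'verified_at' => '2015-09-02'],
];

/**
 * $actorId must come from the server-side session, never from the request.
 * $targetOwnerId is the id taken from the URL or form, so it is untrusted:
 * knowing or guessing it grants nothing without a matching, verified grant.
 */
function canActOn(int $actorId, int $targetOwnerId, string $permission,
                  array $roleUser, array $rolePermissions): bool
{
    if ($actorId === $targetOwnerId) {
        return true; // simplification: owners manage their own records
    }
    foreach ($roleUser as $grant) {
        if ($grant['user_id'] === $actorId
            && $grant['assigner_id'] === $targetOwnerId
            && $grant['verified_at'] !== null
            && in_array($permission, $rolePermissions[$grant['role']] ?? [], true)) {
            return true;
        }
    }
    return false; // default deny
}

// User A = 1, User B = 2, unverified invitee = 3, unrelated companies = 7 and 9.
$cases = [
    'B updates A info (verified grant)'      => [2, 1, 'company.update_info'],
    'B updates own profile'                  => [2, 2, 'user.update_profile'],
    'B updates company 7 (member role only)' => [2, 7, 'company.update_info'],
    'B updates company 9 (id changed in URL)' => [2, 9, 'company.update_info'],
    'B deletes A (permission not in role)'   => [2, 1, 'company.delete'],
    'User 3 updates A (e-mail not verified)' => [3, 1, 'company.update_info'],
];
foreach ($cases as $label => [$actor, $target, $perm]) {
    $ok = canActOn($actor, $target, $perm, $roleUser, $rolePermissions);
    printf("%-42s %s\n", $label, $ok ? 'allow' : 'deny');
}
```

In a Laravel application the same comparison would sit in a policy or gate check invoked on every update request, so that the id in the route is only a lookup key and the authenticated user's grants decide the outcome.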

Mobjr1234's avatar

This may be a helpful way to look at it...

User B can have the role of a standard user and a business with 1 email, and will only be able to access pages where the user's roles permit.
