davorminchorov

What’s your take on single role vs multiple roles per user?

I’ve been working on a few different projects where I’ve noticed some of the potential pros and cons of using single vs multiple roles per user from a developer experience point of view and feature complexity.

Some of the pros for having a single role per user include:

  • There’s no need for the code to contain a bunch of different role combination checks like if admin, add delete post button on the user facing app.

Some of the cons include:

  • Having to potentially implement separate apps for each user role (an admin / CMS panel for administrators, moderators, translators etc., a separate seller portal for the sellers, a separate user-facing app for the potential buyers etc.).
  • It might be annoying for a seller not being able to buy an item from the site and having to create a separate account just for buying; a similar case is the admin who won't be able to access the user-facing app with the same account but will be able to manage everything from the CMS only.

The pros and cons for the multiple roles per user scenario would be the opposite of the ones above.

What’s your take on this idea when building an architecture for your Laravel projects?

Also, how do you prefer to build the user roles for your project and what are some of the pros and cons that you have encountered so far?

4 replies
jlrdw

Each app will be different. An example is Tricare (Humana Military). They have:

  • patient portal login
  • Providers login
  • Government login

So if a doctor happens to be a patient also (has Tricare), they have to log in using the patient portal as a patient.

But most general apps, just one users table with roles (multiple as required). A real example of one I had is:

  • Bob is an admin

  • Suzy is admin and does bookkeeping

  • Mary is a bookkeeper only

  • If Bob is logged in, Bob can only do admin stuff and all access to user stuff. But Bob cannot mess with bookkeeping.

  • If Suzy is logged in she can access admin stuff and bookkeeping and accounting stuff.

  • If Mary is logged in she cannot mess with admin stuff, but has access to bookkeeping and accounting stuff.

So I just check at method level if the logged-in user's role can or cannot access that method / function.

And use query scopes to let a user edit / view their own data or an admin can access all users data.

So in pseudocode:

public function some_bookkeeping_function()
{
    // 'bkeep' = bookkeeper. chkRole() is the static helper shown further down
    // in this post (assumed here to live on the User model).
    if (! User::chkRole('bkeep')) {
        return redirect('somewhere'); // wherever you redirect to if not authorized
    }
    // Rest of method here only runs if
    // the logged-in user has the required role of 'bkeep'.
}

Again just examples.

Also a Spatie example I saw:

public function update(Request $request, Post $post)
{
    // Aborts unless the logged-in user is both the post's author (the author column
    // holds the user id) and has the 'edit posts' permission.
    if ($post->author !== auth()->user()->id || auth()->user()->cannot('edit posts')) {
        abort(404); // or redirect, or whatever action
    }
    // rest of method if all okay
}

One exception, not shown, is if an admin wants to see only their own data and not all; you could have a toggle (radio). But I just check in the background if the logged-in user can or cannot do something.

So my take on multiple roles, yes some people will have more than one role. I basically:

  • Use authentication to require login
  • Authorization to determine who can and cannot do something

I know most use an added role table, but I just use a comma separated list for roles. I can do something like:

    // needs: use Illuminate\Support\Facades\Auth;
    public static function chkRole($role = null)
    {
        $user = Auth::user();
        if ($user === null || $role === null) {
            return false; // nobody logged in, or no role asked for: never authorized
        }
        // role column holds e.g. "admin,bkeep"; trim so "admin, bkeep" still matches
        $checkrole = array_map('trim', explode(',', $user->role));
        return in_array($role, $checkrole, true);
    }

But the main thing is, each app is different, and may even have certain requirements.

One more example is the State of Texas. The employee section was a different login than the admin section. So if a supervisor was logged in, and had to take a general training online lesson, they would have to log out and back in as an employee for that portal.

But there is a big difference in a general business app, and a very large enterprise type app.

Just opinions.

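As an added example that is not part of jlrdw's post (and uses no Laravel classes, so it runs on a bare php CLI), here is the comma-separated-role check and the "own data versus all data" scope from the post written out in plain PHP. The User and Record shapes, the chkRole stand-in and the sample rows are assumptions for illustration; the point it adds is the two places a comma-separated role column bites you: whitespace after the comma, and a null user when nobody is logged in.

```php
<?php
// Added example, not code from the thread: framework-free version of the
// comma-separated role check and the own-data/all-data scope jlrdw describes.
// User, chkRole(), someBookkeepingFunction() and visibleRecords() are assumed names.
declare(strict_types=1);

final class User
{
    public function __construct(public int $id, public string $role) {}

    // Split the comma-separated role column into a clean list.
    // Trimming and dropping empties keeps "admin, bkeep" from failing a check for "bkeep".
    public function roles(): array
    {
        $parts = array_map('trim', explode(',', $this->role));
        return array_values(array_filter($parts, fn ($r) => $r !== ''));
    }

    // Strict comparison so "0" or "" can never accidentally match a role name.
    public function hasRole(string $role): bool
    {
        return in_array($role, $this->roles(), true);
    }
}

// Stand-in for chkRole(): no logged-in user must mean "denied", not a fatal error.
function chkRole(?User $user, string $role): bool
{
    return $user !== null && $user->hasRole($role);
}

// Method-level gate, as in the bookkeeping pseudocode.
function someBookkeepingFunction(?User $user): string
{
    if (!chkRole($user, 'bkeep')) {
        return 'redirect:/not-authorized';
    }
    return 'bookkeeping page';
}

// In-memory version of the query scope: admins see every row, everyone else only their own.
function visibleRecords(User $user, array $records): array
{
    if ($user->hasRole('admin')) {
        return $records;
    }
    return array_values(array_filter($records, fn ($r) => $r['owner_id'] === $user->id));
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("failed: $what");
    }
}

// Constructed sample data (Bob, Suzy and Mary from the post).
$bob  = new User(1, 'admin');
$suzy = new User(2, 'admin, bkeep');   // note the space after the comma
$mary = new User(3, 'bkeep');
$records = [
    ['id' => 10, 'owner_id' => 2],
    ['id' => 11, 'owner_id' => 3],
];

expect(someBookkeepingFunction($bob)  === 'redirect:/not-authorized', 'Bob is admin only');
expect(someBookkeepingFunction($suzy) === 'bookkeeping page',         'Suzy has bkeep despite the space');
expect(someBookkeepingFunction($mary) === 'bookkeeping page',         'Mary is a bookkeeper');
expect(someBookkeepingFunction(null)  === 'redirect:/not-authorized', 'anonymous is denied, not crashed');
expect(count(visibleRecords($bob, $records))  === 2, 'admin sees all rows');
expect(count(visibleRecords($mary, $records)) === 1, 'Mary sees only her own row');
echo "ok\n";
```

Run it with `php example.php`; it prints `ok` when every check passes. The `null` case is the one worth keeping in mind: the post's `Auth::user()->role` throws on a guest request, which is a crash rather than a denial.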
martinbean

@davorminchorov It’s not a matter of preference or weighing up pros and cons; it’s what your business logic dictates.

If your business logic dictates a user should only have one role then go with single roles. If your business logic dictates that a user can have multiple roles then go with multiple roles.

For the checking in “applications” you can then check the role(s) using middleware. If a user can have multiple roles then you could take a similar approach to Passport, where you can check if a user has any one of, or all of, the specified roles:

// Check user has at least one of the specified roles
// Will allow request if user has either foo or bar role
$this->middleware('roles:foo,bar');

// Check user has all of the specified roles
// Will only allow request if user has both foo and bar roles
$this->middleware('role:foo,bar');
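Added example, not code from martinbean's post nor from Laravel or Passport: a framework-free sketch of the two middleware checks described above, "at least one of" versus "all of" the listed roles. The Request, User and middleware class names are assumptions; the comma-separated parameter list is passed the way Laravel hands `'roles:foo,bar'` to a middleware's `handle()`. It also handles the edge case the two semantics differ on: an empty role list.

```php
<?php
// Added example, not from the thread: "any of" vs "all of" role middleware in plain PHP.
// RoleMiddleware, AnyRole, AllRoles, Request and User are assumed names.
declare(strict_types=1);

final class User
{
    public function __construct(public array $roles) {}
}

final class Request
{
    public function __construct(public ?User $user) {}
}

abstract class RoleMiddleware
{
    // Laravel splits 'roles:foo,bar' into separate arguments after $next.
    public function handle(Request $request, callable $next, string ...$roles)
    {
        // Misconfiguration guard: with no roles, "all of" would be vacuously true
        // and wave everyone through, so refuse to register such a check at all.
        if ($roles === []) {
            throw new InvalidArgumentException('role middleware registered without any role');
        }
        if ($request->user === null || !$this->authorised($request->user->roles, $roles)) {
            return 'HTTP 403';               // a real middleware would abort(403)
        }
        return $next($request);
    }

    abstract protected function authorised(array $have, array $required): bool;
}

// 'roles:foo,bar': allow if the user holds any one of the listed roles.
final class AnyRole extends RoleMiddleware
{
    protected function authorised(array $have, array $required): bool
    {
        return array_intersect($required, $have) !== [];
    }
}

// 'role:foo,bar': allow only if the user holds every listed role.
final class AllRoles extends RoleMiddleware
{
    protected function authorised(array $have, array $required): bool
    {
        return array_diff($required, $have) === [];
    }
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("failed: $what");
    }
}

// Constructed requests.
$next   = fn (Request $r) => 'HTTP 200';
$fooOnly = new Request(new User(['foo']));
$both    = new Request(new User(['foo', 'bar']));
$anon    = new Request(null);

expect((new AnyRole)->handle($fooOnly, $next, 'foo', 'bar') === 'HTTP 200', 'any: foo suffices');
expect((new AllRoles)->handle($fooOnly, $next, 'foo', 'bar') === 'HTTP 403', 'all: foo alone is not enough');
expect((new AllRoles)->handle($both, $next, 'foo', 'bar') === 'HTTP 200', 'all: foo and bar pass');
expect((new AnyRole)->handle($anon, $next, 'foo') === 'HTTP 403', 'guest is rejected');
try {
    (new AllRoles)->handle($both, $next);
    expect(false, 'empty role list must not be accepted');
} catch (InvalidArgumentException) {
    // expected
}
echo "ok\n";
```

Run with `php example.php`. The guard on an empty list is the design choice worth copying: a typo that leaves `'role:'` without arguments should fail loudly at request time rather than silently authorise everyone.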
bugsysha

Almost all of the projects I've worked on had users with multiple roles. Key point is to make it simple and not include unnecessary packages unless you absolutely need every feature that package offers.

The only thing I needed to do in most of those projects was just to add a few methods to the User class like isAdmin, isManager, isEmployee, and just handle authorization with policies.

Like I said. Keep It Simple Stupid.

Snapey

Most of my projects have simple roles, but occasionally more complexity is needed and there I use the Spatie permissions package.

The best way I have found to use it is to create permissions for all the controlled functions, then just check if the user can perform that function.

For instance a permission could be delete users (permission 'users.delete') and the code only needs to check if I have that permission.

I could have been assigned that permission by having a role which grants it. I have admin views that create roles, assign permissions to roles and then assigns roles to users. I would always go with the ability to assign multiple roles to a user since there is not really any downside to restricting it.

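Added example, not the Spatie package's code nor from Snapey's post: a framework-free model of the layout described above, where permissions name the controlled functions (`users.delete`), roles bundle permissions, a user can hold several roles, and application code only ever asks "can this user do X?". The `Authorizer` class, the role table and `deleteUser()` are constructed for illustration; `deleteUser()` plays the part of the policy check bugsysha mentions, and the permission lookup is what such a policy would call.

```php
<?php
// Added example, not from the thread or the Spatie package: permissions resolved
// through a user's (possibly several) roles. Authorizer and deleteUser() are assumed names.
declare(strict_types=1);

final class Authorizer
{
    /** @var array<string, array<string, true>> role name => set of permissions it grants */
    private array $rolePermissions = [];

    // What the "assign permissions to roles" admin view would write.
    public function grant(string $role, string ...$permissions): void
    {
        foreach ($permissions as $p) {
            $this->rolePermissions[$role][$p] = true;
        }
    }

    // Union of permissions across every role the user holds (sorted for stable output).
    public function permissionsFor(array $roles): array
    {
        $perms = [];
        foreach ($roles as $role) {
            $perms += $this->rolePermissions[$role] ?? [];   // an unknown role grants nothing
        }
        ksort($perms);
        return array_keys($perms);
    }

    // The only question application code asks: does any held role grant this permission?
    public function can(array $roles, string $permission): bool
    {
        foreach ($roles as $role) {
            if (isset($this->rolePermissions[$role][$permission])) {
                return true;
            }
        }
        return false;
    }
}

// Controller / policy code checks the permission, never the role name.
function deleteUser(Authorizer $auth, array $roles, int $targetId): string
{
    if (!$auth->can($roles, 'users.delete')) {
        return 'HTTP 403';
    }
    return "deleted user $targetId";
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("failed: $what");
    }
}

// Constructed role table.
$auth = new Authorizer();
$auth->grant('admin', 'users.view', 'users.delete');
$auth->grant('support', 'users.view');

expect($auth->can(['support'], 'users.view'),               'support can view');
expect(!$auth->can(['support'], 'users.delete'),            'support cannot delete');
expect($auth->can(['support', 'admin'], 'users.delete'),    'second role adds the permission');
expect(!$auth->can(['ghost'], 'users.view'),                'undefined role grants nothing');
expect($auth->permissionsFor(['support', 'admin']) === ['users.delete', 'users.view'], 'union of roles');
expect(deleteUser($auth, ['admin'], 7) === 'deleted user 7', 'admin may delete');
expect(deleteUser($auth, ['support'], 7) === 'HTTP 403',     'support may not delete');
echo "ok\n";
```

Run with `php example.php`. Because `deleteUser()` names the permission rather than a role, adding a new role later (say a "user manager" who may delete but is not an admin) is a change to the role table only, with no code edits at the call sites.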
