
ovidiu_dtp

Role based resources management

The way I am doing the management of resources with access based on roles feels a bit clumsy. I would appreciate a tutorial about the Laravel way of doing it. Also, how you deal with permissions... This is one of the most important things in a complex app. It would be nice if in the laracast index you could find something about the word "role" or "permission".

0 likes
4 replies
JoshWilley

In our application, we accomplish roles/permissions by looking at a combination of the URI and HTTP Method. We feel this gives us the greatest flexibility.

For example, here is our table structure:

Actions Table

  • name
  • description
  • path
  • method (get, post, put, patch, delete)
  • recursive (explanation further down)

Roles Table

  • name
  • description

Role/Action Pivot Table

  • action_id
  • role_id

User/Role Pivot Table

  • role_id
  • user_id

With this structure, the "Roles" act as a grouping mechanism for actions that the user can perform.

A typical action may look something like this:

Name: Administrator

Description: Access to the dashboard.

Path: /admin

Method: GET

Recursive: 0 (false)

This action would be assigned to a Role, which would then be assigned to a user. If this was the only action the user had, they would only be able to access the "/admin" URI with a GET request.

Explanation of the "recursive" field:

I truly believe this is the secret sauce to our authentication system. It's very simple, but gives tremendous flexibility.

Using the same example as above:

Name: Administrator

Description: Access to the dashboard.

Path: /admin

Method: GET

Recursive: 1 (true)

Now, just by changing the recursive field to true, the user can access any URI under "/admin" recursively.

For example, the user would now be able to access all of the following URIs:

  • /admin
  • /admin/settings
  • /admin/content/1/edit
  • /admin/some/other/page/it/does/not/matter/how/far/you/go

You get the idea...

Just another few examples of the flexibility this provides:

Name: Content Administrator

Description: Access to create new content in the dashboard.

Path: /admin/content

Method: POST

Recursive: 0 (false)


Name: Super User

Description: Complete and total access

Path: /

Method: (NULL)

Recursive: 1 (true)

By leaving the method null, they are allowed to perform any HTTP request.

Obviously there is a ton of logic going on under the hood, but I hope this gives you some ideas about how to handle authentication.

2 likes
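The matching logic behind the table layout above, as an added example that is not JoshWilley's code or part of the thread: it evaluates the actions/roles/pivot rows (path, method with NULL as wildcard, recursive flag) for a request. The sample rows, the user and role ids, and the function names `pathSegments`, `actionMatches` and `isAllowed` are constructed for illustration. The one point worth noticing is that "recursive" is matched on whole path segments, so an action on `/admin` never grants `/administrator`, and dot-segments, duplicate slashes or a trailing slash cannot widen a rule.

```php
<?php
// Added example (not from the thread): a minimal evaluator for the
// URI + HTTP method + "recursive" permission scheme described above.
// Column names follow the post; all rows and ids below are constructed.

declare(strict_types=1);

// Constructed "actions" rows: path, method (null = any method), recursive.
const ACTIONS = [
    1 => ['name' => 'Administrator',         'path' => '/admin',         'method' => 'GET',  'recursive' => false],
    2 => ['name' => 'Administrator (deep)',  'path' => '/admin',         'method' => 'GET',  'recursive' => true],
    3 => ['name' => 'Content Administrator', 'path' => '/admin/content', 'method' => 'POST', 'recursive' => false],
    4 => ['name' => 'Super User',            'path' => '/',              'method' => null,   'recursive' => true],
];

// Constructed pivot rows: role_id => [action_id, ...], user_id => [role_id, ...].
const ROLE_ACTIONS = [
    10 => [1],     // dashboard root only
    11 => [2, 3],  // anything under /admin via GET, plus POST /admin/content
    12 => [4],     // everything
];
const USER_ROLES = [
    100 => [10],
    101 => [11],
    102 => [12],
];

// Split a path into segments so matching is segment-wise, not string-prefix.
// Query strings are dropped; empty segments (duplicate or trailing slashes) are
// removed; dot-segments are rejected so "/admin/../x" cannot ride on an /admin rule.
function pathSegments(string $path): ?array
{
    $onlyPath = parse_url($path, PHP_URL_PATH);
    $segments = array_values(array_filter(
        explode('/', is_string($onlyPath) ? $onlyPath : ''),
        fn(string $s): bool => $s !== ''
    ));
    foreach ($segments as $s) {
        if ($s === '.' || $s === '..') {
            return null;   // caller treats null as "no match"
        }
    }
    return $segments;
}

// Does one action row authorise this method + path?
function actionMatches(array $action, string $method, string $path): bool
{
    if ($action['method'] !== null && strtoupper($action['method']) !== strtoupper($method)) {
        return false;
    }
    $want = pathSegments($action['path']);
    $have = pathSegments($path);
    if ($want === null || $have === null) {
        return false;
    }
    if ($action['recursive']) {
        // Prefix match on whole segments: /admin covers /admin/settings, not /administrator.
        return array_slice($have, 0, count($want)) === $want;
    }
    return $have === $want;   // non-recursive: exact path only
}

// Walk user -> roles -> actions; deny unless some action matches.
function isAllowed(int $userId, string $method, string $path): bool
{
    foreach (USER_ROLES[$userId] ?? [] as $roleId) {
        foreach (ROLE_ACTIONS[$roleId] ?? [] as $actionId) {
            if (actionMatches(ACTIONS[$actionId], $method, $path)) {
                return true;
            }
        }
    }
    return false;
}

// Usage: `php this_file.php`
$requests = [
    [100, 'GET',    '/admin'],
    [100, 'GET',    '/admin/settings'],
    [101, 'GET',    '/admin/content/1/edit'],
    [101, 'GET',    '/administrator'],
    [101, 'GET',    '/admin/../secret'],
    [101, 'POST',   '/admin/content'],
    [101, 'DELETE', '/admin/content/1'],
    [102, 'DELETE', '/anything/at/all'],
];
foreach ($requests as [$userId, $method, $path]) {
    printf("user %d %-6s %-24s => %s\n", $userId, $method, $path, isAllowed($userId, $method, $path) ? 'allow' : 'deny');
}
```

In a Laravel app this check would sit in a middleware and take `$request->method()` and `$request->path()` (which returns the path without the leading slash, which `pathSegments` tolerates) in place of the literals above, with the rows loaded from the four tables instead of constants. The scheme is deny-by-default; the thing to watch when extending it is that every shortcut for "prefix" matching keeps working on segments rather than raw strings.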
ovidiu_dtp

This is more or less how I do it. But I was wondering if there is a smarter pattern that can be used, especially when dealing with multiple roles, each with its own functions and permissions. When you do not have incremental increase in permissions, but custom ones for each role... Is there a design pattern dealing with this?

ovidiu_dtp

In fact, reading it again, it is not how I do it... I missed the recursive part of things. It is interesting. But it forces you to have your routes organized in a specific way, and when you have a lot of routes, that can be a problem. Also, when you have a lot of roles, it can be a problem.

I have a lot of if's to deal with my access. I know now that it is a code smell, but I have a hard time changing the way I do things. Legacy code is hard to change.
