
jrdavidson's avatar

Deleting Users With Like Roles

I have a list of 50 users. Each user has a role of 1 through 5 (basic-user, editor, site-admin, site-owner, webmaster). I also have an HTML table that lists ALL users with actions such as an edit and delete button. This users.index blade file can only be viewed by site-admins, site-owner, and webmaster.

What I would like to achieve is when the site-admin is viewing this page he can only delete users that have a role LESS than him AND not his user account so I would like that icon to not display for that user row. This also means he cannot delete a user that also has the same role as him.

The same would be true for site-owners and webmasters. They can delete any account that is less than their own role but not delete their own.

How can this be accomplished?

0 likes
10 replies
ohffs's avatar
@foreach ($users as $user)
  @if ($user->role_id < Auth::user()->role_id and $user->id != Auth::user()->id)
    <show delete button>
  @endif
@endforeach

? You could tidy it up in various ways to make it read cleaner, but I guess that's the basic gist :-)

1 like
jrdavidson's avatar

Can I put that in a guard or would that not be the best way? That way I can do @can in the view.

ohffs's avatar

Sure - it'd read more cleanly :-)

jrdavidson's avatar

@ohffs What if in my roles and permissions I have my pivot table where it says what the role can do and let's say site-admin, site-owner, webmaster all have the ability to delete a post however I have to pass in specific role again to see if they can delete the user.

As of right now this is what is currently inside my AuthServiceProvider. I'm not sure if I can extract that to its policy or not but how to add whether or not a user who MIGHT have the permission to delete a user but then to find out if they really can depending on the current user in the list.

public function boot(GateContract $gate)
    {
        parent::registerPolicies($gate);

        foreach($this->getPermissions() as $permission) {
            $gate->define($permission->name, function($user) use ($permission) {
                return $user->hasRole($permission->roles);
            });
        }

        $gate->define('delete-user', function($user) {
            
        });
    }

    protected function getPermissions()
    {
        return Permission::with('roles')->get();
    }
ohffs's avatar

There's no problem adding extra 'manual' gates. Or do you mean you might have a permission/role that might conflict with it?

jrdavidson's avatar

Maybe this will help.

I'm currently trying to find out if you can add a Gate Facade to a Policy or if there's a better way to handle my situation.

I have a list of users with each having ONE role and each role can have MANY permissions. All of this is stored in my database with the correct relationships established in my models.

I am trying to show or not show a delete icon based on whether a user can delete another user in my HTML list of users.

Example:

Let's say user1 has a role of 3 which is a site-admin. Site admins have the permission to delete users, however they are NOT able to delete other users who have the same role as them or a role higher than theirs.

When user1 accesses the /users uri they are shown the HTML table of users in the database and as the last table column are the actions that can be performed on the row for that user row. The available action icons are edit and delete. For the delete icon I want a policy to be run to make sure that the authenticated user can delete users first but also pass the current row's user object and see if the user has the same role id or higher in which case it will NOT display that icon.

<?php

namespace App\Policies;

use App\User;

use Illuminate\Auth\Access\HandlesAuthorization;

class UserPolicy
{
    use HandlesAuthorization;

    /**
     * Create a new policy instance.
     *
     * @return void
     */
    public function __construct()
    {
        //
    }

    public function delete(User $user) {
        return Auth::user()->role->permission and $user->role_id < Auth::user()->role_id and $user->id != Auth::user()->id;
    }
}

/resources/views/partials/tables/actions.blade.php

<td class="actions">
    <a href="{{ route('users.edit', $user->id) }}" class="btn btn-sm btn-icon btn-pure btn-default" data-toggle="tooltip" data-original-title="Edit"><i class="icon wb-edit" aria-hidden="true"></i></a>
    <a href="{{ route('users.show', $user->id) }}" class="btn btn-sm btn-icon btn-pure btn-default" data-toggle="tooltip" data-original-title="Show"><i class="icon wb-eye" aria-hidden="true"></i></a>
    @can('delete-user', $user)
        <form class="inline" method="POST" action="{{ route('users.delete', [$user->id]) }}">
            {{ method_field('DELETE') }}
            <input type="hidden" name="_token" value="{{ csrf_token() }}">
            <button type="submit" class="btn btn-sm btn-icon btn-pure btn-default on-default" data-toggle="tooltip" data-original-title="Delete"><i class="icon wb-trash" aria-hidden="true"></i></button>
        </form>
    @endcan
</td>
ohffs's avatar

Have you tried doing it? I'm not sure if you have a problem :-)

jrdavidson's avatar

Are you saying I can do...

return Gate::denies('delete-user') and $user->role_id < Auth::user()->role_id and $user->id != Auth::user()->id;
jrdavidson's avatar

It's not showing the delete icon at all as the webmaster.
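
The rule this thread is after (has the permission, not your own account, strictly lower role), written out as an added example that is not part of any post above. It is plain PHP so it runs without Laravel; `SketchUser`, `canDeleteUser()` and the `permissions` array are hypothetical stand-ins for the poster's models, and the user list is constructed sample data.

```php
<?php
// Added example, not code from the thread. SketchUser and canDeleteUser() are hypothetical names.
final class SketchUser
{
    public function __construct(
        public int $id,
        public string $name,
        public int $role_id,            // 1 basic-user ... 5 webmaster, as in the thread
        public array $permissions = []  // stands in for the role's permission pivot rows
    ) {}
}

function canDeleteUser(SketchUser $actor, SketchUser $target): bool
{
    // 1. The actor's role must carry the permission at all.
    if (!in_array('delete-user', $actor->permissions, true)) {
        return false;
    }
    // 2. Never the actor's own account.
    if ($actor->id === $target->id) {
        return false;
    }
    // 3. Strictly lower role only: an equal or higher role is refused.
    return $target->role_id < $actor->role_id;
}

// In a Laravel gate the closure receives the authenticated user first and the
// arguments given to @can after it, so this body maps onto
//   $gate->define('delete-user', function ($user, $target) { ... });
// Hiding the icon is only cosmetic: the users.delete route handler has to run
// the same check, because a DELETE request can be sent without the form.

// Constructed sample data.
$del = ['delete-user'];
$users = [
    new SketchUser(1, 'basic', 1),
    new SketchUser(2, 'editor', 2),
    new SketchUser(3, 'admin-a', 3, $del),
    new SketchUser(4, 'admin-b', 3, $del),
    new SketchUser(5, 'owner', 4, $del),
    new SketchUser(6, 'webmaster', 5, $del),
];

// For each viewer, list the rows that would get a delete button.
foreach ([$users[2], $users[5], $users[1]] as $actor) {
    $deletable = array_filter($users, fn ($t) => canDeleteUser($actor, $t));
    printf("%-9s may delete: %s\n", $actor->name,
        implode(', ', array_map(fn ($t) => $t->name, $deletable)) ?: '(nobody)');
}
```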
