@viktort1t0 there is a quite popular package for that: https://github.com/spatie/laravel-permission
Best way to use user roles
I have some ideas about how to use user roles in Laravel, but I would like to know if there is a best practice for that or if you have some suggestions about it. I am gonna use at least 5 roles.
Have you seen the chapter on authorization?
Yes, I know that we have gates and policies for the access of the users. What I'm trying to get is if there is a best practice or something to use user roles.
For example, one way to implement user roles is by creating a table where you can define the different roles and create the policy for every role and then when a user is registered (or created) select the role available from this table and all the policies will apply to that user.
I don't know if there is a better way to do that and that is what I'm trying to get. If the way I describe is the best one available that's ok, but maybe there is a better or different way to do it.
Yes that's one way, I have a comma separated role field in user table.
admin
user
bookkeeper
admin,bookkeeper
//etc
When checking if a required role matches a logged-in user's role, I use the array function explode, then in_array.
If there is a match, return true; if not, false. But there are several ways, as long as what you pick secures the data.
Look at query scopes to ensure the user is seeing their own data:
https://laracasts.com/discuss/channels/laravel/security-in-controller
also
use a package. The framework provides basic policies but roles and permissions are best managed through a package
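The explode / in_array check on a comma-separated role field described above, as an added example that is not code from any poster in this thread. The function names, the `superadmin` role and the choice to treat role names as case-insensitive are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/** Split a comma-separated role field into a clean list of role names. */
function parseRoles(?string $roleField): array
{
    if ($roleField === null || trim($roleField) === '') {
        return [];                       // no roles stored: deny by default
    }
    $roles = array_map('trim', explode(',', $roleField));
    $roles = array_map('strtolower', $roles);   // assumption: names are case-insensitive
    // Drop empty entries left by stray commas such as "admin,,bookkeeper,".
    return array_values(array_filter($roles, fn (string $r): bool => $r !== ''));
}

/** True if the user holds at least one of the required roles. */
function hasAnyRole(?string $roleField, array $required): bool
{
    $held = parseRoles($roleField);
    foreach ($required as $role) {
        // Strict in_array compares whole role names with ===, so "admin"
        // never matches "superadmin" the way a substring search would.
        if (in_array(strtolower(trim($role)), $held, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values for the role column (not real data).
$samples = ['admin', 'user', 'admin,bookkeeper', ' Admin , bookkeeper ', 'superadmin', '', null];

foreach ($samples as $field) {
    printf(
        "%-22s admin=%s bookkeeper=%s\n",
        var_export($field, true),
        hasAnyRole($field, ['admin']) ? 'yes' : 'no',
        hasAnyRole($field, ['bookkeeper']) ? 'yes' : 'no'
    );
}
```

Splitting first and comparing whole names is what keeps the check safe; an empty or null field yields no roles, so every role check on it fails closed.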
What do you mean by using a package??? And why is it better with the package than directly using policies???
@viktort1t0 my advice to folks is:
If you are new to RBAC, then follow Taylor's instructions or use a good package.
However, an experienced PHP developer can do custom RBAC since they know how.
Myself, I programmed in Java technology for years before doing PHP, so I know this stuff.
But if new to it.
Learn all basics very well before wanting to do any custom stuff. And the policies in Laravel are fine.
I just prefer my custom authorization. I use authentication and roles, but I have my own custom classes to verify if a role matches a method requirement.
In fact I used to use separate tables for Admin versus users, actually @snapey is the one that got me using just one table.
A user is a user, go by role. So an admin is still a user with role "admin".
Edit: In the from scratch series there are a couple of free videos covering the basics of authorization.