
notomato

Complex permissions (hundreds of permissions/dozens roles)

Just wondering if anyone has tactics to handle larger sets of permissions. Developing an app with 250 permissions and 20 roles (which will probably increase).

Using spatie/laravel-permissions with Policy classes is good so far, but as it gets more complex I think it will become harder to maintain. For example - each permission has a corresponding policy method that will check other business logic. So even if a user has a permission it doesn't mean they can do the thing - other logic has to be checked in the policy (that they have a relationship to the thing, that the thing has the right state etc).

Perhaps creating individual classes for each of those checks? Maybe I could redirect the policy check to individual classes instead of methods? How do other people organise complex permission checks?

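One way to implement the "one class per check" idea from the question above, as an added example that is not part of the original post. It assumes spatie/laravel-permission (for `$user->can()`), a hypothetical `Article` model with `author_id` and `status` columns, and permission names such as `article.update` that are constructed for the example. Everything sits in one namespace here for readability; in a real app each class would live in its own file.

```php
<?php
// Added example, not code from the thread. Assumes spatie/laravel-permission and a
// hypothetical App\Models\Article with `author_id` and `status` columns.

namespace App\Authorization;

use App\Models\Article;
use App\Models\User;

/** A single piece of business logic that must hold in addition to the permission. */
interface Check
{
    public function passes(User $user, Article $article): bool;
}

/** The user must have a relationship to the thing: here, be its author. */
final class IsAuthor implements Check
{
    public function passes(User $user, Article $article): bool
    {
        return $article->author_id === $user->id;
    }
}

/** The thing must be in one of the allowed states. */
final class IsInState implements Check
{
    /** @param string[] $allowed */
    public function __construct(private array $allowed) {}

    public function passes(User $user, Article $article): bool
    {
        return in_array($article->status, $this->allowed, true);
    }
}

/** Composes checks: every one must pass (short-circuits on the first failure). */
final class AllOf implements Check
{
    /** @var Check[] */
    private array $checks;

    public function __construct(Check ...$checks)
    {
        $this->checks = $checks;
    }

    public function passes(User $user, Article $article): bool
    {
        foreach ($this->checks as $check) {
            if (! $check->passes($user, $article)) {
                return false;
            }
        }
        return true;
    }
}

/**
 * The policy becomes a table: ability => [permission name, business check].
 * Adding a 251st permission means adding one row, not one more hand-written method body.
 */
final class ArticlePolicy
{
    /** @return array<string, array{0: string, 1: Check}> */
    private function rules(): array
    {
        return [
            'update'  => ['article.update',  new AllOf(new IsAuthor(), new IsInState(['draft', 'review']))],
            'publish' => ['article.publish', new IsInState(['review'])],
            'delete'  => ['article.delete',  new IsAuthor()],
        ];
    }

    public function update(User $user, Article $article): bool
    {
        return $this->allows('update', $user, $article);
    }

    public function publish(User $user, Article $article): bool
    {
        return $this->allows('publish', $user, $article);
    }

    public function delete(User $user, Article $article): bool
    {
        return $this->allows('delete', $user, $article);
    }

    /** Deny by default: unknown ability, missing permission, or failed check all return false. */
    private function allows(string $ability, User $user, Article $article): bool
    {
        $rule = $this->rules()[$ability] ?? null;
        if ($rule === null) {
            return false;
        }
        [$permission, $check] = $rule;

        // Cheap permission lookup first (spatie caches it), then the business logic.
        return $user->can($permission) && $check->passes($user, $article);
    }
}
```

The policy methods stay explicit so Laravel's `Gate` can discover them, while the rules table and the small `Check` classes are what you actually test and maintain. Each check is unit-testable in isolation, and the `allows()` helper is the single place where the "has the permission AND passes the business logic" rule is enforced, so it cannot be accidentally skipped in one of the hundreds of methods.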
jlrdw

I would probably do this sort of thing by role.

But use scopes to narrow down (fine tune) who can see what.

I have an example scope here. These are just examples only.

https://gist.github.com/jimgwhit/ed44a6c81815804f1ab910ce9eb88d84

A scope can be used with Laravel's built-in gates and permissions, Spatie, or any custom RBAC.

I like "guarding" methods. A logged-in user either has access or does not have access.

But special handling for admin via query scopes.
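An added example of the pattern jlrdw describes (a guarded endpoint plus a query scope that narrows rows by role, with admins bypassing the filter). It is not code from the linked gist or from the thread; it assumes spatie/laravel-permission roles named `admin` and `editor`, and a hypothetical `Article` model with `author_id`, `status` and `team_id` columns. The model and controller are shown in one file with two namespace statements only for the sake of the example.

```php
<?php
// Added example, not from the gist or the thread. Assumes spatie/laravel-permission
// roles 'admin' and 'editor' and a hypothetical Article table with author_id/status/team_id.

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

class Article extends Model
{
    protected $fillable = ['title', 'status', 'author_id', 'team_id'];

    /**
     * Local scope: narrow any Article query to the rows this user may see.
     * Admins get the unfiltered query; every other role gets a restriction.
     */
    public function scopeVisibleTo(Builder $query, User $user): Builder
    {
        if ($user->hasRole('admin')) {
            return $query;                                  // special handling for admin: no filter
        }

        if ($user->hasRole('editor')) {
            return $query->where('team_id', $user->team_id); // editors: everything in their team
        }

        // Everyone else: their own rows plus anything already published.
        return $query->where(function (Builder $q) use ($user) {
            $q->where('author_id', $user->id)
              ->orWhere('status', 'published');
        });
    }
}

namespace App\Http\Controllers;

use App\Models\Article;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class ArticleController extends Controller
{
    public function index(Request $request)
    {
        // "Guard" the method: the user either has access to the listing or does not.
        Gate::authorize('viewAny', Article::class);

        // Then let the scope decide which rows are returned.
        return Article::visibleTo($request->user())->latest()->paginate();
    }

    public function show(Request $request, int $id)
    {
        Gate::authorize('view', Article::class);

        // Resolve the record through the scope, so an id outside the user's
        // scope yields a 404 rather than confirming that the row exists.
        return Article::visibleTo($request->user())->findOrFail($id);
    }
}
```

The split is the point: the gate answers "may this user use this feature at all" (a yes/no per role or permission), and the scope answers "which rows" so that a listing, a `findOrFail`, and a bulk update all apply the same restriction. Because the admin bypass lives in exactly one place, it is easy to audit and easy to cover with a test that asserts a non-admin never sees another team's rows.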
