
warpig (Level 12)

Roles and abilities

What's the norm on these things? Is it viable to have a bunch of abilities assigned to 1 role? Or 1 ability per role? What's your experience from the real world? My database has 1 role so far, "moderator", and 4 abilities, Create, Read, Update and Delete. This role has all 4 assigned. Are there cases where users only have 1 ability? What's the weirdest or what's the best practice out there, to set only 1 role? I might publish this one and since there will be an external person, a person I trust, I would have to assign roles but if I have just 1 role, would that do?

0 likes
3 replies
jlrdw

I've been doing this for years, since before Laravel existed. I know and realize it comes with out-of-the-box authentication and authorization; however, you would not believe how much easier it is just to protect each method the way you see fit.

I do use out-of-the-box authentication; however, I protect each method independently, verifying that the required role for a method matches the logged-in user's role.

Use Query Scopes to fine-tune who can do what, in other words an admin might be able to see all, but a user can only see their data.

And try not to use the user ID from a query string; instead use the authorized user's ID.

Just a few thoughts on this.

So in pseudocode (written out here as a PHP controller method; chkRole is the helper shown further down):

    public function makeInvoice()
    {
        // bkeep = bookkeeper; bail out before any model method is called
        if (! self::chkRole('bkeep')) {
            return redirect('somewhere'); // wherever you redirect to
        }
        // Rest of method here runs only if
        // the logged-in user has the required role of 'bkeep'.
    }

Edit: and yes there are users with multiple roles, but I only care about one role at a time.

1 like
warpig (Level 12)

Thanks, so always check for the role in methods; nothing like being too specific. I mean it won't hurt. Does this apply to all functions? Or is it more leaned towards the User model? Or more about the actual things that you can do inside the website, like RESTful API methods? So always keep in mind roles, and in that way I can customize or redirect to a route, depending on the case.

It totally makes sense. Instead of letting the user hit or view a server message like a 413 or a 404, redirect somewhere or have a custom message for them. So taking care of "dead ends" and "loose ends".

jlrdw

Controller, because you call a model method from the controller and return the results, so the model method is never called if the role does not pass the scrutiny.

I mainly apply RBAC (Role-Based Access Control).

Like I said I use built-in authentication, but I have custom authorization.

What I usually tell people is, until they're very familiar with Laravel and authorization, to learn the out-of-the-box first; for experienced programmers it's okay to use custom, just not if you are new.

Just an example of checking a role:

    // needs: use Illuminate\Support\Facades\Auth;

    /**
     * Return true when the logged-in user holds $role.
     * Roles are stored as a comma-separated string on the user record,
     * e.g. "admin,bkeep".
     */
    public static function chkRole($role = null)
    {
        $user = Auth::user();
        if ($user === null || $role === null) {
            return false; // guests (and an empty role name) never pass
        }
        $checkrole = array_map('trim', explode(',', (string) $user->role));
        return in_array($role, $checkrole, true);
    }
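The three rules from the replies above (check the role in the controller before any model method runs, use a query scope to limit what a non-admin can see, and take the owner from the authenticated user rather than from a query-string parameter), as an added example in one file. This is not code from the thread; it assumes a `role` column on `users` holding comma-separated role names and an `invoices` table with a `user_id` column.

```php
<?php
// Added example, not from the thread. Assumptions: users.role holds
// comma-separated role names such as "admin,bkeep"; invoices.user_id
// stores the owning user's id.

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Auth;

class User extends Authenticatable
{
    // True when this user holds $role (same idea as chkRole above).
    public function hasRole(string $role): bool
    {
        $roles = array_map('trim', explode(',', (string) $this->role));
        return in_array($role, $roles, true);
    }
}

class Invoice extends Model
{
    // Query scope: an admin sees every invoice, anyone else only their own.
    public function scopeVisibleTo(Builder $query, User $user): Builder
    {
        return $user->hasRole('admin') ? $query : $query->where('user_id', $user->id);
    }
}

class InvoiceController extends Controller
{
    public function show(Request $request, int $id)
    {
        $user = Auth::user();
        // Role check first, so no model method runs for the wrong role.
        if ($user === null || ! $user->hasRole('bkeep')) {
            abort(403); // or redirect('somewhere'), as in the reply above
        }
        // The invoice id comes from the route; the owner is always the
        // logged-in user, never a ?user_id= value supplied by the client.
        $invoice = Invoice::visibleTo($user)->findOrFail($id);
        return view('invoices.show', ['invoice' => $invoice]);
    }
}
```

A request for an invoice the user does not own raises a 404 from `findOrFail` because the scope already filtered it out, so the controller never has to compare ids by hand.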
