
gazmend

What package to use for roles and permissions when a user has many workspaces and each workspace can have a different role?

As the title says, a logged-in user might have one or more workspaces:

Main WorkSpace (Role: owner)

Secondary WorkSpace (Role: admin)

How do I limit a user per workspace? I have used Spatie's laravel-permission, but it doesn't seem like a good fit.

0 likes
7 replies
jlrdw

Use authentication for login. Use authorization to determine what a role can or cannot do. Use scopes as needed.

The "package" used doesn't matter if RBAC is done correctly.

2 likes
jlrdw

@vincent15000 just an example:

  • Bob is an admin

  • Suzy is admin and does bookkeeping

  • Mary is a bookkeeper only

  • If Bob is logged in, Bob can only do admin stuff and has all access to user stuff. But Bob cannot mess with bookkeeping.

  • If Suzy is logged in she can access admin stuff and bookkeeping and accounting stuff.

  • If Mary is logged in she cannot mess with admin stuff, but has access to bookkeeping and accounting stuff.

So I just check at method level whether the logged-in user's role can or cannot access that method / function.

And use query scopes so that a user can edit / view only their own data, while an admin can access all users' data.

Each app will be different as to who can do what.

So in pseudocode:

public function editAccount()  // just an example method name
{
    // bkeep = bookkeeper. hasRole() stands for whatever role check your app provides
    // (a column on the users table, a pivot row, a package method, ...).
    if (! auth()->user()->hasRole('bkeep')) {
        return redirect('somewhere'); // wherever you redirect to if not authorized
    }
    // The rest of the method only runs if
    // the logged-in user has the required role of 'bkeep'.
}

Also another example I saw in a post:

public function update(Request $request, Post $post)
{
    // Both the ownership check and the permission check must pass;
    // either one failing ends the request here.
    if ($post->author !== auth()->user()->id || auth()->user()->cannot('edit posts')) {
        abort(404); // or redirect, or whatever action
    }
    // rest of method if all okay
}

In summary, RBAC is at least 3 main steps:

  • A login required
  • An authorization implementation to determine what the logged-in person with a role can or cannot do
  • Protection of URL and parameters, checking that the logged-in user's id matches the id used in a query

Each application will require unique tweaks in RBAC, no two apps are exactly the same.

2 likes
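The three steps above applied to the original poster's situation (one user, a different role in each workspace), as an added example that is not code from this thread or from any package. It uses plain Eloquent and Laravel's Gate/policies; the schema (a workspace_user pivot with a role column, a projects table) and the class names Project, WorkspacePolicy and ProjectController are assumptions. Because the role is read from the pivot row of the workspace in the current URL on every request, switching workspaces cannot carry a stale role along.

```php
<?php
// Added example (not from the thread): per-workspace roles with plain Eloquent
// and Laravel policies. Several classes are shown in one file for brevity;
// in an application each lives in its own file under app/. Assumed schema
// (hypothetical): users(id, ...), workspaces(id, name),
// workspace_user(user_id, workspace_id, role), projects(id, workspace_id, name).

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Foundation\Auth\User as Authenticatable;

class Workspace extends Model
{
}

class Project extends Model
{
    protected $fillable = ['name'];   // workspace_id is deliberately NOT fillable

    // Step 3 (scope): project queries are pinned to one workspace.
    public function scopeInWorkspace(Builder $query, Workspace $workspace): Builder
    {
        return $query->where('workspace_id', $workspace->id);
    }
}

class User extends Authenticatable
{
    public function workspaces(): BelongsToMany
    {
        return $this->belongsToMany(Workspace::class)->withPivot('role');
    }

    // The role belongs to the (user, workspace) pair, so it is read from the
    // pivot row of the workspace in this request, never cached on the user.
    // Returns null when the user is not a member of that workspace at all.
    public function roleIn(Workspace $workspace): ?string
    {
        return $this->workspaces()->find($workspace->id)?->pivot->role;
    }

    public function hasRoleIn(Workspace $workspace, string ...$roles): bool
    {
        return in_array($this->roleIn($workspace), $roles, true);
    }
}

namespace App\Policies;

use App\Models\User;
use App\Models\Workspace;

// Step 2 (authorization): discovered automatically for App\Models\Workspace.
class WorkspacePolicy
{
    public function view(User $user, Workspace $workspace): bool
    {
        return $user->roleIn($workspace) !== null;      // any member
    }

    public function createProject(User $user, Workspace $workspace): bool
    {
        return $user->hasRoleIn($workspace, 'owner', 'admin');
    }
}

namespace App\Http\Controllers;

use App\Models\Project;
use App\Models\Workspace;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

// Step 1 (login): the routes sit behind the 'auth' middleware, e.g.
//   Route::get('/workspaces/{workspace}/projects', [ProjectController::class, 'index'])->middleware('auth');
class ProjectController extends Controller
{
    public function index(Workspace $workspace)
    {
        // The workspace comes only from the URL; nothing in the body can pick another one.
        Gate::authorize('view', $workspace);            // 403 for non-members
        return Project::inWorkspace($workspace)->get();
    }

    public function store(Request $request, Workspace $workspace)
    {
        // Owner of workspace A but plain 'member' of B: allowed under A, refused under B,
        // because the policy asks for the role in the workspace named in this URL.
        Gate::authorize('createProject', $workspace);

        $project = new Project($request->validate(['name' => ['required', 'string', 'max:100']]));
        $project->workspace_id = $workspace->id;        // taken from the URL, never from the body
        $project->save();
        return $project;
    }
}
```

The thing to check in your own app is that no code path reads the role without naming a workspace (e.g. a `$user->role` column or a role stored in the session at login); any such place is exactly where "switching workspaces" produces the wrong answer.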
vincent15000

@jlrdw OK, thank you, that's very interesting; I hadn't heard of RBAC before. I just had a quick look at it on the web.

When I write policies and protect my controller methods with $this->authorize('update', $post), is it RBAC?

gazmend

@Snapey I tried using it; when switching between workspaces it doesn't get the role it needs to.
