Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

Browse all series

Mastering Permissions in Laravel

User authorization is one of the most complex systems to build in your application, but also one of the most essential. From setting up role-based access and custom policies to exploring advanced permissions - and group-based authorization - you’ll gain the skills needed to build secure, scalable applications. Join me as I guide you through everything required to incorporate a robust user authorization system into your application.

Progress

Series Info

Episodes
17
Run Time
2h 39m
Difficulty
Advanced
Last Updated
Nov 25, 2024
Version
Latest
Play Series

Series Episodes

  1. Authorization Basics (2)

    1. The Admin Column

      The most simple user authorization system relies upon a single "admin" column in the users table. Let's look at how it works in this episode.

    2. Using Gates

      Discover how to use Gates to control access at a more granular level. We’ll explore setting up and defining Gates to enforce permission checks throughout your application.
  2. Building a Roles-Based System (4)

    1. Implementing Role-based Access System

      Role-based systems are extremely common in applications because they're relatively simple to implement and maintain, and they provide more flexibility than the admin column.

    2. Creating Middleware to Guard Routes

      Laravel doesn't have a built-in mechanic for authorizing role-based user access. So, let's create some middleware that provides functionality similar to Laravel's built-in authorization tools.

    3. Making Custom Directives

      We want an easy way to check for a user's role(s) in our views. So, let's create a custom @role directive to emulate Laravel's @can directive.

    4. Loading Roles Into Context

      Checking a user's roles relies upon a database query. So, multiple checks can cause multiple queries. Let's make it more efficient by loading the user's roles into the Context.
  3. Using Policies (5)

    1. Creating Policies

      Laravel's Policies allow us to organize authorization rules into a single class. In this episode, we'll define a policy for working with the Article model/resource.

    2. Defining and Using Abilities

      Policies use ability methods to enforce consistent permissions across our application. In this episode, we'll define ability methods that wrap our role-based authorization logic.

    3. Completing the Policy

      Once you start using a policy for a given model or resource, it makes sense to completely use the policy for user access. Let's fully implement our ArticlePolicy.

    4. Managing Roles

      Role-based systems typically have the ability to create, edit, and delete roles, as well as assign them to users. We'll start to implement those pieces in this episode.

    5. Protecting Roles

      It's not enough to be able to manage roles; we need to protect them from unintended changes. In this episode, we'll implement a system to better protect roles from being changed.
  4. Permissions/Claims and Groups (6)

    1. Transitioning to Permissions

      Role-based systems are very common and provide flexibility, but sometimes you just need more control. In this episode, we'll start to transition to a permission... or claims-based system. Policies make it really easy to do!

    2. Implementing Groups

      Managing the permissions that are assigned to users can be a tedious process, but we can alleviate that by using groups. In this episode, we'll start a group-based system.

    3. Assigning Users to Groups

      Groups are pointless if we can't assign users to those groups. So, in this episode, we'll write the ability to add users to groups. It's nothing new, really--we've done it before but with different entities.

    4. Loading Permissions Into Context

      We can check if a user is in a particular group, but ultimately, it boils down to whether a user has (or not) the permissions to access something. So, we'll load the permissions into the Context to make it easier to check them.

    5. Implementing Negative Permissions

      Negative permissions allow you to explicitly deny access, and they are essential to any permission-based system. This episode will show you how to implement negative permissions in your applications.

    6. Using Enums

      We're human, and since we use string literals throughout the application to check permissions and abilities, we will eventually mistype one of these very important values. Instead, we can refactor our code to rely on enums, which makes our code resistant to errors and easier to maintain.

Continue Learning

Frontend Mentor Challenge with Laravel thumbnail

Frontend Mentor Challenge with Laravel

With Simon Vrachliotis

In this series, we take a Frontend Mentor challenge and build it using Laravel and Tailwind CSS. Rather than chasing pixel-perfect replication, the focus is on pragmatic Laravel and backend logic. Along the way, we explore carts, session state, semantic markup, and UI polish.

  • 27 Episodes
Debugging Real-World Production Nightmares thumbnail

Debugging Real-World Production Nightmares

With Jeremy McPeak

Production bugs don't announce themselves politely. In this series, we confront ten nightmare scenarios using NightmareMart, an intentionally broken e-commerce app, demonstrating how to debug calmly and methodically when everything is on fire.

  • 10 Episodes
Motion For The Web thumbnail

Motion For The Web

With Simon Vrachliotis

Master the art of modern web animation, from subtle CSS transitions to full-blown JavaScript motion systems. This series starts with the fundamentals of smooth, accessible CSS motion, then builds through keyframes, scroll-linked animations, SVG techniques, and the Web Animations API, finishing with powerhouse libraries like Motion.dev, AnimeJS, and GSAP.

  • 43 Episodes
How to Build a Dev Team thumbnail

How to Build a Dev Team

With Matt Stauffer

Resources for learning to code are everywhere. The only hard part is choosing one. But when it comes to learning how to lead a development team, quality resources are incredibly scarce. This course fills that gap. It contains all of the lessons I learned while building the dev team at Tighten, a Laravel consultancy known for producing great work, but with an even better reputation as a fantastic place to work.

  • 12 Episodes
BaseCode Reloaded thumbnail

BaseCode Reloaded

With Jason McCreary

Years and years of hard-fought coding breakthroughs, distilled into sixteen essential lessons.In this course, I'll show you how to write code for humans, not just machines. Together, we’ll review powerful techniques, like naming, structuring, removing clutter, and spotting patterns. These aren’t abstract theories from a dusty book. They’re practical and proven habits that you can apply to your codebase right now. If you’ve ever opened an old file and struggled to understand your own code, this course was made just for you.

  • 16 Episodes