I want to create a RBAC system in laravel where a user can belong to several roles, and each role can have several permissions. The middleware should check if the user has a certain permission (within any of their roles) before it continues with the request.
I am able to implement a case where
A user belongs to one role which has many permissions
A user belongs to several roles which are used to determine access control (without the permissions bit)
I need to implement a user with multiple roles having multiple permissions. Any pointers?
If you are not interested in coding this yourself the a package like Laravel permissions would do exactly what you want.
https://github.com/spatie/laravel-permission
Otherwise you need to create pivot tables between the users ans their roles and the roles and their permissions
So you would have a user_roles table that would consist of user_id and role_I'd.
You would also have a role_permissions table which would have role_id and permission_id.
This would allow you to have many to many relationship and have many through relationship to get straight from user to role and role to user.
Hope that helps
As an overview. You need to have a roles table in your database which defines different types of user's your application can have , Like (Admin, Author, Editor, Moderator etc)
You also need to define a table role_user which contains data on which user has which role. This will be a Many to Many relationship since a user can have multiple roles.
Next you need to define a Middleware CheckRole which basically checks if user has a particular role. You can use this Middleware on different parts of your application to restrict authentication.
You might find this tutorial useful :
https://www.5balloons.info/user-role-based-authentication-and-access-control-in-laravel/
Related
I developed some systems with laravel before, but only with the default user doing the login, now I have to develop a new system with 3 types of users, each one connected to different tables in the database doing different things, in What it could The investigation can be done with roles connected to the users table and this does not help me and my database model is full of recursive relationships that I have been asked to avoid at all costs.
How can I manage different types of user by login without resorting to using roles?
I usually use laravel-permission. Simple and the doc is very clear. Regarding the database, laravel-permission has a roles table that consists of the roles and another table with permissions so you don't need to create a table for each role. Give it a try!
Since I had problem with Passport multi auth, I wonder is it necessary to have an admin guard (and an admins table) or it's better to use the default guard (and users table) for both admins and users with the help of role and permissions? Which is better?
That's a really hard question to answer without more information, but I'll try looking at it from a few perspectives:
You have an application that has users that can turn into admins (and vice-versa)
In this situation, I would probably have a single table that contains an is_admin column and use the column to validate whether the user can perform administration tasks (e.g. by using Laravel's gates). The downside to this is that if you wanted to create a third type of user (e.g. supervisor), you would need to change the model used.
You have an application where users are completely separate from administrators
If you control the administrators and everyone else is just a user, creating separate guards could be used, this does allow for a lot of flexibility in the future if you wanted to implement different authentication flows for both administrators and users (for example, using SAML). If you were to add a third type of user (e.g. supervisor), you could then just create another guard.
You have an application that can have different (customisable) permissions for each user
In this case I would recommend implementing a roles table, a permissions table, a role_permissions table and adding a column called role_id to the user table. This provides the most flexibility and is also usable with the Laravel's gate system, but is probably the most difficult to setup and hardest to maintain.
For the application I develop, we use a mixture of roles and guards. We use roles for users as each user gets a customisable set of permissions. We then use a separate guard for API users which inherit the permissions of the user they were authenticated with.
I plan to develop a system that has three user types (admin, business, personal). I want to have each user types information stored in a separate table for easy access and to reduce the number of blank fields (if they were all in one table).
Having looked at multiple Multi-auth packages available for Laravel, they all appear to be insisting on an approach with URLs like the following:
/admin/login
/business/login
/personal/login
Ideally, I would like to take an approach where the standard Laravel Auth /login can be used meaning that all users log in from the same page.
My knowledge of Laravel is limited so all and any help is appreciated.
The usual approach is to have one users table which has the ID/email/username (as primary key), login credentials and user types for all the users which will be logging into the system. The information however can be stored in separate tables for each type, referencing the foreign key.
After authenticating the user, then you can decide what to do with the user based on the user type.
If you store login credentials in multiple tables, that's data redundancy. Unless you want the same email/username to have more than one user type, but then during login, the user has to decide which user type they want to log into (maybe by selecting a dropdown option).
Update: about user roles
If you need to simply redirect users after logging in, use $redirectTo. Or if you need to decide what to do with the users depending on the roles after logging, you can make use of authenticated() method (add this method if it's not already there, it will overwrite the AuthenticatesUsers trait) inside your AuthController/LoginController.
Throughout your application, I'd suggest assigning middleware to route groups to restrict routes based on user roles. And yes, in your views and controllers you can use something like if(Auth::user()->hasRole('business')) when needed, but first you'll need to create the hasRole() method in your User model. If you feel it's getting complicated, you may try packages like laravel-permission and Entrust. I haven't tried them though :)
I'm building a Laravel site that has multi-tenant capability. Each tenant (which I'll call a "site," as in a physical location, from here on out) can have multiple users, and some users can be associated with multiple sites; hence I have a many-to-many relationship between my sites and users table, with the required intermediate site_user table to handle the relationships. So far so good.
I'm also using Entrust to handle three classes of users - owner, admin, and user. In theory, each user should have roles per site. That means that User 1 may have the admin role on Site A, but only the user role on Site B. If I follow the Entrust docs, I'm told to attach a role to a user. But that won't work for me, because if I associate User 1 with Site A and Site B and make him an admin he would then be an admin for Site A and Site B. Conceptually I feel like the role should be attached to the intermediate site_user table somehow, perhaps as another field on that table, but I'm not sure how I'd retrieve that field. Another possibility that came to mind was putting a many-to-many relationship between that intermediate table and the roles table, in effect creating a role_site_user table, but again I'm not sure how I'd actually retrieve that information. Has anyone ever tried what I'm suggesting and have a good way to generate per-tenant roles and permissions for a user?
since laravel's built in authentication uses user model? For example I want to separate the admin from the user so I will build two different layers in my application, the admin and the user. How can I achieve this to laravel since it's default auth uses users table and user model?
In my opinion, there's no real need to separate the two. Administrators and typical users can exist on the same database table, because they are both users but can have different permissions.
It seems like you're just looking for a typical permissions system (ACL). There's multiple packages available that can help you handle this.
Orchestra Auth
Sentinel
Entrust
Normally as an admin is still an user you give them a role column and let say you have : users, moderators and admins. Then you got role 0,1,2 for them. Just make it an enum and if you need to check in Laravel use : Auth::user()->role == 2 for example of admin rights :)