I was always confused about roles and permissions in Laravel. I ran into several issues along the way, so I thought I would write something up, since it would help me too. The most popular way of implementing roles and permissions is the Laravel Permission package by Spatie. It is a great package and most people are likely to use it. I wanted to understand how things work underneath, so I tried it with Gate and Policy, which is one of my favourite features of Laravel. We are using an API here, so if you don't know how to authenticate APIs in Laravel using Sanctum, please read my post "Making API CRUD (Create, Read, Update, Delete) with Laravel 8 and API Authentication with Sanctum" to learn things like generating tokens, authentication and authorization.
1. At first, let's create a User-Roles model relationship
At first we will create a one-to-many relation between Roles and Users.
First create a model, factory, migration, seeder and controller for Role:
php artisan make:model Role -fms
This creates the factory, migration and seeder too.
For Users let's just make a resource controller:
php artisan make:controller UserController --resource
The User migration and model are provided by default, so now let's create a Role controller:
php artisan make:controller RoleController --resource
One to Many Relations
Here a Role hasMany Users and a User belongsTo a Role.
In Role.php
In User.php
Note carefully: in the migrations folder, keep the Role migration above the User migration, so that the roles table exists before the users table's role_id column references it.
Role Migrations
This is how your Role migrations would look like
User Migrations
This is how your User migrations would look like
Run php artisan migrate
2. Now let's create some dummy data with RoleSeeder
Go to database/seeders/RoleSeeder.php
If you don't find one, you have not created the seeder yet; don't worry, run php artisan make:seeder RoleSeeder
Here we will have 3 roles:
1. Super Admin
2. Author
3. Editor
Now run only the RoleSeeder:
php artisan db:seed --class=RoleSeeder
This is the way to run only a specific seeder.
If you have done everything correct you will see
You can also check your database it will appear like this
If you are using anything else there will be a different view. So now we have our roles.
3. Register Users with Roles
I am showing here the controllers for both Login and Register.
So create an AuthController and also a RegisterRequest:
php artisan make:request RegisterRequest
RegisterRequest
Here, return true from the authorize() method in RegisterRequest.
In AuthController
Login method
LoginRequest
4. Register a User
At first let us register an Admin
So here we already registered an admin.
Now let us register an Author
Now let us register an Editor
Here we see that by assigning different role_id values we have created 3 users with 3 roles.
5. User Creation Permission with Gate
Here we will create some permissions with the help of Gate. If you don't know about Gate, please read a bit about Gates in the Laravel documentation.
i. Only Super Admin can create a user
Here, at first in api.php,
we need to change the register route a bit:
Route::post('/register', [AuthController::class, 'register'])->middleware('auth:sanctum');
In AuthServiceProvider.php
Here only a user with role_id 1 can create a user.
AuthController.php
Here we can write
The Sanctum middleware was not included earlier because we needed to create the first user.
Let's login with the Super Admin credentials and generate a token.
In the Authorization tab of the register request in Postman we need to select Bearer Token
and just copy and paste the token.
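The gate and the controller check described above, as an added example (not the post's own code). The gate name 'manage-users' is an assumption; the post says the same gate is reused for deleting users in 5.ii, and the role_id 1 = Super Admin mapping follows the RoleSeeder order above.

```php
<?php
// Added example, not the post's own code. Gate name 'manage-users' is assumed;
// role_id 1 = Super Admin as seeded by the RoleSeeder above.
// ---- app/Providers/AuthServiceProvider.php ----
namespace App\Providers;

use App\Models\User;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();

        // The closure runs only for an authenticated user: with auth:sanctum on the
        // route, a missing or invalid token is rejected earlier with 401 Unauthenticated.
        Gate::define('manage-users', function (User $user) {
            return (int) $user->role_id === 1;
        });
    }
}

// ---- app/Http/Controllers/AuthController.php (register method only) ----
namespace App\Http\Controllers;

use App\Http\Requests\RegisterRequest;
use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Hash;

class AuthController extends Controller
{
    public function register(RegisterRequest $request)
    {
        // Throws AuthorizationException (rendered as 403 "This action is unauthorized.")
        // for any caller whose role_id is not 1, before any user row is written.
        Gate::authorize('manage-users');

        $user = User::create([
            'name'     => $request->name,
            'email'    => $request->email,
            'password' => Hash::make($request->password),
            'role_id'  => $request->role_id, // must be listed in User::$fillable
        ]);

        return response()->json(['user' => $user], 201);
    }
}
```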
Body of postman
In case of no token
it shows Unauthenticated.
Logging out with Token
Logging in as an author and trying to create a user
Now let's login as an Author.
We see here that a token is generated.
With the same token, when we try to create a user:
Body of request
Showing token
So here we can see that nobody without the Super Admin role_id can create a user. While trying, it shows unauthorized.
ii. Only Admin can delete a user
In the same way, only an admin can delete a User.
We need to make a User resource controller:
php artisan make:controller UserController --resource
In api.php
In UserController.php
We are using the same gate as we did with
When we try to delete as the author
it shows unauthorized.
Login as admin and generate a new token
Using the token to delete a user
So we can see that a user can only be deleted by an admin.
5. Create, edit, delete posts
So we will create Posts and provide permissions based on roles.
Make Controller and Model
php artisan make:model Post -mc
php artisan make:request PostRequest
In PostRequest.php
One-to-many relation between User and Posts
In User.php
In Post.php
Migrations
PostRequest.php
6. Permissions to create, edit and delete posts
i. Only Admin and Author can create posts
In AuthServiceProvider.php
PostController.php
Admin sending a create request
It's created.
Let's logout and create a new post as the Author.
Token generated for the Author
Post created by the Author
Post successfully created.
Let's logout and try to create a post as the Editor.
Token created for the Editor
Creating a post as the Editor
The Editor can't create a post; it says unauthorized.
ii. Editor and Admin can edit all posts, Author can only edit his own post
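The post gates for 6.i (create) and 6.ii (edit), as one added example that is not the post's own code. The gate names 'create-post' and 'edit-post' are assumptions, as is the mapping role_id 1 = Super Admin, 2 = Author, 3 = Editor (the RoleSeeder order above); the ownership check uses Eloquent's default user_id foreign key on posts.

```php
<?php
// Added example, not the post's own code. Gate names and the role_id mapping
// (1 = Super Admin, 2 = Author, 3 = Editor, per RoleSeeder order) are assumptions.
// ---- app/Providers/AuthServiceProvider.php ----
namespace App\Providers;

use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();
        // 6.i: only Super Admin (1) and Author (2) may create posts; the Editor gets 403.
        Gate::define('create-post', function (User $user) {
            return in_array((int) $user->role_id, [1, 2], true);
        });
        // 6.ii: Super Admin (1) and Editor (3) may edit any post; an Author (2) only a post
        // whose user_id matches their id. The check runs on the Post row loaded from the
        // database, never on an owner id supplied by the client.
        Gate::define('edit-post', function (User $user, Post $post) {
            $role = (int) $user->role_id;
            return in_array($role, [1, 3], true)
                || ($role === 2 && (int) $post->user_id === (int) $user->id);
        });
    }
}

// ---- app/Http/Controllers/PostController.php (store and update only) ----
namespace App\Http\Controllers;

use App\Http\Requests\PostRequest;
use App\Models\Post;
use Illuminate\Support\Facades\Gate;

class PostController extends Controller
{
    public function store(PostRequest $request)
    {
        Gate::authorize('create-post');
        // Owner comes from the authenticated token via User::posts(), not the request body.
        $post = $request->user()->posts()->create($request->validated());
        return response()->json($post, 201);
    }

    public function update(PostRequest $request, Post $post)
    {
        Gate::authorize('edit-post', $post); // route-bound Post is passed to the gate
        $post->update($request->validated());
        return response()->json($post);
    }
}
```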