adexaja/rbac

Powerful RBAC package for Laravel 5.1

RBAC For Laravel 5.3 Less Model

Powerful package for handling roles and permissions in Laravel 5.3, _(*1)

Based on the Bican/Roles Package., _(*2)

So whats Different?

The difference is how Inheritance work. With Bican/Roles, permissions are inherited based on your highest role level., _(*3)

Instead this package uses a parent_id column to enable roles to be inherited from each other., _(*4)

This enables us to only pull permissions of roles that our users inherits, or that are directly assigned to the user., _(*5)

• Installation
  • Composer
  • Service Provider
  • Config File And Migrations
  • HasRoleAndPermission Trait And Contract
• Usage
  • Roles
    • Creating Roles
    • Attaching And Detaching Roles
    • Deny Roles
    • Checking For Roles
  • Permissions
    • Creating Permissions
    • Attaching And Detaching Permissions
    • Deny Permissions
    • Checking For Permissions
  • Inheritance
  • Entity Check
  • Blade Extensions
  • Middleware
• Config File
• More Information
• License

Installation

This package is very easy to set up. There are only couple of steps., _(*6)

Composer

Pull this package in through Composer (file composer.json)., _(*7)

{
    "require": {
        "php": ">=5.5.9",
        "laravel/framework": "5.1.*",
        "dcn/rbac": "~1.1.0"
    }
}

Run this command inside your terminal., _(*8)

composer update

Service Provider

Add the package to your application service providers in config/app.php file., _(*9)

'providers' => [

    /*
     * Laravel Framework Service Providers...
     */
    Illuminate\Foundation\Providers\ArtisanServiceProvider::class,
    Illuminate\Auth\AuthServiceProvider::class,
    ...

    /**
     * Third Party Service Providers...
     */
    DCN\RBAC\RBACServiceProvider::class,

],

Config File And Migrations

Publish the package config file and migrations to your application. Run these commands inside your terminal., _(*10)

php artisan vendor:publish --provider="DCN\RBAC\RBACServiceProvider" --tag=config
php artisan vendor:publish --provider="DCN\RBAC\RBACServiceProvider" --tag=migrations

And also run migrations., _(*11)

php artisan migrate

There must be created migration file for users table, which is in Laravel out of the box., _(*12)

HasRoleAndPermission Trait And Contract

Include HasRoleAndPermission trait and also implement HasRoleAndPermission contract inside your User model., _(*13)

use DCN\RBAC\Traits\HasRoleAndPermission;
use DCN\RBAC\Contracts\HasRoleAndPermission as HasRoleAndPermissionContract;

class User extends Model implements AuthenticatableContract, CanResetPasswordContract, HasRoleAndPermissionContract
{
    use Authenticatable, CanResetPassword, HasRoleAndPermission;

And that's it!, _(*14)

Usage

Creating Roles

use DCN\RBAC\Models\Role;

$adminRole = Role::create([
    'name' => 'Admin',
    'slug' => 'admin',
    'description' => '', // optional
    'parent_id' => NULL, // optional, set to NULL by default
]);

$moderatorRole = Role::create([
    'name' => 'Forum Moderator',
    'slug' => 'forum.moderator',
]);

Because of Slugable trait, if you make a mistake and for example leave a space in slug parameter, it'll be replaced with a dot automatically, because of str_slug function., _(*15)

Attaching And Detaching Roles

It's really simple. You fetch a user from database and call attachRole method. There is BelongsToMany relationship between User and Role model., _(*16)

use App\User;

$user = User::find($id);

$user->attachRole($adminRole); //you can pass whole object, or just an id

$user->detachRole($adminRole); // in case you want to detach role
$user->detachAllRoles(); // in case you want to detach all roles

Deny Roles

To deny a user a role and all of its children roles, see the following example., _(*17)

We recommend that you plan your roles accordingly if you plan on using this feature. As you could easily lock out users without realizing it., _(*18)

use App\User;

$role = Role::find($roleId);

$user = User::find($userId);
$user->attachRole($role, FALSE); // Deny this role, and all of its decedents to the user regardless of what has been assigned.

Checking For Roles

You can now check if the user has required role., _(*19)

if ($user->roleIs('admin')) { // you can pass an id or slug
    //
}

You can also do this:, _(*20)

if ($user->isAdmin()) {
    //
}

And of course, there is a way to check for multiple roles:, _(*21)

if ($user->roleIs('admin|moderator')) { // or $user->roleIs('admin, moderator') and also $user->roleIs(['admin', 'moderator'])
    // if user has at least one role
}

if ($user->roleIs('admin|moderator', true)) { // or $user->roleIs('admin, moderator', true) and also $user->roleIs(['admin', 'moderator'], true)
    // if user has all roles
}

As well as Wild Cards:, _(*22)

if ($user->roleIs('admin|moderator.*')) { // or $user->roleIs('admin, moderator.*') and also $user->roleIs(['admin', 'moderator.*'])
    //User has admin role, or a moderator role
}

Creating Permissions

It's very simple thanks to Permission model., _(*23)

use DCN\RBAC\Models\Permission;

$createUsersPermission = Permission::create([
    'name' => 'Create users',
    'slug' => 'create.users',
    'description' => '', // optional
]);

$deleteUsersPermission = Permission::create([
    'name' => 'Delete users',
    'slug' => 'delete.users',
]);

Attaching And Detaching Permissions

You can attach permissions to a role or directly to a specific user (and of course detach them as well)., _(*24)

use App\User;
use DCN\RBAC\Models\Role;

$role = Role::find($roleId);
$role->attachPermission($createUsersPermission); // permission attached to a role

$user = User::find($userId);
$user->attachPermission($deleteUsersPermission); // permission attached to a user

$role->detachPermission($createUsersPermission); // in case you want to detach permission
$role->detachAllPermissions(); // in case you want to detach all permissions

$user->detachPermission($deleteUsersPermission);
$user->detachAllPermissions();

Deny Permissions

You can deny a user a permission, or you can deny an entire role a permission., _(*25)

To do this, when attaching a permission simply pass a second parameter of false. This will deny that user that permission regardless of what they are assigned. Denied permissions take precedent over inherited and granted permissions., _(*26)

use App\User;
use DCN\RBAC\Models\Role;

$role = Role::find($roleId);
$role->attachPermission($createUsersPermission, FALSE); // Deny this permission to all users who have or inherit this role.

$user = User::find($userId);
$user->attachPermission($deleteUsersPermission, FALSE); // Deny this permission to this user regardless of what roles they are in.

Checking For Permissions

if ($user->may('create.users') { // you can pass an id or slug
    //
}

if ($user->canDeleteUsers()) {
    //
}

You can check for multiple permissions the same way as roles., _(*27)

Inheritance

If you don't want the inheritance feature in you application, simply ignore the parent_id parameter when you're creating roles., _(*28)

Roles that are assigned a parent_id of another role are automatically inherited when a user is assigned or inherits the parent role., _(*29)

Here is an example:, _(*30)

You have 5 administrative groups. Admins, Store Admins, Store Inventory Managers, Blog Admins, and Blog Writers., _(*31)

The Admins Role is the parent of both Store Admins Role as well as Blog Admins Role., _(*32)

While the Store Admins Role is the parent to Store Inventory Managers Role., _(*33)

And the Blog Admins Role is the parent to Blog Writers., _(*34)

This enables the Admins Role to inherit both Store Inventory Managers Role and Blog Writers Role., _(*35)

But the Store Admins Role only inherits the Store Inventory Managers Role,, _(*36)

And the Blog Admins Role only inherits the Blog Writers Role., _(*37)

Another Example:, _(*38)

Here, admin inherits admin.user, admin.blog, and blog.writer., _(*39)

While admin.user doesn't inherit anything, and admin.blog inherits blog.writer., _(*40)

Nothing inherits development and, development doesn't inherit anything., _(*41)

Entity Check

Let's say you have an article and you want to edit it. This article belongs to a user (there is a column user_id in articles table)., _(*42)

use App\Article;
use DCN\RBAC\Models\Permission;

$editArticlesPermission = Permission::create([
    'name' => 'Edit articles',
    'slug' => 'edit.articles',
    'model' => 'App\Article',
]);

$user->attachPermission($editArticlesPermission);

$article = Article::find(1);

if ($user->allowed('edit.articles', $article)) { // $user->allowedEditArticles($article)
    //
}

This condition checks if the current user is the owner of article. If not, it will be looking inside user permissions for a row we created before., _(*43)

if ($user->allowed('edit.articles', $article, false)) { // now owner check is disabled
    //
}

Blade Extensions

There are three Blade extensions. Basically, it is replacement for classic if statements., _(*44)

@role('admin') // @if(Auth::check() && Auth::user()->roleIs('admin'))
    // user is admin
@endrole

@permission('edit.articles') // @if(Auth::check() && Auth::user()->may('edit.articles'))
    // user can edit articles
@endpermission

@allowed('edit', $article) // @if(Auth::check() && Auth::user()->allowed('edit', $article))
    // show edit button
@endallowed

@role('admin|moderator', 'all') // @if(Auth::check() && Auth::user()->roleIs('admin|moderator', 'all'))
    // user is admin and also moderator
@else
    // something else
@endrole

Middleware

This package comes with VerifyRole and VerifyPermission middleware. You must add them inside your app/Http/Kernel.php file., _(*45)

/**
 * The application's route middleware.
 *
 * @var array
 */
protected $routeMiddleware = [
    'auth' => \App\Http\Middleware\Authenticate::class,
    'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
    'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
    'role' => \DCN\RBAC\Middleware\VerifyRole::class,
    'permission' => \DCN\RBAC\Middleware\VerifyPermission::class,
];

Now you can easily protect your routes., _(*46)

$router->get('/example', [
    'as' => 'example',
    'middleware' => 'role:admin',
    'uses' => 'ExampleController@index',
]);

$router->post('/example', [
    'as' => 'example',
    'middleware' => 'permission:edit.articles',
    'uses' => 'ExampleController@index',
]);

It throws \DCN\RBAC\Exception\RoleDeniedException or \DCN\RBAC\Exception\PermissionDeniedException exceptions if it goes wrong., _(*47)

You can catch these exceptions inside app/Exceptions/Handler.php file and do whatever you want., _(*48)

/**
 * Render an exception into an HTTP response.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Exception  $e
 * @return \Illuminate\Http\Response
 */
public function render($request, Exception $e)
{
    if ($e instanceof \DCN\RBAC\Exceptions\RoleDeniedException) {
        // you can for example flash message, redirect...
        return redirect()->back();
    }

    return parent::render($request, $e);
}

Config File

You can change connection for models, slug separator, models path and there is also a handy pretend feature. Have a look at config file for more information., _(*49)

More Information

This project is based on Bican/Roles., _(*50)

License

This package is free software distributed under the terms of the MIT license., _(*51)

I don't care what you do with it., _(*52)

Contribute

I honestly don't know what I'm doing. If you see something that could be fixed. Make a pull request on the develop branch!., _(*53)