curly-deni / laravel-permission-model-attributes
Add permission-aware attributes and static checks to Eloquent models using Laravel's authorization policies.
Fund package maintenance!
curly-deni
Requires
- php: ^8.0
- illuminate/contracts: ^10.0||^11.0||^12.0
- illuminate/database: ^10.0||^11.0||^12.0
- illuminate/support: ^10.0||^11.0||^12.0
- spatie/laravel-package-tools: ^1.16
Requires (Dev)
- laravel/pint: ^1.14
README
Laravel Permission Model Attributes adds permission-aware properties to your Eloquent models using native Laravel authorization. It provides a convenient way to check and expose model-level permissions through dynamic attributes like updatable and deletable, based on policies or internal rules.
✨ Features
- ✅ Adds
updatableanddeletablemodel attributes - 🧠 Static permission checks:
create,read,update,delete - 🔐 Seamless integration with Laravel’s native authorization system (policies)
- ⚡ Attribute caching for performance
- 🧩 Optional interface for strict typing
📦 Installation
Install via Composer:
composer require curly-deni/laravel-permission-model-attributes
Publish the config file:
php artisan vendor:publish --tag="permission-model-attributes-config"
⚙️ Configuration
return [ 'create' => true, 'update' => true, 'delete' => true, 'read' => false, ];
Each flag enables permission checks for the corresponding action:
| Key | Description |
|---|---|
| create | Enables permission check via create() policy method |
| read | Enables permission check via read() policy method |
| update | Enables permission check via update() policy method |
| delete | Enables permission check via delete() policy method |
✅ Only the enabled actions will be checked. If disabled, permission checks are skipped entirely.
🛡 Policy Integration
The package automatically uses Laravel’s policy system. You must define policy methods only for the enabled actions.
✏ Define Policy Methods
class PostPolicy { public function create(User $user) { return $user->hasPermission('create-posts'); } public function update(User $user, Post $post) { return $user->id === $post->user_id; } public function delete(User $user, Post $post) { return $user->id === $post->user_id; } public function read(User $user) { return $user->hasPermission('read-posts'); } }
⚠️ Note: The
read()method accepts only theUserobject — no model instance is passed.
🚀 Usage
1. Add the Trait
use Aesis\PermissionModelAttributes\Traits\HasPermissionAttributes; class Post extends Model { use HasPermissionAttributes; }
2. (Optional) Implement the Interface
use Aesis\PermissionModelAttributes\Contracts\PermissionAttributes; class Post extends Model implements PermissionAttributes { use HasPermissionAttributes; }
3. Access in Code
$post = Post::find(1); if ($post->updatable) { // show edit button } if (Post::isCreatableStatic()) { // show "New" button }
📘 Trait Reference
| Method / Attribute | Type | Description |
|---|---|---|
updatable |
Attribute (bool) | Returns true if the model can be updated |
deletable |
Attribute (bool) | Returns true if the model can be deleted |
isUpdatable() |
Method | Instance-level permission check for update |
isDeletable() |
Method | Instance-level permission check for delete |
isCreatableStatic() |
Static | Class-level permission check for create |
isReadableStatic() |
Static | Class-level permission check for read |
isUpdatableStatic() |
Static | Class-level permission check for update |
isDeletableStatic() |
Static | Class-level permission check for delete |
👤 Author
📝 License
This package is open-sourced software licensed under the MIT license.