A package to help you write expressive defensive code in a functional manner

v2.2.57 2023-12-10 22:32 UTC



Readability Counts. In fact, Readability is the primary value of your code !!!

Quality Score code coverage Maintainability Imports Test StyleCI Latest Stable Version Daily Downloads Total Downloads Awesome Laravel Software License

🎀 Heyman continues where the other role-permission packages left off...

We have used CDD (Creativity Driven Development) alongside the TDD

Built with ❤️ for every smart laravel developer

Very well-tested, optimized, and production-ready!

We have tackled a lot of complexity behind the scenes, to provide you with a lot of simplicity.


composer require imanghafoori/laravel-heyman


  • PHP v7.0 or above
  • Laravel v5.1 or above


Here you can see a good example at:

Specially this file:

This is fork from result of tutorial series refactored to use the Heyman package.

Heyman, let's fight off zombies


Zombie Http Request =>


<= Laravel Heyman

A story:

Imagine your boss comes to you and says :

 Hey man !!!
 When you visit the login form,
 You should be guest,
 Otherwise you get redirected to '/panel',

Write the code for me, just now... But KEEP IN MIND you are not allowed to touch the current code. it is very sensitive and we do not want you to tamper with it. You may break it.

And you write code like this in a Service Provider boot method to implement what your boss wanted.


That is what this package does for you + a lot more...

Customizable Syntax:

You can alias methods like this if you do not like too much verbose syntax provided by default.

  • Alias Situations (ex. whenYouMakeView to view)
  • Alias Conditions (ex. youShouldBeGuest to beGuest)

You should do it in the boot method.

alias methods

Structural Benefits:

1- This way you can fully decouple authorization and a lot of guarding code from the rest of your application code and put it in an other place. So your Controllers and Routes become less crowded and you will have a central place where you limit the access of users to your application or perform Request validation.

2- In fact, when you write your code in the way, you are conforming to the famous "Tell don't ask principle."

You are telling the framework what to do in certain situations rather than getting information and decide what to do then.

Procedural code gets information then makes decisions. Object-oriented code tells objects to do things. — Alec Sharp

3- This approach is particularly useful when you for example write a package which needs ACL but you want to allow your package users to override and apply they own ACL (or validation) rules into your package routes...

And that becomes possible when you use laravel-HeyMan for ACL. The users can easily cancel out the default rules and re-write their favorite acl or validation stuff in a regular ServiceProviders.

Hey Man, that is Amazing stuff!

// This is written in package and lives in vendor folder, So we can not touch it.

To override that we use the forget method, within app/Providers/... :

public function boot() {
  // Cancels out the current rules
   // Add new rules by package user.
   HeyMan::whenYouHitRouteName('myPackageRoute')-> ... 

Hey Man, Should I Momorize all the Methods?!

You do not need any cheat sheet.

IDE Auto-completion is fully supported.


Hey Man, Where do I put these Heyman:: calls?

You may put them in AuthServiceProvider.php (or any other service provider) boot method.



You should call the following method of the HeyMan Facade class.

use Imanghafoori\HeyMan\Facades\HeyMan;
// or
use HeyMan;  // <--- alias

Again we recommend visiting this file:

Working heyman sample rules


HeyMan::  (situation) ->   (condition)   -> otherwise() -> (reaction) ;

1- Url is matched

HeyMan::whenYouVisitUrl(['/welcome', '/home'])->...   // you can pass an Array
HeyMan::whenYouVisitUrl('/admin/*')->...     // or match by wildcard
HeyMan::whenYouSendPost('/article/store')->   ...   
HeyMan::whenYouSendPatch('/article/edit')->  ...  
HeyMan::whenYouSendPut('/article/edit')->    ...     
HeyMan::whenYouSendDelete('/article/delete')-> ...

2- Route Name is matched

HeyMan::whenYouHitRouteName('')->...              // For route names
HeyMan::whenYouHitRouteName('welcome.*')->...                 // or match by wildcard

3- Controller Action is about to Call

HeyMan::whenYouCallAction('HomeController@*')->...          // or match by wildcard

4- A View file is about to render

 HeyMan::whenYouMakeView('article.editForm')->...     // also accepts an array
 HeyMan::whenYouMakeView('article.*')->...            // You can watch a group of views

Actually it refers to the moment when view('article.editForm') is executed.

5- Custom Event is Fired


Actually it refers to the moment when event('myEvent') is executed.

6- An Eloquent Model is about to save


Actually it refers to the moment when eloquent fires it's internal events like: (saving, deleting, creating, ...)

Note that the saving model is passed to the Gate of callback in the next chain call. so for example you can check the ID of the model which is saving.


HeyMan::  (situation) ->   (condition)   -> otherwise() -> (reaction) ;

After mentioning the situation, it is time to mention the condition.

1- Gates:

// define Gate
Gate::define('hasRole', function(){...});

Then you can use the gate:

HeyMan::whenYouVisitUrl('/home')->thisGateShouldAllow('hasRole', 'editor')->otherwise()->...;

Passing a Closure as a Gate:

$gate = function($user, $role) {
    /// some logic
    return true;
HeyMan::whenYouVisitUrl('/home')->thisGateShouldAllow($gate, 'editor')->otherwise()->...;

2- Authentication stuff:

HeyMan::whenYouVisitUrl('/home')->  youShouldBeGuest()    ->otherwise()->...;
HeyMan::whenYouVisitUrl('/home')->  youShouldBeLoggedIn() ->otherwise()->...;

3- Checking A Closure or Method or Value:

HeyMan::whenYouVisitUrl('home')->thisMethodShouldAllow('someClass@someMethod', ['param1' => 'value1'])->otherwise()->...;
HeyMan::whenYouVisitUrl('home')->thisClosureShouldAllow( function($a) { ... }, ['param1'] )  ->otherwise()->...;
HeyMan::whenYouVisitUrl('home')->thisValueShouldAllow( $someValue )->otherwise()->...;

4- Validate Requests:

    'title' => 'required', 'body' => 'required',

You can also modify the data before validation by calling beforeValidationModifyData().

$modifier = function ($data) {
  // removes "@" character from the "name" before validation.
  $data['name'] = str_replace('@', '', $data['name']);
  return $data;

        ->yourRequestShouldBeValid(['name' => 'required'])

5- Check points:

You can also declare some check points somewhere, within your application code:


And put some rules for it

HeyMan::whenYouReachCheckPoint('MyLane')->youShouldHaveRole('Zombie')-> ...
HeyMan::whenYouVisitUrl('home')->always()-> ...

Other things:

You can also use "always" and "sessionShouldHave" methods:

HeyMan::whenYouVisitUrl('home')->always()-> ...

Define your own conditions:

You can extend the conditions and introduce new methods into heyman API like this:

// Place this code:
// In the `boot` method of your service providers

HeyMan::condition('youShouldBeMan', function () {
   return function () {
       return auth()->user() && auth()->user()->gender === 'Man';

// or 

HeyMan::condition('youShouldBeMan', '\App\SomeWhere\SomeClass@someMethod');

Then you can use it like this:

HeyMan::whenYouVisitUrl('home')->youShouldBeMan()-> ...

Nice, isn't it ?!


HeyMan::  (situation) ->   (condition)   -> otherwise() -> (reaction) ;

1- Deny Access:

HeyMan::whenSaving(\App\User::class)->thisGateShouldAllow('hasRole', 'editor')->otherwise()->weDenyAccess();

An AuthorizationException will be thrown if needed

2- Redirect:

HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->redirect()->to(...)     ->with([...]);
HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->redirect()->route(...)  ->withErrors(...);
HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->redirect()->action(...) ->withInput(...);
HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->redirect()->intended(...);
HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->redirect()->guest(...);

In fact the redirect method here is very much like the laravel's redirect() helper function.

3- Throw Exception:

$msg = 'My Message';

    ->weThrowNew(AuthorizationException::class, $msg);

4- Abort:

HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->abort(...);

5- Send Response:

Calling these functions generate exact same response as calling them on the response() helper function: return response()->json(...);

HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->response()->json(...);
HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->response()->view(...);
HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->response()->jsonp(...);
HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->response()->make(...);
HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->response()->download(...);

6- Send custom response:

namespace App\Http\Responses;

class Authentication
    public function guestsOnly()
        if (request()->expectsJson()) {
            return response()->json(['error' => 'Unauthenticated.'], 401);

        return redirect()->guest(route('login'));

Hey man, You see ? we have just an Http response here. So our controllers are free to handle the right situaltions and do not worry about exceptional ones.

More Advanced Reactions:

Hey man, You may want to call some method or fire an event right before you send the response back. You can do so by afterCalling() and afterFiringEvent() methods.

HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->afterFiringEvent('explode')->response()->json(...);
HeyMan::whenYouVisitUrl('/login')-> ... ->otherwise()->afterCalling('someclass@method1')->response()->json(...);

Disabling Heyman:

You can disable HeyMan checks like this (useful while testing):



/// You may save some eloquent models here...
/// without limitations from HeyMan rules.


🙋 Contributing:

If you find an issue, or have a better way to do something, feel free to open an issue or a pull request.

⭐ Your Stars Make Us Do More ⭐

As always if you found this package useful and you want to encourage us to maintain and work on it. Just press the star button to declare your willing.

Star History

Star History Chart

More from the author:

Laravel Widgetize

💎 A minimal yet powerful package to give a better structure and caching opportunity for your laravel apps.

Laravel Terminator

💎 A minimal yet powerful package to give you opportunity to refactor your controllers.

Laravel AnyPass

💎 It allows you login with any password in local environment only.

Laravel Microscope

💎 It automatically checks your laravel application (new)

Great spirits have always encountered violent opposition from mediocre minds.

"Albert Einstein"