This package is abandoned and no longer maintained. The author suggests using the spatie/laravel-permission package instead.

Eloquent Guardian is a simple permissions system for your users. While there are many other packages for permissions, this one solves everything in the most eloquent way.

1.5.1 2019-03-01 09:16 UTC

This package is auto-updated.

Last update: 2021-02-27 11:13:57 UTC


Build Status codecov StyleCI Latest Stable Version Total Downloads Monthly Downloads License


This package is no longer maintained

Migrate to the other existing permissions packages that bring rich-features like Roles:

Eloquent Guardian

Eloquent Guardian is a simple permissions system for your users. While there are many other packages for permissions, this one solves everything in the most eloquent way.


Install the package:

$ composer require rennokki/guardian

If your Laravel version does not support package discovery, add this line in the providers array in your config/app.php file:


Publish the config file & migration files:

$ php artisan vendor:publish

Migrate the database:

$ php artisan migrate

Add the HasPermissions trait to your Eloquent model:

use Rennokki\Guardian\Traits\HasPermissions;

class User extends Model {
    use HasPermissions;

Types of permissions

  • String Type is just a string, it's not related to any model. It is good for permissions that holds accessing abilities or features.
  • Global Type is related to a model, but not to a specific one. It can control any model with any ID if set.
$user->allow('edit', Post::class);
  • Global Specific Type is related to a specific model. It cannot control any other model than this specific one.
$user->allow('edit', App\Post::class, 'post_id_here');

Checking permissions

You can check permissions within the model using can(), cannot() or cant().

$user->cant('sell.products'); // alias to cannot()

If your user has a permission for an action on a model, it will have access to any model passed with any ID.

$user->allow('view', \App\Flight::class);
$user->can('view', \App\Flight::class, 1); // true, can view flight with ID 1

Allowing and Unprohibiting permissions

Allowing or Unprohibiting produces a grant access to that permission.

$user->unprohibit('cloning'); // same as allow

Disallowing and Prohibiting permissions

Disallowing or Prohibiting permissions can be done whenever. The result will always be the same: a denied access.

$user->prohibit('commenting'); // same as disallow

Global Type over Specific Type

Let's say you have a Post class and the user is only allowed to edit or delete only his own posts. Using this way, whenever you check for a Global Type, it will return false, but not if you check for Specific Type.

$user->allow('edit', Post::class, 'his_post_id');
$user->allow('delete', Post::class, 'his_post_id');

$user->can('edit', Post::class); // false
$user->can('edit', Post::class, 'his_post_id'); // true

If you allow the user to edit the Post::class, it will be able to edit any class, with any ID.

$user->allow('edit', Post::class);
$user->can('edit', Post::class, 1); // true


You can use the methods within the model as-is, or you can use a middleware to filter permissions for the current authenticated user.

For this, you should add the middleware to your $routeMiddleware array from app\Http\Kernel.php

'guardian' => \Rennokki\Guardian\Middleware\CheckPermission::class,

You can use it in your routes to filter permissions automatically and throw specific exceptions when something occurs.

  • String Middleware
Route::get('/admin', 'AdminController@ControlPanel')->middleware('guardian:access.dashboard');
  • Global Type
Route::post('/admin/products', 'AdminController@CreateProduct')->middleware('guardian:create,App\Product');
  • Global Specific Type
Route::patch('/admin/{post_id}', 'AdminController@EditPost')->middleware('guardian:edit,App\Post,post_id');

Note: Instead of putting a specific Post ID, you have just to indicate where the ID of that model will be placed in the route URL.

  • Rennokki\Guardian\Exceptions\PermissionException, if the authenticated user doesn't have permissions.
  • Rennokki\Guardian\Exceptions\RouteException, if the passed route parameter is non-existent.

You can access permission(), modelType() and modelIdPlaceholder() methods within the exception to handle your exception further.