smart-crowd / laravel-rbac
Laravel RBAC implementation.
Installs: 1 254
Dependents: 0
Suggesters: 0
Security: 0
Stars: 15
Watchers: 12
Forks: 8
Open Issues: 1
Requires
- illuminate/container: 5.1.*
- illuminate/support: 5.1.*
Requires (Dev)
- orchestra/testbench: ~3.0
- phpunit/phpunit: ~4.0
This package is not auto-updated.
Last update: 2024-10-26 18:12:08 UTC
README
Laravel 5 RBAC implementation
Package was inspired by RBAC module from Yii Framework
Installation
-
Run
composer require "smart-crowd/laravel-rbac":"dev-master"
-
Add service provider and facade into
/config/app.php
file.'providers' => [ ... SmartCrowd\Rbac\RbacServiceProvider::class, ], ... 'aliases' => [ ... 'Rbac' => 'SmartCrowd\Rbac\Facades\Rbac' ]
-
Publish package configs
php artisan vendor:publish
-
Implement
Assignable
contract in your user model. And useAllowedTrait
.use SmartCrowd\Rbac\Traits\AllowedTrait; use SmartCrowd\Rbac\Contracts\Assignable; class User extends Model implements Assignable { use AllowedTrait; /** * Should return array of permissions and roles names, * assigned to user. * * @return array Array of user assignments. */ public function getAssignments() { // your implementation here } ... }
Usage
-
Describe you permissions in
/Rbac/items.php
-
Use inline in code
if (Auth::user()->allowed('article.delete', ['article' => $article])) { // user has access to 'somePermission.name' permission }
-
Or in middleware
Route::delete('/articles/{article}', [ 'middleware' => 'rbac:article.delete', 'uses' => 'ArticlesController@delete' ]);
Of course, don't forget to register middleware in
/Http/Kernel.php
fileprotected $routeMiddleware = [ ... 'rbac' => 'SmartCrowd\Rbac\Middleware\RbacMiddleware', ];
To use route parameters in business rules as models instead just ids, you should bind it in
RouteServicePrivider.php
:public function boot(Router $router) { //... $router->model('article', '\App\Article'); parent::boot($router); }
There are 3 ways to bind permission name to action name:
- middleware paramenter
- bind they directelly in
/Rbac/actions.php
file - name permission like action, for example
article.edit
forArticleController@edit
action
-
Or in your views
@allowed('article.edit', ['article' => $article]) <a href="{{ route('edit', ['article' => $article]) }}">edit</a> @else <span>You can not edit this article</span> @endallowed
If
rbac.shortDirectives
option are enabled, you can use shorter forms of directives, like this:@allowedArticleEdit(['article' => $article]) {{ $some }} @endallowed @allowedIndex {{ $some }} @endallowed
Context Roles
In some cases, you may want to have dynamically assigned roles. For example, the role groupModerator
is dynamic, because depending on the current group, the current user may have this role, or may not have. In our terminology, this role are "Context Role", and current group is "Role Context". The context decides which additional context roles will be assigned to the current user. In our case, Group
model should implement RbacContext
interface, and method getAssignments($user)
.
When checking is enough to send context model among other parameters:
@allowed('group.post.delete', ['post' => $post, 'group' => $group]) // or $post->group post delete button @endallowed
But for automatic route check in middleware we usually send only post without group:
Route::delete('/post/{post}', [ 'middleware' => 'rbac:group.post.delete', 'uses' => 'PostController@delete' ]);
For this case you can implement RbacContextAccesor
intarface by Post
model. getContext()
method should return Group
model. Then you just have to send only the post, and context roles will be applied in middleware to:
@allowed('group.post.delete', ['post' => $post]) post delete button @endallowed
You can not do that, if you send context with subject:
Route::delete('/group/{group}/post/{post}', [ 'middleware' => 'rbac:group.post.delete', 'uses' => 'PostController@delete' ]);