Spatie Laravel Permission: Example Project Review

Captions
Hello guys, today we are reviewing a package, a really popular package called Laravel Permission by Spatie, and we will review it based on the example of another open source project, Mealing, which I started reviewing earlier this week. And without further ado, let's get into it.

First, a quick overview: why would you need Laravel Permission instead of default Laravel features? In default Laravel you define the gates, so Gate define, you do it somewhere, for example in a service provider, and then you authorize a specific user, for example like this: if Gate allows or not allows or something like that. Laravel Permissions package allows you to define the gates immediately like this, and they will be stored in the database, so you don't need any service providers or any storage for the gates. The gates would be automatically created when you use this syntax, which is more readable. So you give permission to a user, you assign a role to a user, or you want to give permission to a specific role. So you can use this package for roles only or for permissions, so there are kind of layers for the authorizations. You can use like admin or simple user and just check which user it is, or you can go deeper into permissions for certain objects, like managing posts or managing projects, or even within the same object you can allow some user to create projects but not to delete those. But generally you can use Spatie permissions for both: only roles, or roles with permissions.

Installation of the package is very simple. You just do composer require, then you optionally may publish the provider, but you should publish, what you have to do is publish the migrations and then run the migrations, here artisan migrate. Then it creates such tables. I will open my database. So users, it doesn't change anything here, but there is model_has_permissions, model_has_roles, and here we have polymorphic relations, and also role_has_permissions. So in this case, in this project, I assign a lot of permissions to the roles, and also there are permissions.
So a few tables on top of users. It doesn't change anything in your existing database tables; the package creates its own kind of ecosystem of four tables.

And then in the documentation of basic usage we see that we need to add a trait to our user model, which we did exactly here in this example project, or in fact the author did, it wasn't me, Justin did: HasRoles here and HasRoles here, and that's all you need to do. From here you can assign permissions or roles to the users.

And where do new users get their roles? In the create new user action. Here in this repository Justin uses Laravel Fortify, but it doesn't really matter: wherever you have the registration of the user like this, you can do user assign role, so you just refer to that as a name, without any role id or anything, you just put in "user".

Also there are three seeder files which are important for us, where the permissions get stored. So in the seeder file of permissions seeder, what do we see here? We have an array of permissions, and as you can see each permission has five different sub-permissions, for roles: managing roles, managing users, managing ingredients, meals, comments and allergens. So access is general access to the whole menu item, to the section, and then whether that user can create, show or view, edit or delete the record. And then for each of the permissions we create the permissions in the database manually, and then for user permissions we assign, we give permission to the role. Here the variables are a bit unclear: we create the role, so it should have been role and something like this. We give permissions to the role, not to the specific user. So we do create the role super admin, and we will get to that in a minute. Then we create a role of a simple user and then we assign the permission to that user. So as you can see, user doesn't have permissions for things like user management or role management or permission management, only ingredients and meal and comments, and for ingredients only create. So in other words, whenever the user gets assigned the
role, with that role they have those permissions from permission seeder, these ones.

Then there's also menu permission seeder, which happens a bit later, but I guess it could have been merged into one seeder. So we assign the menu management to the user as well. Role findByName is already a method from the Spatie package, so we find the role. Actually it should have been, again, role: my advice is to name the variables correctly, because otherwise they are misleading a bit. So we give permissions to role.

And then there's a third seeder, which is admin permission seeder, and when reviewing that project I was expecting to find the separate permissions for the admin, but there's only permission create for admin access, that's it. So how does admin get the access? And here we will have an interesting hack around Laravel gates, kind of overriding them. So while reviewing this project I found that admin access is never actually used anywhere, so probably the author changed their mind about using that. And instead, if we go to permission seeder, there's an interesting comment: "gets all permission via Gate before rule in auth service provider". And I would have kind of missed that comment, I saw that pretty accidentally.

And then let's see what's inside of that auth service provider. So we create the role for super admin, but where does it get the permissions? Auth service provider. And if we go to the boot method, this is the most important: Gate before. So we're overriding any gate, so Gate denies or Gate allows is overridden by this. So before checking any gate we check the user with ability, which is any ability. If the user has a role of super admin, we return any permission to true: any gate, any ability, whatever management, if it's super admin he has access to everything, to any permission. Otherwise, if it's not admin, then it's null, and then basically Gate before just is ignored and then the regular permission system takes place, the one that we have just reviewed. So it's an interesting hack how to override any permission
or grant any permission to a certain role or even a certain user. So for example you can do something like that, I wouldn't advise it, but you can assign full permission to a separate user id or user name or user email or whatever.

And finally we get to how to check the permissions. Laravel Permission package by Spatie is another layer on top of default Laravel behavior, so although you're using the package syntax like givePermissionTo or assignRole, under the hood it is saved in the gates, and then you can use the gate functionality from default Laravel, like for example Gate denies, or you can use can, user can, or Blade directive @can. So default Laravel syntax, just the permissions are saved in the database. So here's an example of abort_if: so if Gate denies, so if true, then abort_if with 403. And there's a shorter way, even shorter way how to do that: you can just put this authorize in the controller, allergen access, so a bit shorter, which would perform basically the same thing. So authorize, it would check the permission with the Spatie package, and if it doesn't come through then it would throw a 403 forbidden error.

And that's basically all you need to know about the Spatie permission package. Of course you can dig deeper and read the documentation, but if you want to learn more about general roles and permissions in Laravel, so gates and policies and how it all works, I have a separate video, a pretty recent video, but it went pretty popular with 25,000 views, so I advise you to watch that and I will link that in the description below. And also a thing to read: a really long time ago, almost four years now, I've written an article on Laravel News, but it's still pretty irrelevant, about the alternative for Laravel permissions by Spatie. There's also a Bouncer package, and maybe there are more, but those two are probably the most popular in the Laravel community, so you can check out Bouncer as well, it's also popular, supported and well done by Joseph Silber. And if you want more daily videos like this one
on this channel, you can subscribe to the channel and support the channel financially by checking out one of the three products that you can see on the screen: Quick Admin Panel generator, Laravel Livewire kit set of components, or one of my courses on Teachable, which is currently 19 courses at the moment. See you guys in other videos.
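The super admin override described in the captions depends on the order in which a gate check is evaluated, so here is an added example (not code from the video or from the reviewed project) that models that order in plain PHP. `MiniGate` is a simplified stand-in written for this example, not Laravel's `Gate` class, and the role and permission names are constructed sample data.

```php
<?php
// Simplified stand-in for Laravel's Gate, written for this example only.
final class MiniGate
{
    /** @var callable[] */
    private array $before = [];

    public function __construct(private array $rolePermissions) {}

    public function before(callable $callback): void
    {
        $this->before[] = $callback;
    }

    // "before" callbacks run first and the first non-null answer wins.
    // Only a null result falls through to the permissions stored per role.
    public function allows(array $user, string $ability): bool
    {
        foreach ($this->before as $callback) {
            $result = $callback($user, $ability);
            if ($result !== null) {
                return (bool) $result;
            }
        }
        foreach ($user['roles'] as $role) {
            if (in_array($ability, $this->rolePermissions[$role] ?? [], true)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample data: these names are illustrative assumptions.
$permissions = ['user' => ['ingredient_create', 'meal_access']];
$admin  = ['roles' => ['super admin']];
$member = ['roles' => ['user']];
$isSuperAdmin = fn (array $u): bool => in_array('super admin', $u['roles'], true);

// As described in the video: true for super admin, null for everyone else.
$good = new MiniGate($permissions);
$good->before(fn ($u, $ability) => $isSuperAdmin($u) ? true : null);

// Common mistake: returning false instead of null short-circuits every check.
$bad = new MiniGate($permissions);
$bad->before(fn ($u, $ability) => $isSuperAdmin($u));

var_dump($good->allows($admin, 'user_delete'));        // super admin bypass
var_dump($good->allows($member, 'ingredient_create')); // decided by the role
var_dump($good->allows($member, 'user_delete'));       // never granted to "user"
var_dump($bad->allows($member, 'ingredient_create'));  // role grant never reached
```

Because the bypass answers before any stored permission is consulted, a review of who can do what has to include every role or user named in a `before` callback, not only the rows in the permission tables.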
Info
Channel: Laravel Daily
Views: 14,794
Id: NgToi0uiMNQ
Length: 9min 1sec (541 seconds)
Published: Fri Jul 02 2021