Laravel is a popular PHP web framework that provides developers with a comprehensive set of tools for building web applications. One of the key features of Laravel is its authentication system, which allows developers to easily implement user authentication and authorization in their applications.

Role-based access control (RBAC) is a popular approach to managing access to resources in web applications. RBAC allows developers to define roles that correspond to different levels of access, and assign those roles to users based on their job function or other criteria. Laravel provides a powerful RBAC system out of the box, which makes it easy to manage access to your application's resources.

Defining Guards

In Laravel, guards define how users are authenticated for each request. By default, Laravel provides a guard named 'web' that authenticates users based on sessions.

To create a guard for a different user role, you need to define a new guard in the config/auth.php file. For example, to create a guard for an administrator role, you can add the following code:

'guards' => [
   // config/auth.php: add this entry next to the default 'web' guard
   'admin' => [
       'driver' => 'session',
       'provider' => 'admins',
   ],
],

For the sub-administrator role, add a second entry to the same 'guards' array:

'guards' => [
   'subadmin' => [
       'driver' => 'session',
       'provider' => 'subadmins',
   ],
],

This defines a new guard named 'subadmin' that uses sessions to authenticate users and uses the 'subadmins' provider to retrieve user information.

Defining Providers

Next, you need to define a provider for each guard. Providers define how user information is retrieved for authentication. Like guards, providers are added in the config/auth.php file. To define a new provider for admins, you can add the following code:

'providers' => [
   'admins' => [
       'driver' => 'eloquent',
       'model' => App\Models\Admin::class,
   ],
],

This defines a new provider named 'admins' that uses Eloquent to retrieve user information from the App\Models\Admin model.

Similarly, you can define a new provider for sub-admins as follows:

'providers' => [
   'subadmins' => [
       'driver' => 'eloquent',
       'model' => App\Models\SubAdmin::class,
   ],
],

This defines a new provider named 'subadmins' that uses Eloquent to retrieve user information from the App\Models\SubAdmin model.

Once you have defined guards and providers, you can use them in your controllers to restrict access to specific routes. For example, to restrict access to a route to admins, you can add the following code to your controller:

namespace App\Http\Controllers;

use Illuminate\Support\Facades\Auth;

class AdminController extends Controller
{
   public function index()
   {
       // Allow the request only if a user is logged in through the 'admin' guard
       if (Auth::guard('admin')->check()) {
           return view('admin.dashboard');
       }

       abort(403, 'Unauthorized access.');
   }
}

This code uses the Auth::guard('admin')->check() method to check if the current user is authenticated using the 'admin' guard. If the user is authenticated, the controller proceeds to show the view. Otherwise, the controller returns a 403 error.

You can also enforce the guard at the route level with the auth middleware, passing the guard name after the colon:

use Illuminate\Support\Facades\Route;

Route::middleware('auth:admin')->group(function () {
   Route::view('/dashboard', 'admin.dashboard')->name('dashboard');
});
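
The following feature test is an added example, not code from the original article. It checks that the guards are isolated from each other: only a user logged in through the 'admin' guard reaches /dashboard. It assumes the default 'web' guard with App\Models\User is still configured, that Admin and SubAdmin extend Illuminate\Foundation\Auth\User, and that the route and the admin.dashboard view shown above exist; the class name GuardIsolationTest is hypothetical.

```php
<?php

namespace Tests\Feature;

use App\Models\Admin;
use App\Models\SubAdmin;
use App\Models\User;
use Tests\TestCase;

// Hypothetical test class: only the 'admin' guard may open /dashboard.
class GuardIsolationTest extends TestCase
{
    public function test_guest_is_rejected(): void
    {
        // getJson() makes the auth middleware answer 401 instead of redirecting
        $this->getJson('/dashboard')->assertUnauthorized();
    }

    public function test_web_user_is_rejected(): void
    {
        // Logged in on the default 'web' guard only (unsaved model, no database)
        $this->actingAs(new User(), 'web')
            ->getJson('/dashboard')
            ->assertUnauthorized();
    }

    public function test_subadmin_is_rejected(): void
    {
        // A session on the 'subadmin' guard must not satisfy auth:admin
        $this->actingAs(new SubAdmin(), 'subadmin')
            ->getJson('/dashboard')
            ->assertUnauthorized();
    }

    public function test_admin_is_allowed(): void
    {
        $this->actingAs(new Admin(), 'admin')
            ->getJson('/dashboard')
            ->assertOk();
    }
}
```

Run it with php artisan test. A failure in either rejection test means a route is reachable through a guard it was not meant to accept.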