Role and Permission Manager in Laravel

Role & Permission Manager in Laravel (Complete Guide)

Managing roles and permissions is critical for building secure and scalable Laravel applications. In this guide, you’ll learn how to implement a robust Role-Based Access Control (RBAC) system from scratch.


📌 What is RBAC?

RBAC (Role-Based Access Control) allows you to assign permissions to roles and roles to users.

Example: Admin → Manage Users, Editor → Edit Posts, User → View Content

🛠 Step 1: Database Structure

roles
- id
- name

permissions
- id
- name

role_permission
- role_id
- permission_id

user_role
- user_id
- role_id

This structure supports many-to-many relationships between users, roles, and permissions.
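The following migration is an added example (not code from the original guide) that creates the four tables from Step 1. It assumes a standard Laravel application whose `users` table already exists from the default migration; the cascading deletes and composite primary keys are this example's choices.

```php
<?php
// Added example, not from the original guide: creates the roles, permissions,
// role_permission and user_role tables of Step 1. Assumes the default `users`
// table already exists.

use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

return new class extends Migration
{
    public function up(): void
    {
        Schema::create('roles', function (Blueprint $table) {
            $table->id();
            $table->string('name')->unique();   // e.g. "admin", "editor"
            $table->timestamps();
        });

        Schema::create('permissions', function (Blueprint $table) {
            $table->id();
            $table->string('name')->unique();   // e.g. "manage_users"
            $table->timestamps();
        });

        Schema::create('role_permission', function (Blueprint $table) {
            // constrained() infers the `roles` / `permissions` tables from the column names.
            $table->foreignId('role_id')->constrained()->cascadeOnDelete();
            $table->foreignId('permission_id')->constrained()->cascadeOnDelete();
            // Composite primary key: a permission can be granted to a role only once.
            $table->primary(['role_id', 'permission_id']);
        });

        Schema::create('user_role', function (Blueprint $table) {
            $table->foreignId('user_id')->constrained()->cascadeOnDelete();
            $table->foreignId('role_id')->constrained()->cascadeOnDelete();
            // A user holds a given role at most once.
            $table->primary(['user_id', 'role_id']);
        });
    }

    public function down(): void
    {
        // Drop the pivot tables first so their foreign keys do not block the drop.
        Schema::dropIfExists('user_role');
        Schema::dropIfExists('role_permission');
        Schema::dropIfExists('permissions');
        Schema::dropIfExists('roles');
    }
};
```

The cascading deletes matter for access control: deleting a role or a permission row removes every grant that referenced it, so no dangling pivot rows keep a revoked right alive. The unique constraint on `name` prevents two rows such as `manage_users` that a lookup by name would match ambiguously.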


⚙️ Step 2: Create Models & Relationships

<?php
// Each class lives in its own file under app/Models (shown together here for brevity).

namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Foundation\Auth\User as Authenticatable;

// User must extend Authenticatable (not plain Model) so auth()->user() returns it.
class User extends Authenticatable {
    public function roles(): BelongsToMany {
        // Pivot table named explicitly: Laravel's default would be "role_user",
        // but Step 1 uses "user_role".
        return $this->belongsToMany(Role::class, 'user_role');
    }
}

class Role extends Model {
    protected $fillable = ['name'];

    public function permissions(): BelongsToMany {
        // Default would be "permission_role"; Step 1 uses "role_permission".
        return $this->belongsToMany(Permission::class, 'role_permission');
    }
}

class Permission extends Model {
    protected $fillable = ['name'];

    public function roles(): BelongsToMany {
        return $this->belongsToMany(Role::class, 'role_permission');
    }
}

🔁 Step 3: Assign Roles & Permissions

$user->roles()->attach($roleId);

$role->permissions()->attach($permissionId);

You can also sync roles (sync replaces the user's current roles with exactly the given set, detaching any that are not listed):

$user->roles()->sync([1,2]);

🔐 Step 4: Check Permissions

// Add this method to App\Models\User. It answers "does any of this user's roles
// carry a permission with this name?" with a single EXISTS query.
public function hasPermission(string $permission): bool
{
    return $this->roles()
        ->whereHas('permissions', function ($query) use ($permission) {
            $query->where('name', $permission);
        })->exists();
}

🚧 Step 5: Create Middleware

php artisan make:middleware CheckPermission

<?php
namespace App\Http\Middleware;

use Closure;

class CheckPermission
{
    public function handle($request, Closure $next, string $permission)
    {
        // Guests and authenticated users lacking the permission both get 403.
        if (!auth()->user() || !auth()->user()->hasPermission($permission)) {
            abort(403, 'Unauthorized');
        }

        return $next($request);
    }
}

Register it as a route middleware alias in app/Http/Kernel.php (the $middlewareAliases array in Laravel 10, $routeMiddleware in earlier versions; Laravel 11 registers aliases in bootstrap/app.php instead):

'permission' => \App\Http\Middleware\CheckPermission::class,

📍 Step 6: Use in Routes

Route::get('/admin', function () {
    return "Admin Panel";
})->middleware('permission:manage_users');
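Authorization code is only trustworthy once the deny paths are tested. The following PHPUnit feature test is an added example (not part of the original guide) for the `permission` middleware and the `/admin` route above. It assumes the Step 1 tables and Step 2 models in `App\Models`, the default `User` factory, and a test database (for example SQLite in memory) so `RefreshDatabase` can migrate it.

```php
<?php
// Added example, not from the original guide: feature tests for the
// `permission:manage_users` route middleware. Assumes App\Models\{User,Role,
// Permission} from Steps 1-2, the default User factory and a test database.

namespace Tests\Feature;

use App\Models\Permission;
use App\Models\Role;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PermissionMiddlewareTest extends TestCase
{
    use RefreshDatabase;

    // Builds a user holding one role that grants exactly one permission.
    // forceCreate() bypasses $fillable so the test does not depend on it.
    private function userWithPermission(string $permission): User
    {
        $user = User::factory()->create();
        $role = Role::forceCreate(['name' => 'test-role']);
        $perm = Permission::forceCreate(['name' => $permission]);
        $role->permissions()->attach($perm->id);
        $user->roles()->attach($role->id);

        return $user;
    }

    public function test_guest_is_rejected(): void
    {
        $this->get('/admin')->assertStatus(403);
    }

    public function test_user_with_no_roles_is_rejected(): void
    {
        $user = User::factory()->create();
        $this->actingAs($user)->get('/admin')->assertStatus(403);
    }

    public function test_user_with_a_different_permission_is_rejected(): void
    {
        $user = $this->userWithPermission('edit_posts');
        $this->actingAs($user)->get('/admin')->assertStatus(403);
    }

    public function test_user_with_the_required_permission_is_allowed(): void
    {
        $user = $this->userWithPermission('manage_users');
        $this->actingAs($user)->get('/admin')->assertOk()->assertSee('Admin Panel');
    }

    public function test_revoking_the_role_revokes_access(): void
    {
        $user = $this->userWithPermission('manage_users');
        $user->roles()->detach();
        $this->actingAs($user->fresh())->get('/admin')->assertStatus(403);
    }
}
```

Run it with `php artisan test --filter PermissionMiddlewareTest`. The three rejection cases (guest, no roles, wrong permission) are the ones that catch a middleware that accidentally passes every request through; the last case verifies that detaching a role takes effect immediately, which is the behaviour to re-check if you later add caching (Step 8).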

🧠 Step 7: Use Gates (Alternative)

// In App\Providers\AuthServiceProvider::boot()
use Illuminate\Support\Facades\Gate;

Gate::define('manage-users', function ($user) {
    return $user->hasPermission('manage_users');
});

// In a Blade view: renders the button only for users who pass the gate.
@can('manage-users')
    <button>Delete User</button>
@endcan

Note that @can only controls what is rendered; the route or controller action behind the button must still be protected with the middleware from Step 5 or an explicit Gate check, since the request can be sent without the button.
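Defining one gate per permission by hand is the "hardcoding" mistake listed later in this guide. The following service provider is an added example (not from the original guide) that registers a gate for every row of the `permissions` table instead, so adding a permission is a data change rather than a code change. It assumes the `App\Models\Permission` model from Step 2 and the `hasPermission()` method from Step 4.

```php
<?php
// Added example, not from the original guide: one Gate per permissions row.
// Assumes App\Models\Permission and User::hasPermission() from Steps 2 and 4.

namespace App\Providers;

use App\Models\Permission;
use App\Models\User;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Schema;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // The provider also boots during `php artisan migrate` on a fresh
        // database, before the table exists; skip silently in that case.
        if (! Schema::hasTable('permissions')) {
            return;
        }

        foreach (Permission::pluck('name') as $name) {
            // Closure parameter typed as User: Laravel denies guests (null) automatically.
            Gate::define($name, fn (User $user) => $user->hasPermission($name));
        }
    }
}
```

With this in place, `@can('manage_users')`, `$this->authorize('manage_users')` in a controller and Laravel's built-in `can:manage_users` route middleware all resolve against the database, using the same permission names as the `permission:` middleware from Step 5. The `pluck()` runs on every request; wrap it in `Cache::remember()` the same way as the user permission set in Step 8 if that becomes measurable.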

🚀 Step 8: Optimization Tips

  • Cache roles & permissions using Redis
  • Avoid repeated DB queries
  • Use eager loading
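The three tips above fit together in one change to the User model. The following is an added example (not from the original guide): it replaces the per-call query of Step 4 with a cached set of permission names, loaded with one eager-loaded query per TTL, and it invalidates that cache whenever roles change so a revoked role does not stay effective until the TTL expires. It assumes the Step 1 tables, the Step 2 models and a configured cache store (Redis in production; the `array` driver is enough for tests). The method names `permissionNames()`, `forgetPermissionCache()` and `invalidateAllPermissionCaches()` and the `permissions:version` key are this example's own.

```php
<?php
// Added example, not from the original guide: cached permission lookup with
// explicit invalidation. Assumes the Step 1-2 schema/models and a cache store.

namespace App\Models;

use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Facades\Cache;

class User extends Authenticatable
{
    // Lifetime of a user's cached permission set, in seconds. Keep it short:
    // it bounds how long a stale grant can survive a missed invalidation.
    public const PERMISSION_CACHE_TTL = 300;

    public function roles(): BelongsToMany
    {
        return $this->belongsToMany(Role::class, 'user_role');
    }

    // A global version number is part of every key. Bumping it invalidates all
    // users' cached sets at once, which is needed when a role's permissions are
    // edited (that affects every holder of the role, not one user).
    public static function permissionCacheKey(int $userId): string
    {
        $version = (int) Cache::get('permissions:version', 1);

        return "user:{$userId}:permissions:v{$version}";
    }

    public static function invalidateAllPermissionCaches(): void
    {
        Cache::forever('permissions:version', (int) Cache::get('permissions:version', 1) + 1);
    }

    // All permission names granted through any of the user's roles: one query
    // (roles with eager-loaded permissions) per TTL instead of one per check.
    public function permissionNames(): array
    {
        return Cache::remember(
            self::permissionCacheKey($this->id),
            self::PERMISSION_CACHE_TTL,
            fn () => $this->roles()
                ->with('permissions')
                ->get()
                ->flatMap(fn (Role $role) => $role->permissions->pluck('name'))
                ->unique()
                ->values()
                ->all()
        );
    }

    // Same contract as Step 4, now served from the cached set.
    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissionNames(), true);
    }

    public function forgetPermissionCache(): void
    {
        Cache::forget(self::permissionCacheKey($this->id));
    }

    // Route every role change through these helpers so the cache is always
    // dropped together with the change.
    public function assignRole(Role $role): void
    {
        $this->roles()->syncWithoutDetaching([$role->id]);
        $this->forgetPermissionCache();
    }

    public function removeRole(Role $role): void
    {
        $this->roles()->detach($role->id);
        $this->forgetPermissionCache();
    }
}
```

Call `User::invalidateAllPermissionCaches()` wherever a role's permission list is edited; the per-user `forgetPermissionCache()` only covers changes to that one user's roles. The caching removes the per-check query, but it also means a revocation is only as fast as the invalidation, which is why every mutation path above drops the cache explicitly rather than relying on the TTL.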

⚠️ Common Mistakes

  • Checking permissions directly in controllers everywhere
  • No caching → slow performance
  • Hardcoding roles

🔥 Bonus: Use Package

Instead of building from scratch, you can use an existing role and permission package for Laravel. Such a package typically provides:

  • Easy role & permission management
  • Blade directives
  • Middleware support

🎯 Conclusion

A well-structured role and permission system improves security and maintainability. Using RBAC, middleware, and caching ensures your Laravel app scales efficiently.