Back to blog
LaravelRBACSecurityPHP

Building Role-Based Access Control Systems in Laravel

2024-10-158 min read
Building Role-Based Access Control Systems in Laravel

Role-Based Access Control (RBAC) is a fundamental requirement for enterprise applications. Laravel provides an elegant yet powerful set of tools to implement fine-grained authorization without unnecessary complexity.

Understanding Laravel's Authorization Layer

Laravel offers two primary ways to authorize actions: gates and policies. Gates are Closure-based and work well for generic authorization logic, while policies are class-based and typically tied to Eloquent models. For complex enterprise RBAC, a hybrid approach works best.

Start by defining roles and permissions in your database:

Schema::create('roles', function (Blueprint $table) {
    $table->id();
    $table->string('name')->unique();
    $table->string('guard_name')->default('web');
    $table->timestamps();
});

Schema::create('permissions', function (Blueprint $table) {
    $table->id();
    $table->string('name')->unique();
    $table->string('guard_name')->default('web');
    $table->timestamps();
});

Policy-Based Authorization

Policies allow you to organize authorization logic around specific models. For example, an InvoicePolicy might look like:

class InvoicePolicy
{
    public function view(User $user, Invoice $invoice): bool
    {
        return $user->hasPermission('view-invoice')
            && $user->belongsToTenant($invoice->tenant_id);
    }
}

Middleware Integration

Route-level protection through middleware ensures unauthorized requests never reach your controllers. Create reusable middleware that checks permissions based on route parameters.

This layered approach — middleware at the route level, policies at the model level, and gates for ad-hoc checks — provides comprehensive coverage for any enterprise scenario.

Back to all posts