Roles and Permissions

Overview

Sistema de Abogados implements a robust role-based access control (RBAC) system using the Spatie Laravel Permission package. This system allows you to control what users can access and do within the application through roles and permissions.

Spatie Laravel Permission Integration

The application uses the spatie/laravel-permission package to manage roles and permissions. The User model includes the HasRoles trait, enabling role and permission assignment:

app/Models/User.php

use Spatie\Permission\Traits\HasRoles;

class User extends Authenticatable
{
    use HasApiTokens, HasFactory, Notifiable, HasRoles, Searchable;
    // ...
}

Default Roles

The system defines four primary roles during database seeding:

Admin

Full system access including user, role, and permission management

Encargado

Case manager with access to conciliation and case management

Asistente

Assistant with access to conciliation and expediente support

Abogado

Lawyer with case management and client interaction capabilities

Role Seeder

Roles are created during database seeding:

database/seeders/RoleSeeder.php

use Spatie\Permission\Models\Role;

public function run()
{
    Role::create(['name' => 'admin']);
    Role::create(['name' => 'asistente']);
    Role::create(['name' => 'abogado']);
}

The encargado role may be created manually or through additional seeders not shown in the base RoleSeeder.

Permission Management

Permissions control specific actions users can perform. The system provides a complete CRUD interface for managing permissions.

Creating Permissions

Administrators can create new permissions through the PermissionController:

app/Http/Controllers/Admin/PermissionController.php

public function store(Request $request)
{
    $validated = $request->validate(['name' => ['required']]);
    Permission::create($validated);

    return to_route('admin.permissions.index')
        ->with('message', 'Permiso creado correctamente.');
}

Assigning Permissions to Roles

Permissions can be assigned to roles to control role capabilities:

Navigate to Role Management

Access the role edit page at /admin/roles/{role}/edit

Select Permission

Choose the permission you want to assign from the available permissions list

Assign Permission

Submit the form to assign the permission to the role

app/Http/Controllers/Admin/RoleController.php

public function givePermission(Request $request, Role $role)
{
    if($role->hasPermissionTo($request->permission)){
        return back()->with('messageAlert', 'Permiso existente.');
    }
    $role->givePermissionTo($request->permission);
    return back()->with('message', 'Permiso agregado.');
}

Revoking Permissions from Roles

To remove a permission from a role:

app/Http/Controllers/Admin/RoleController.php

public function revokePermission(Role $role, Permission $permission)
{
    if($role->hasPermissionTo($permission)){
        $role->revokePermissionTo($permission);
        return back()->with('messagedestroy', 'Permiso removido.');
    }
}

Route: DELETE /admin/roles/{role}/permissions/{permission}

Role Assignment

Assigning Roles to Users

Administrators can assign roles to users through the UserController:

Access User Management

Navigate to /admin/users/{user} to view the user’s role management page

Select Role

Choose from available roles: admin, encargado, asistente, or abogado

Assign Role

Submit the role assignment:

app/Http/Controllers/Admin/UserController.php

public function assignRole(Request $request, User $user)
{
    if($user->hasRole($request->role)){
        return back()->with('messageAlert', 'Rol existente.');
    }

    $user->assignRole($request->role);
    return back()->with('message', 'Role asignado.');
}

Route: POST /admin/users/{user}/roles

Removing Roles from Users

To remove a role from a user:

app/Http/Controllers/Admin/UserController.php

public function removeRole(User $user, Role $role)
{
    if($user->hasRole($role)){
        $user->removeRole($role);
        return back()->with('messagedestroy', 'Rol Removido.');
    }

    return back()->with('messageAlert', 'Rol no existente.');
}

Route: DELETE /admin/users/{user}/roles/{role}

Direct Permission Assignment

In addition to role-based permissions, you can assign permissions directly to individual users.

Giving Permissions to Users

app/Http/Controllers/Admin/UserController.php

public function givePermission(Request $request, User $user)
{
    if($user->hasPermissionTo($request->permission)){
        return back()->with('messageAlert', 'Permiso existente.');
    }
    $user->givePermissionTo($request->permission);
    return back()->with('message', 'Permiso agregado.');
}

Route: POST /admin/users/{user}/permissions

Revoking Permissions from Users

app/Http/Controllers/Admin/UserController.php

public function revokePermission(User $user, Permission $permission)
{
    if($user->hasPermissionTo($permission)){
        $user->revokePermissionTo($permission);
        return back()->with('messagedestroy', 'Permiso removido.');
    }
}

Route: DELETE /admin/users/{user}/permissions/{permission}

Middleware Protection

The application uses role-based middleware to protect routes. Only users with specific roles can access protected resources.

Admin-Only Routes

All role and permission management is restricted to admin users:

routes/web.php

Route::middleware(['auth', 'role:admin'])->name('admin.')->prefix('admin')->group(function() {
    Route::get('/', [IndexController::class, 'index'])->name('index');
    Route::resource('/roles', RoleController::class);
    Route::resource('/permissions', PermissionController::class);
    Route::resource('/users', UserController::class);
    // Role and permission assignment routes...
});

Multi-Role Routes

Many routes allow access to multiple roles using the pipe (|) separator:

routes/web.php

// Encargado, Admin, and Asistente can access conciliation
Route::middleware(['auth', 'role:encargado|admin|asistente'])
    ->name('conciliacion.')
    ->prefix('conciliacion')
    ->group(function() {
        Route::resource('/expediente', ExpedienteController::class);
        // ...
    });

// Encargado, Admin, and Abogado can access case management
Route::middleware(['auth', 'role:encargado|admin|abogado'])
    ->name('caso.')
    ->prefix('caso')
    ->group(function() {
        Route::resource('/caso', CasosController::class);
        // ...
    });

Admin Routes Reference

Role Management Routes

GET /admin/roles - List all roles
GET /admin/roles/create - Create role form
POST /admin/roles - Store new role
GET /admin/roles/{role}/edit - Edit role form
PUT /admin/roles/{role} - Update role
DELETE /admin/roles/{role} - Delete role
POST /admin/roles/{role}/permissions - Assign permission to role
DELETE /admin/roles/{role}/permissions/{permission} - Revoke permission from role

Permission Management Routes

GET /admin/permissions - List all permissions
GET /admin/permissions/create - Create permission form
POST /admin/permissions - Store new permission
GET /admin/permissions/{permission}/edit - Edit permission form
PUT /admin/permissions/{permission} - Update permission
DELETE /admin/permissions/{permission} - Delete permission
POST /admin/permissions/{permission}/roles - Assign role to permission
DELETE /admin/permissions/{permission}/roles/{role} - Remove role from permission

User Management Routes

GET /admin/users - List all users
GET /admin/users/{user} - Show user with roles and permissions
DELETE /admin/users/{user} - Delete user
POST /admin/users/{user}/roles - Assign role to user
DELETE /admin/users/{user}/roles/{role} - Remove role from user
POST /admin/users/{user}/permissions - Give permission to user
DELETE /admin/users/{user}/permissions/{permission} - Revoke permission from user

Best Practices

Admin users cannot be deleted from the system. The UserController prevents deletion of users with the admin role:

if($user->hasRole('admin')){
    return back()->with('messageAlert', 'No puedes eliminar un usuario admin.');
}

Use Roles for Groups

Assign permissions to roles rather than individual users for easier management

Principle of Least Privilege

Only grant permissions necessary for users to perform their duties

Regular Audits

Periodically review user roles and permissions to ensure appropriateness

Document Custom Permissions

Keep track of custom permissions created for specific business needs

Checking Permissions in Code

The Spatie package provides several methods to check permissions:

// Check if user has a role
if ($user->hasRole('admin')) {
    // User is an admin
}

// Check if user has a permission
if ($user->hasPermissionTo('edit articles')) {
    // User can edit articles
}

// Check if role has a permission
if ($role->hasPermissionTo('delete users')) {
    // Role can delete users
}

// Check multiple roles
if ($user->hasAnyRole(['admin', 'encargado'])) {
    // User has at least one of these roles
}

User Types

Learn about each user role and their specific capabilities

Authentication

Understand how authentication and session management works

Get Started

Core Features

User Management

Guides

Overview

Spatie Laravel Permission Integration

Default Roles

Admin

Encargado

Asistente

Abogado

Role Seeder

Permission Management

Creating Permissions

Assigning Permissions to Roles

Revoking Permissions from Roles

Role Assignment

Assigning Roles to Users

Removing Roles from Users

Direct Permission Assignment

Giving Permissions to Users

Revoking Permissions from Users

Middleware Protection

Admin-Only Routes

Multi-Role Routes

Admin Routes Reference

Best Practices

Use Roles for Groups

Principle of Least Privilege

Regular Audits

Document Custom Permissions

Checking Permissions in Code

See Also

User Types

Authentication

Build docs developers (and LLMs) love

Get Started

Core Features

User Management

Guides

​Overview

​Spatie Laravel Permission Integration

​Default Roles

Admin

Encargado

Asistente

Abogado

​Role Seeder

​Permission Management

​Creating Permissions

​Assigning Permissions to Roles

​Revoking Permissions from Roles

​Role Assignment

​Assigning Roles to Users

​Removing Roles from Users

​Direct Permission Assignment

​Giving Permissions to Users

​Revoking Permissions from Users

​Middleware Protection

​Admin-Only Routes

​Multi-Role Routes

​Admin Routes Reference

​Best Practices

Use Roles for Groups

Principle of Least Privilege

Regular Audits

Document Custom Permissions

​Checking Permissions in Code

​See Also

User Types

Authentication

Build docs developers (and LLMs) love

Overview

Spatie Laravel Permission Integration

Default Roles

Role Seeder

Permission Management

Creating Permissions

Assigning Permissions to Roles

Revoking Permissions from Roles

Role Assignment

Assigning Roles to Users

Removing Roles from Users

Direct Permission Assignment

Giving Permissions to Users

Revoking Permissions from Users

Middleware Protection

Admin-Only Routes

Multi-Role Routes

Admin Routes Reference

Best Practices

Checking Permissions in Code

See Also