
Overview

The User model represents authenticated users in the system, including doctors, receptionists, admin staff, and patients. It extends Laravel’s Authenticatable class and integrates with Fortify for authentication and Spatie Permission for role-based access control.

Model Location: app/Models/User.php
Database Table: users

Database Schema

  • id (integer, required): Primary key, auto-incrementing
  • name (string, required): User’s full name (max 255 characters)
  • email (string, required): User’s email address (unique, used for login)
  • email_verified_at (timestamp): Timestamp when email was verified (nullable)
  • password (string, required): Hashed password (automatically hashed by Laravel)
  • two_factor_secret (text): Encrypted two-factor authentication secret
  • two_factor_recovery_codes (text): Encrypted two-factor recovery codes
  • two_factor_confirmed_at (timestamp): Timestamp when two-factor authentication was confirmed
  • remember_token (string): Token for “remember me” functionality
  • created_at (timestamp): Record creation timestamp
  • updated_at (timestamp): Record last update timestamp

Fillable Attributes

Only these attributes can be mass-assigned:
protected $fillable = [
    'name',
    'email',
    'password',
];

Hidden Attributes

These attributes are hidden from JSON serialization for security:
protected $hidden = [
    'password',
    'two_factor_secret',
    'two_factor_recovery_codes',
    'remember_token',
];

Type Casting

protected function casts(): array
{
    return [
        'email_verified_at' => 'datetime',
        'password' => 'hashed',
        'two_factor_confirmed_at' => 'datetime',
    ];
}

Traits

The User model uses the following traits:
  • HasFactory: Enables model factories for testing
  • Notifiable: Adds notification sending capabilities
  • TwoFactorAuthenticatable: Adds two-factor authentication via Laravel Fortify
  • HasRoles: Adds role and permission management via Spatie Permission

Roles

Users can have one of four roles:

  • Admin: Full system access including staff management and reports
  • Doctor: Manage appointments, consultations, prescriptions, and schedules
  • Receptionist: Manage patients, appointments, and payments
  • Patient: Self-service portal for appointments and medical records

Usage Examples

Creating a User

use App\Models\User;
use Illuminate\Support\Facades\Hash;

$user = User::create([
    'name' => 'Dr. John Smith',
    'email' => 'doctor@example.com', // placeholder address
    'password' => Hash::make('secure-password'),
]);

// Assign role
$user->assignRole('doctor');

Checking User Role

// Check if user has a specific role
if ($user->hasRole('admin')) {
    // User is an admin
}

// Check if user has any of the roles
if ($user->hasAnyRole(['admin', 'doctor'])) {
    // User is admin or doctor
}

// Check if user has a permission
if ($user->can('create-patients')) {
    // User can create patients
}

Querying by Role

// Get all doctors
$doctors = User::role('doctor')->get();

// Get all staff (non-patients)
$staff = User::role(['admin', 'doctor', 'receptionist'])->get();

// Get users with specific permission
$usersWithPermission = User::permission('view-reports')->get();

Two-Factor Authentication

// Check if a 2FA secret has been generated (setup started, possibly not yet confirmed)
if ($user->two_factor_secret) {
    // A 2FA secret exists for this user
}

// Check if 2FA is confirmed
if ($user->hasEnabledTwoFactorAuthentication()) {
    // 2FA is fully configured
}

Sending Notifications

use App\Notifications\AppointmentReminder;

$user->notify(new AppointmentReminder($appointment));

Relationships

While not explicitly defined in the User model, the following relationships exist:

Doctor Schedules

// Accessed via DoctorSchedule model
$schedules = DoctorSchedule::where('user_id', $user->id)->get();

Consultations (as Doctor)

// Accessed via Consultation model
$consultations = Consultation::where('doctor_id', $user->id)->get();

Appointments (as Doctor)

// Accessed via Appointment model
$appointments = Appointment::where('doctor_id', $user->id)->get();

Security Considerations

Never expose user passwords, two-factor secrets, or recovery codes in API responses. The model’s $hidden array keeps them out of the model’s array and JSON output by default.
Email verification is available through Laravel Fortify. Enable it in config/fortify.php to require users to verify their email before accessing the system.
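
A regression test for the $hidden guarantee described above, added here as an example (not the project's own code). It assumes the stock Laravel test scaffolding (Tests\TestCase and a UserFactory); the class name and all 2FA values are constructed placeholders.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

// Added example: assumes Tests\TestCase and a UserFactory exist (stock Laravel scaffolding).
class UserSerializationTest extends TestCase
{
    use RefreshDatabase;

    private const SECRETS = ['password', 'two_factor_secret', 'two_factor_recovery_codes', 'remember_token'];

    private function userWithSecrets(): User
    {
        $user = User::factory()->create();

        // forceFill() bypasses $fillable; every value here is a constructed placeholder.
        $user->forceFill([
            'two_factor_secret' => encrypt('constructed-secret'),
            'two_factor_recovery_codes' => encrypt(json_encode(['constructed-code'])),
            'remember_token' => 'constructed-token',
        ])->save();

        return $user->fresh();
    }

    public function test_secret_columns_never_reach_serialized_output(): void
    {
        $payload = json_decode($this->userWithSecrets()->toJson(), true);

        foreach (self::SECRETS as $key) {
            $this->assertArrayNotHasKey($key, $payload, "{$key} leaked into JSON");
        }
    }

    public function test_hidden_only_filters_serialization(): void
    {
        $user = $this->userWithSecrets();

        // The attribute is still readable in code, and makeVisible() re-exposes it,
        // so responses built by hand need their own allowlist.
        $this->assertNotEmpty($user->password);
        $this->assertArrayHasKey('password', $user->makeVisible('password')->toArray());
    }
}
```

The second test documents the limit of $hidden: it filters toArray() and toJson() only, so any controller that assembles a response field by field, or calls makeVisible(), must be reviewed separately.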
