The user management system provides comprehensive tools for managing users, roles, and permissions using Spatie Laravel Permission package.
Permission Requirements User management requires the access.admin.panel permission. All routes are protected by authentication, email verification, and permission middleware.
User Management Routes User management uses Laravel’s resource routes:
// routes/web.php:83-85 Route :: resource ( 'users' , UserController :: class ); Route :: resource ( 'roles' , RoleController :: class );
User List View and manage all users at /admin/users.
Livewire User List Component The user list uses a reactive Livewire component with search, sort, and pagination:
// app/Livewire/Admin/UserList.php:9-76 class UserList extends Component { use WithPagination ; public $search = '' ; public $sortField = 'name' ; public $sortDirection = 'asc' ; public $showDeleteModal = false ; public $userToDelete = null ; protected $queryString = [ 'search' => [ 'except' => '' ], 'sortField' => [ 'except' => 'name' ], 'sortDirection' => [ 'except' => 'asc' ], ]; public function sortBy ( $field ) { if ( $this -> sortField === $field ) { $this -> sortDirection = $this -> sortDirection === 'asc' ? 'desc' : 'asc' ; } else { $this -> sortField = $field ; $this -> sortDirection = 'asc' ; } } public function render () { $users = User :: query () -> with ( 'roles' ) -> when ( $this -> search , function ( $query ) { $query -> where ( 'name' , 'like' , '%' . $this -> search . '%' ) -> orWhere ( 'email' , 'like' , '%' . $this -> search . '%' ); }) -> orderBy ( $this -> sortField , $this -> sortDirection ) -> paginate ( 10 ) -> withQueryString (); return view ( 'livewire.admin.user-list' , [ 'users' => $users ]); } }
User List Features
Search Search users by name or email address in real-time
Sort Sort by any column (name, email, created date)
Paginate 10 users per page with pagination controls
Role Display View assigned roles for each user
Creating Users Create new users at /admin/users/create.
Navigate to Create User
Click “Create New User” button on the user list
Enter User Details
Fill in name, email, and password fields
Assign Roles
Select one or more roles (except Super Admin)
Save User
User account is created and roles are assigned
Create User Livewire Component // app/Livewire/Admin/CreateUser.php:10-60 class CreateUser extends Component { #[ Validate ( 'required|string|max:255' )] public $name ; #[ Validate ( 'required|email' , as : 'Email Address' )] public $email ; #[ Validate ( 'nullable|min:8|confirmed' )] public $password ; public $password_confirmation ; public $roles = []; public $availableRoles = []; public function mount () { // Load all roles except 'Super Admin' $this -> availableRoles = Role :: where ( 'name' , '!=' , 'Super Admin' ) -> pluck ( 'name' ) -> toArray (); } public function save () { // Create a new user instance $user = new User (); $user -> name = $this -> name ; $user -> email = $this -> email ; if ( $this -> password ) { $user -> password = bcrypt ( $this -> password ); } $user -> save (); // Sync roles, ensuring the 'Super Admin' role cannot be assigned $user -> syncRoles ( array_intersect ( $this -> roles , $this -> availableRoles )); session () -> flash ( 'success' , 'User created successfully.' ); return redirect () -> route ( 'admin.users.index' ); } }
Validation Rules User Creation Requirements
Name: Required, max 255 characters
Email: Required, valid email format, unique
Password: Optional, min 8 characters, must be confirmed
Roles: Optional, multiple roles can be assigned
Super Admin Protection The Super Admin role cannot be assigned through the user creation form. This prevents accidental privilege escalation.
Editing Users Edit existing users at /admin/users/{user}/edit.
Select User
Click “Edit” on any user in the list
Modify Details
Update name, email, password, or status
Manage Roles
Add or remove roles (Super Admin protected)
Ban/Unban User
Change user status to active or banned
Save Changes
User record is updated with new information
Edit User Livewire Component // app/Livewire/Admin/EditUser.php:10-98 class EditUser extends Component { public User $user ; #[ Validate ( 'required|string|max:255' )] public $name ; #[ Validate ( 'required|email' , as : 'Email Address' )] public $email ; #[ Validate ( 'nullable|min:8|confirmed' )] public $password ; public $password_confirmation ; public $status ; public $roles = []; public $availableRoles = []; public function mount ( User $user ) { $this -> user = $user ; $this -> name = $user -> name ; $this -> email = $user -> email ; $this -> status = $user -> status ; // Load all roles except 'Super Admin' $this -> availableRoles = Role :: where ( 'name' , '!=' , 'Super Admin' ) -> pluck ( 'name' ) -> toArray (); // Load assigned roles $this -> roles = $user -> roles -> pluck ( 'name' ) -> toArray (); } public function save () { // Save user details $this -> user -> name = $this -> name ; $this -> user -> email = $this -> email ; if ( $this -> password ) { $this -> user -> password = bcrypt ( $this -> password ); } $this -> user -> save (); // Check if the user has the 'Super Admin' role $hasSuperAdminRole = $this -> user -> hasRole ( 'Super Admin' ); // If user has 'Super Admin', make sure it's not removed if ( $hasSuperAdminRole ) { $this -> user -> syncRoles ( array_merge ([ 'Super Admin' ], array_intersect ( $this -> roles , $this -> availableRoles ))); } else { $this -> user -> syncRoles ( array_intersect ( $this -> roles , $this -> availableRoles )); } session () -> flash ( 'success' , 'User updated successfully.' ); return redirect () -> route ( 'admin.users.index' ); } }
Preserving Super Admin Role If a user has the Super Admin role, it cannot be removed through the edit form. This prevents accidental removal of super admin privileges.
Banning Users Users can be banned to prevent access without deletion.
Ban User // app/Livewire/Admin/EditUser.php:75-82 public function ban ( $id ) { $user = User :: findOrFail ( $id ); $user -> status = 'banned' ; $user -> save (); return back () -> with ( 'message' , 'User has been banned.' ); }
Unban User // app/Livewire/Admin/EditUser.php:84-91 public function unban () { $this -> user -> status = 'active' ; $this -> user -> save (); session () -> flash ( 'message' , 'User has been unbanned.' ); return redirect () -> route ( 'admin.users.index' ); }
User Status
active: User can access the system normallybanned: User is prevented from logging in Deleting Users Delete users with automatic cleanup of API tokens.
Delete Confirmation Modal // app/Livewire/Admin/UserList.php:45-49 public function confirmDelete ( $userId ) { $this -> userToDelete = $userId ; $this -> showDeleteModal = true ; }
Delete User // app/Livewire/Admin/UserList.php:51-60 public function deleteUser () { $user = User :: findOrFail ( $this -> userToDelete ); $user -> delete (); $this -> showDeleteModal = false ; $this -> userToDelete = null ; session () -> flash ( 'message' , 'User deleted successfully.' ); }
User Deletion with Token Cleanup // app/Http/Controllers/UserController.php:86-95 public function destroy ( User $user ) { $user -> tokens -> each -> delete (); // Revokes API tokens $user -> delete (); // Deletes user session () -> flash ( 'message' , 'User Deleted Successfully.' ); return redirect () -> route ( 'admin.users.index' ); }
Permanent Deletion : User deletion is permanent and cannot be undone. All associated data (posts, comments, etc.) may be affected.
Role Management Manage roles and permissions at /admin/roles.
Viewing Roles // app/Http/Controllers/RoleController.php:14-19 public function index () { $roles = Role :: latest () -> paginate ( 10 ); return view ( 'admin.roles.index' , compact ( 'roles' )); }
Creating Roles Create roles with custom permission sets.
Navigate to Create Role
Go to /admin/roles/create
Enter Role Name
Provide a descriptive role name (e.g., “Editor”, “Moderator”)
Select Permissions
Choose permissions grouped by category
Save Role
Role is created with assigned permissions
// app/Http/Controllers/RoleController.php:26-38 public function create () { $role_permission = Permission :: select ( 'name' , 'id' ) -> distinct () -> get (); $custom_permission = []; foreach ( $role_permission as $per ) { $key = strstr ( $per -> name , '.' , true ) ?: $per -> name ; $custom_permission [ $key ][] = $per ; } return view ( 'admin.roles.create' , [ 'permissions' => $custom_permission ]); }
Permission Grouping Permissions are grouped by prefix for easier management:
Group Permissions Description accessaccess.admin.panel, access.subscriber.areaSystem access blogblog.create, blog.edit, blog.deleteBlog management gallerygallery.upload, gallery.manageGallery management useruser.create, user.edit, user.deleteUser management
Storing Roles // app/Http/Controllers/RoleController.php:43-62 public function store ( Request $request ) { $request -> validate ([ 'name' => 'required' , ]); $role = Role :: create ([ 'name' => $request -> name , ]); if ( $request -> permissions ) { foreach ( $request -> permissions as $key => $value ) { $role -> givePermissionTo ( $value ); } } return redirect () -> route ( 'roles.all' ); }
Editing Roles Update role names and permissions.
Select Role
Click “Edit” on any role in the list
Modify Role Name
Update the role name if needed
Adjust Permissions
Add or remove permissions
Save Changes
Role is updated with new configuration
// app/Http/Controllers/RoleController.php:75-94 public function edit ( Role $role ) { $role -> load ( 'permissions' ); $permissions = Permission :: select ([ 'name' , 'id' ]) -> when ( config ( 'database.default' ) === 'sqlite' , function ( $query ) { return $query -> selectRaw ( 'name, MIN(id) as id' ); }) -> groupBy ( 'name' ) -> get (); $groupedPermissions = $permissions -> groupBy ( function ( $permission ) { return strstr ( $permission -> name , '.' , true ) ?: $permission -> name ; }); return view ( 'admin.roles.edit' , [ 'role' => $role , 'permissions' => $groupedPermissions ]); }
Updating Roles // app/Http/Controllers/RoleController.php:99-115 public function update ( Request $request , $id ) { $role = Role :: where ( 'id' , $id ) -> first (); $request -> validate ([ 'name' => 'required' ]); $role -> update ([ "name" => $request -> name ]); $role -> syncPermissions ( $request -> permissions ); return redirect () -> route ( 'admin.roles.index' ) -> with ( 'success' , 'Roles Updated Successfully' ); }
Deleting Roles Delete roles with automatic permission cleanup.
// app/Http/Controllers/RoleController.php:133-138 public function destroy ( Role $role ) { $role -> delete (); return redirect () -> route ( 'admin.roles.index' ) -> with ( 'success' , 'Role deleted successfully.' ); }
Role Deletion : When you delete a role, users with that role will lose those permissions. Consider reassigning users before deleting important roles.
Permission System LaraCMS uses Spatie Laravel Permission for granular access control.
Key Permissions // Required for admin panel access (routes/web.php:71) -> middleware ( 'permission:access.admin.panel' )
Common Permissions Permission Description Required For access.admin.panelAccess admin dashboard All admin routes access.subscriber.areaAccess subscriber content Premium features blog.createCreate blog posts Post creation blog.editEdit blog posts Post editing blog.deleteDelete blog posts Post deletion user.manageManage users User CRUD operations role.manageManage roles Role CRUD operations
Checking Permissions // In controllers if ( ! auth () -> user () -> can ( 'access.admin.panel' )) { abort ( 403 ); } // In Blade views @ can ( 'access.admin.panel' ) <!-- Admin content --> @ endcan // Using middleware Route :: middleware ( 'permission:access.admin.panel' ) -> group ( function () { // Protected routes });
Best Practices
Organize roles in a hierarchy:
Super Admin : Full system access (protected)Admin : Most admin functionsEditor : Content management onlyModerator : User moderationUser : Basic access
Use consistent permission naming:
Format: resource.action (e.g., blog.create)
Group related permissions with same prefix
Use descriptive names
Document custom permissions
Always protect Super Admin role:
Exclude from dropdowns and selectors
Prevent removal through UI
Limit Super Admin assignments
Log Super Admin changes
Use banning instead of deletion when possible:
Preserves content ownership
Allows reactivation
Maintains data integrity
Consider soft deletes for important users
Troubleshooting
If users can’t access admin panel:
Verify access.admin.panel permission is assigned
Check role has correct permissions
Clear permission cache: php artisan permission:cache-reset
Verify user has the role assigned
If roles don’t show in dropdowns:
Check Super Admin filtering is working
Verify roles exist in database
Clear cache: php artisan cache:clear
Check database connection
If user deletion fails:
Check for foreign key constraints
Consider soft deletes
Ban user instead of deleting
Review cascading delete rules
Multi-Tenant Security As a SaaS platform, security is critical:
Tenant Isolation
Users can only access their tenant’s data
Permissions are tenant-scoped
Super Admin role per tenant
Security Best Practices
Regular permission audits
Monitor Super Admin assignments
Log privilege changes
Review role permissions quarterly
Use 2FA for admin accounts (recommended)
Next Steps
Dashboard Overview Return to admin dashboard documentation
URL Tools Learn about URL shortener and redirects