C.A.R. 911 uses the Spatie Laravel Permission package to manage user roles and permissions. This provides a flexible and powerful system for controlling access to different parts of the application.

Spatie Permission Package

The application uses Spatie Laravel Permission version 5.5:
"spatie/laravel-permission": "^5.5"
Reference: composer.json:24

User Model Configuration

The User model includes the HasRoles trait to enable role and permission functionality:
use Spatie\Permission\Traits\HasRoles;

class User extends Authenticatable
{
    use HasApiTokens, HasFactory, Notifiable, HasRoles;
}
Reference: app/Models/User.php:12-16

Role Management

Roles are managed through the RolController, which provides full CRUD operations.

Role Controller Permissions

The controller uses middleware to restrict access based on permissions:
function __construct(){
    $this->middleware('permission:ver-rol|crear-rol|editar-rol|borrar-rol', ['only'=>['index']]);
    $this->middleware('permission:crear-rol', ['only'=>['create', 'store']]);
    $this->middleware('permission:editar-rol', ['only'=>['edit', 'update']]);
    $this->middleware('permission:borrar-rol', ['only'=>['destroy']]);
}
Reference: app/Http/Controllers/RolController.php:13-18

Permission Types

The system uses four main permission types for role management:
  • ver-rol (string) - View and list all roles in the system
  • crear-rol (string) - Create new roles and assign permissions
  • editar-rol (string) - Edit existing roles and update their permissions
  • borrar-rol (string) - Delete roles from the system

Working with Roles

Listing Roles

Retrieve all roles with pagination:
public function index()
{
    $roles = Role::paginate(100);
    return view('roles.index', compact('roles'));
}
Reference: app/Http/Controllers/RolController.php:25-29

Creating a Role

1. Load Create Form

The create method retrieves all available permissions:
public function create()
{
    $permission = Permission::get();
    return view('roles.crear', compact('permission'));
}
Reference: app/Http/Controllers/RolController.php:36-41

2. Validate Input

The store method validates that both name and permissions are provided:
$this->validate($request, [
    'name' => 'required', 
    'permission' => 'required'
]);
Reference: app/Http/Controllers/RolController.php:52

3. Create and Sync Permissions

Create the role and sync permissions in one operation:
$role = Role::create(['name' => $request->input('name')]);
$role->syncPermissions($request->input('permission'));

return redirect()->route('roles.index');
Reference: app/Http/Controllers/RolController.php:53-56
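
A stricter form of the validation and creation steps above, shown as an added example rather than the project's own code. It requires permission to be an array of IDs that exist in the permissions table and rejects duplicate role names before syncPermissions() runs; the controller name is hypothetical, and it assumes the form posts permission IDs and that the package's default table names are in use.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;

// Added example (hypothetical controller name, not the project's RolController).
class RolStoreExampleController extends Controller
{
    public function store(Request $request)
    {
        // Assumption: the form posts permission[] as permission IDs.
        $data = $request->validate([
            'name'         => ['required', 'string', 'max:255', 'unique:roles,name'],
            'permission'   => ['required', 'array', 'min:1'],
            'permission.*' => ['integer', 'distinct', 'exists:permissions,id'],
        ]);

        // Create the role and attach its permissions in one transaction, so a
        // failed sync does not leave a role with no permissions behind.
        DB::transaction(function () use ($data) {
            $role = Role::create(['name' => $data['name']]);

            // Resolve the validated IDs to models so nothing else is attached.
            $permissions = Permission::whereIn('id', $data['permission'])->get();
            $role->syncPermissions($permissions);
        });

        return redirect()->route('roles.index');
    }
}
```

The same rules fit update(), with the unique rule adjusted to ignore the role being edited.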

Editing a Role

To edit a role, you need to retrieve the role, all permissions, and the role’s current permissions:
public function edit($id)
{
    $role = Role::find($id);
    $permission = Permission::get();
    $rolePermissions = DB::table("role_has_permissions")
        ->where("role_has_permissions.role_id", $id)
        ->pluck('role_has_permissions.permission_id','role_has_permissions.permission_id')
        ->all();
    
    return view('roles.editar', compact('role','permission','rolePermissions'));
}
Reference: app/Http/Controllers/RolController.php:77-86

Updating a Role

Update the role name and sync new permissions:
public function update(Request $request, $id)
{
    $this->validate($request, [
        'name' => 'required',
        'permission' => 'required',
    ]);
    
    $role = Role::find($id);
    $role->name = $request->input('name');
    $role->save();
    
    $role->syncPermissions($request->input('permission'));
    
    return redirect()->route('roles.index');
}
Reference: app/Http/Controllers/RolController.php:95-109
The syncPermissions() method automatically removes old permissions and assigns new ones, ensuring the role has exactly the permissions specified.

Deleting a Role

Delete a role from the database:
public function destroy($id)
{
    DB::table('roles')->where('id', $id)->delete();
    return redirect()->route('roles.index');
}
Reference: app/Http/Controllers/RolController.php:117-122
Deleting a role will affect all users assigned to that role. Ensure you reassign users before deleting important roles.
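
The raw DB::table('roles') delete above bypasses the Role model, so Eloquent events do not fire and the package's permission cache is not reset by the delete. The following added example (not the project's code; the controller name and error message are hypothetical) deletes through the model and refuses to remove a role that users still hold, which enforces the reassignment advice in code.

```php
<?php

namespace App\Http\Controllers;

use Spatie\Permission\Models\Role;

// Added example (hypothetical controller name, not the project's RolController).
class RolDestroyExampleController extends Controller
{
    public function destroy($id)
    {
        // findOrFail() answers 404 for an unknown ID instead of silently
        // redirecting as if something had been deleted.
        $role = Role::findOrFail($id);

        // Refuse to delete a role that is still assigned, so users do not
        // lose access as a side effect of the delete.
        if ($role->users()->exists()) {
            return redirect()->route('roles.index')
                ->withErrors(['role' => "Role '{$role->name}' is still assigned to users."]);
        }

        // Deleting through the Eloquent model fires the deleted event, which
        // the package uses to reset its cached permissions.
        $role->delete();

        return redirect()->route('roles.index');
    }
}
```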

Permission System

Permissions are managed using Spatie’s Permission model:
use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;
Reference: app/Http/Controllers/RolController.php:7-8

Database Structure

The permission system uses the following tables:
  • roles - Stores role definitions
  • permissions - Stores permission definitions
  • role_has_permissions - Links roles to permissions
  • model_has_roles - Links users to roles

Routes for Role Management

Role management routes are protected by authentication:
Route::group(['middleware' => ['auth']], function () {
    Route::resource('roles', RolController::class);
});
Reference: routes/web.php:52-53
This creates the following routes:
  • GET /roles - List all roles
  • GET /roles/create - Show create form
  • POST /roles - Store new role
  • GET /roles/{id}/edit - Show edit form
  • PUT /roles/{id} - Update role
  • DELETE /roles/{id} - Delete role

Assigning Roles to Users

Roles are assigned when creating or updating users through the UsuarioController:
// When creating a user
$user = User::create($input);
$user->assignRole($request->input('roles'));
Reference: app/Http/Controllers/UsuarioController.php:72-73
// When updating a user
$user = User::find($id);
$user->update($input);
DB::table('model_has_roles')->where('model_id', $id)->delete();
$user->assignRole($request->input('roles'));
Reference: app/Http/Controllers/UsuarioController.php:131-136
When updating user roles, the system first removes all existing role assignments before assigning new ones to ensure consistency.
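
The manual delete above filters model_has_roles by model_id only, so it would also remove rows that belong to any other model type sharing that ID. An added example (not the project's code; the controller and method names are hypothetical, and it assumes the form posts role names) that validates the input and uses the trait's syncRoles(), which replaces the user's roles through the model's own relation:

```php
<?php

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;

// Added example (hypothetical controller name, not the project's UsuarioController).
class UsuarioRolesExampleController extends Controller
{
    public function updateRoles(Request $request, $id)
    {
        // Assumption: the form posts roles[] as role names.
        $data = $request->validate([
            'roles'   => ['required', 'array', 'min:1'],
            'roles.*' => ['string', 'distinct', 'exists:roles,name'],
        ]);

        $user = User::findOrFail($id);

        // Replaces:
        //   DB::table('model_has_roles')->where('model_id', $id)->delete();
        //   $user->assignRole(...);
        // syncRoles() detaches the current roles via the roles() relation,
        // which is scoped to this model type, and then assigns the new set.
        $user->syncRoles($data['roles']);

        return redirect()->back();
    }
}
```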

Checking Permissions in Controllers

You can protect controller methods using permission middleware:
$this->middleware('permission:ver-rol|crear-rol', ['only'=>['index']]);
This ensures only users with at least one of the listed permissions can access those methods; the | separator means any one of them is sufficient.

Role Display Utilities

The User model includes a helper method to get role colors:
public function getRoleColor($roleName) {
    $role = \Spatie\Permission\Models\Role::where('name', $roleName)->first();
    return $role ? $role->color : null;
}
Reference: app/Models/User.php:57-60

Best Practices

1. Plan Your Permissions

Define clear, granular permissions for each feature (e.g., ver-rol, crear-rol, editar-rol, borrar-rol).

2. Use Middleware Protection

Always protect routes and controller methods with appropriate permission checks.

3. Sync Permissions Carefully

When updating roles, use syncPermissions() to ensure the role has exactly the permissions you intend.

4. Test Permission Changes

After modifying roles or permissions, test with different user accounts to verify access control works correctly.
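
One way to automate that check, as an added example that is not part of the project: a feature test that exercises the permission middleware on the /roles routes. The test class name is hypothetical, and it assumes a User factory exists and that the roles.index view renders for a permitted user.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;
use Tests\TestCase;

// Added example (hypothetical test class); assumes a User factory exists.
class RoleAccessControlTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();
        // Start every test from an empty permission cache.
        app(PermissionRegistrar::class)->forgetCachedPermissions();
        foreach (['ver-rol', 'crear-rol', 'editar-rol', 'borrar-rol'] as $name) {
            Permission::create(['name' => $name]);
        }
    }

    public function test_user_without_role_permissions_is_forbidden(): void
    {
        $user = User::factory()->create();

        $this->actingAs($user)->get('/roles')->assertForbidden();
    }

    public function test_view_only_user_cannot_create_or_delete_roles(): void
    {
        $user = User::factory()->create();
        $user->givePermissionTo('ver-rol');
        $role = Role::create(['name' => 'constructed-role']);

        $this->actingAs($user)->get('/roles')->assertOk();
        $this->actingAs($user)->get('/roles/create')->assertForbidden();
        $this->actingAs($user)->post('/roles', ['name' => 'x', 'permission' => [1]])
            ->assertForbidden();
        $this->actingAs($user)->delete("/roles/{$role->id}")->assertForbidden();

        // The denied DELETE must not have removed the row.
        $this->assertDatabaseHas('roles', ['id' => $role->id]);
    }
}
```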
