Access Permissions in Laravel 4

6

I'm developing a system in Laravel 4 based on Laravel's official tutorials and documentation. I have not seen anything related to access permissions (ACL) in Laravel. Knowing that my system will have several resources available, such as News, Products, User Administration, among others, how could I practically make a page where I enter the permissions per module that each user will have access to?

I think of something where I register permissions (Admin, User, Editor) and then, in the user registration, I link some level. On the other hand, at the time of registering a user I could have checkbox options with the permission types (edit, preview, delete) of each specific module, and select the desired ones for each user. In this case, I would choose to give individual permissions per user or select a specific level for that user.

Does anyone have any basis that I could follow to develop this feature?

    
asked by anonymous 07.02.2014 / 13:46

1 answer

6

You can try Sentry 2 - a robust solution for authentication, authorization, and ACL. This library started as a Laravel bundle, but evolved into a package that can be installed in other frameworks. Here is the specific link for integration with Laravel 4:

link

And follow the link to the permissions documentation:

link

If you prefer to build your own solution instead of using a ready-made one, my suggestion is to use three tables:

  • Your Users table.
  • A table of actions.
  • A many-to-many connection table linking the two ("users")

You may also want to consider:

  • A table of levels.
  • A many-to-many connection table linking tiers with actions ("tiers")

In this case, you can either delete the table "users_auts" and save only an "id_level" in the "users" table, applying only level permissions ... or keep the "user_users" table and apply a level to a user - which would copy actions from "level" to "user", but still allowing individual fine-tuning. This would be the most robust version.

You will have the job of defining actions in the "actions" table, and defining which actions each "level" can perform and/or which actions each user can perform.

In addition to the structure and storage in the database, you will need some filter or other mechanism that checks whether or not the user is allowed to perform a certain action.

And, to a finer degree, you may want the interface itself to display or hide interaction elements, based on permissions.

I've already assembled a CMS with all that I'm describing above - each user sees only the options in the menu and the buttons of the actions that are allowed. It was really cool. Of course, on the backend the system checks the permissions - because if the difference is only in the interface, a user would be able to successfully forge an HTTP request for an action that he is not allowed to perform.

I went further: a user who has permission to give / remove permissions from other users can only "delegate" those actions that he himself has permission to execute. In the interface, made in ExtJS, a "checkbox-tree" appears, where you can mark / unmark a whole group of actions at once, or each one individually ...

Here are the tips and comments.

        
    07.02.2014 / 16:40
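The server-side check and the delegation rule described in the answer above, as an added example in plain PHP that is not part of the original answer. In-memory arrays stand in for the database tables; every action, level and user name, including the `users.grant` action, is hypothetical, and a level's actions are combined with individual grants at check time rather than copied onto the user.

```php
<?php
// Constructed sample data standing in for the tables described above.
$levelActions = array(            // join table: level -> actions
    'admin'  => array('news.view', 'news.edit', 'news.delete', 'users.grant'),
    'editor' => array('news.view', 'news.edit'),
);
$users = array(                   // users table: level plus individual grants
    'alice' => array('level' => 'admin',  'actions' => array()),
    'bob'   => array('level' => 'editor', 'actions' => array('users.grant')),
    'carol' => array('level' => null,     'actions' => array('news.view')),
);

// Effective permissions = actions of the user's level + individual grants.
function effectiveActions(array $users, array $levelActions, $name)
{
    if (!isset($users[$name])) {
        return array();           // unknown user: deny by default
    }
    $u = $users[$name];
    $fromLevel = ($u['level'] !== null && isset($levelActions[$u['level']]))
        ? $levelActions[$u['level']] : array();
    return array_values(array_unique(array_merge($fromLevel, $u['actions'])));
}

// Backend check to run before every protected action, whatever the UI shows.
function can(array $users, array $levelActions, $name, $action)
{
    return in_array($action, effectiveActions($users, $levelActions, $name), true);
}

// Delegation: the grantor needs 'users.grant' and can pass on only actions
// he holds himself. Returns the actions granted; the rest are refused.
function delegate(array &$users, array $levelActions, $grantor, $target, array $requested)
{
    if (!isset($users[$target]) || !can($users, $levelActions, $grantor, 'users.grant')) {
        return array();
    }
    $held = effectiveActions($users, $levelActions, $grantor);
    $allowed = array_values(array_intersect($requested, $held));
    $users[$target]['actions'] = array_values(array_unique(
        array_merge($users[$target]['actions'], $allowed)));
    return $allowed;
}

// bob (editor with users.grant) asks to give carol one action he holds
// and one he does not; then carol's resulting permissions are listed.
var_dump(delegate($users, $levelActions, 'bob', 'carol', array('news.edit', 'news.delete')));
var_dump(effectiveActions($users, $levelActions, 'carol'));
var_dump(can($users, $levelActions, 'carol', 'news.delete'));
```

In a Laravel 4 application the `can()` check would sit in a route filter or at the top of the controller action, with the arrays replaced by queries against the tables.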