Working with Vanguard Permissions

Vanguard comes with some default permissions but, if some of them does not fit your needs, they can be easily modified. Adding new permissions is a breeze too.

In this example we will add 3 more different permissions: View User, Edit User and Remove User. Those permissions will allow us to have some users be able to access the users section, but some of them won't be able to do anything else than to edit user or view their profiles.

Creating Permissions

All permissions can be created through the UI, like it is explained in roles and permissions section.

Created permissions for this example have have following details:

Display Name Name
View User user.view
Edit User user.edit
Remove User user.remove

Updating View Template

Now, since we have those permissions created, we need to update the view that is used for displaying users list. The HTML used for displaying the list of users is located inside resources/views/user/list.blade.php view file.

Our goal is to display buttons for editing, viewing or removing some user only if currently logged in user has the appropriate permission. In order to display something based on user's permissions, we just have to surround that HTML with following Blade directives:

@permission('user.view')
    // Anything here will be displayed only
    // if currently logged in user has "user.view" permission
@endpermission

So, to apply this to our use-case, we will surround those buttons like following:

@permission('user.view')
    <a href="{{ route('user.show', $user->id) }}" 
       class="btn btn-success btn-circle"
       title="View User" data-toggle="tooltip" data-placement="top">
       <i class="glyphicon glyphicon-eye-open"></i>
    </a>
@endpermission

// Do the same for all 3 buttons

Since view is now updated, if you access the yourdomain.com/user URL, you won't see those buttons for viewing, editing and removing users. But, as you probably already guessed, you are still able to edit some user by directly accessing the following URL yourdomain.com/user/USER_ID/edit. That's because the process is not completed yet, and you have to update your routes or controller.

Applying the Permissions

Removing the buttons from users list is not actually protecting the application. If users type a specific URL directly in the browser's address bar, they will be able to access the desired page. In order to protect this, we have to apply permission middleware.

This can be done in two ways. We can update the controller and add middleware directly inside the controller's constructor, or we can update routes/web.php file and apply middleware to a specific route.

In this example, we will add the permission middleware inside the UsersController. If you want to learn more about adding middleware on the route level, please check Laravel's documentation.

Updating UsersController

One way to protect our pages and make them available only for users with specific permissions is to add middleware directly to the controller's constructor. For our example, we have to edit app/Http/Controllers/Web/Users/UsersController.php controller and add the following code inside its __construct method:

$this->middleware('permission:user.view', ['only' => 'show']);

$this->middleware('permission:user.edit', ['only' => 'edit']);

$this->middleware('permission:user.remove', ['only' => 'destroy']);

After applying middleware to the controller's methods (theĀ only option provided as the second argument means that permission middleware should only be applied to specified methods inside the controller), Vanguard will throw 403 Forbidden exceptions whenever someone tries to access the protected URL, and it will make that part of the system available only for users with appropriate permissions.

NOTE: This is just an example. Make sure that you add the permissions to other controllers inside the "app/Http/Controllers/Web/Users" folder to make sure that only users with specific permissions can be able directly send some HTTP requests to the any of the routes tied to those controllers and bypass the permissions check.