This package adds a bouncer at Laravel's access gate.
Note: If you are upgrading from an earlier version of Bouncer, be sure to checkout the upgrade guide.
Bouncer provides a mechanism to handle roles and abilities in Laravel's ACL. With an expressive and fluent syntax, it stays out of your way as much as possible: use it when you want, ignore it when you don't.
For a quick, glanceable list of Bouncer's features, check out the cheat sheet.
Bouncer works well with other abilities you have hard-coded in your own app. Your code always takes precedence: if your code allows an action, the bouncer will not interfere.
Once installed, you can simply tell the bouncer what you want to allow at the gate:
// Give a user the ability to create posts
Bouncer::allow($user)->to('create', Post::class);
// Alternatively, do it through a role
Bouncer::allow('admin')->to('create', Post::class);
Bouncer::assign('admin')->to($user);
// You can also grant an ability only to a specific model
Bouncer::allow($user)->to('edit', $post);
When you check abilities at the gate, the bouncer will be consulted first. If he sees an ability that has been granted to the current user (whether directly, or through a role) he'll authorize the check.
Simply install the bouncer package with composer:
$ composer require silber/bouncer
Once the composer installation completes, you can add the service provider and alias the facade. Open config/app.php
, and make the following changes:
- Add a new item to the
providers
array:
Silber\Bouncer\BouncerServiceProvider::class,
- Add a new item to the
aliases
array:
'Bouncer' => Silber\Bouncer\BouncerFacade::class,
This part is optional. If you don't want to use the facade, you can skip step 2.
- Add the bouncer's trait to your user model:
use Silber\Bouncer\Database\HasRolesAndAbilities;
class User extends Model
{
use HasRolesAndAbilities;
}
- Now, to run the bouncer's migrations, first publish the package's migrations into your app's
migrations
directory, by running the following command:
php artisan vendor:publish --tag="bouncer.migrations"
- Finally, run the migrations:
php artisan migrate
Whenever you use the Bouncer
facade in your code, remember to add this line to your namespace imports at the top of the file:
use Bouncer;
For more information about Laravel Facades, refer to the Laravel documentation.
All queries executed by the bouncer are cached for the current request. For better performance, you may want to use cross-request caching. To enable cross-request caching, add this to your AppServiceProvider
's boot
method:
Bouncer::cache();
Warning: if you enable cross-request caching, you are responsible to refresh the cache whenever you make changes to user's abilities/roles. For how to refresh the cache, read refreshing the cache.
The table structure in Bouncer 1.0 has changed significantly. To upgrade, you'll have to update your database schema to the new structure.
If your app has not made it to production yet and you can still rollback your migrations, do that. Once you've rolled back all migrations, you can delete the Bouncer migration file and republish it to get the newer version:
php artisan vendor:publish --provider="Silber\Bouncer\BouncerServiceProvider" --tag="migrations"
For apps that are in production and already have real data in the database, Bouncer ships with an upgrade migration file which will migrate your schema and your data to the new structure.
Remember: Before migrating, be sure to run a full backup of your database! If anything goes wrong, you'll want to be able to restore from your backup.
After updating to Bouncer 1.0 through composer, run the following command:
php artisan bouncer:upgrade
This will create a new migration file under database/migrations
, and will automatically call artisan's migrate
command to migrate the database.
Congratulations, you're done with your upgrade!
If you have previously changed Bouncer's default table names, you will have to change them in this migration file. To prevent the bouncer:upgrade
command from actually migrating your database, call it with the no-migrate
flag:
php artisan bouncer:upgrade --no-migrate
This will create the migration file, but will not actually migrate the database. You can now manually edit the migration file to make any changes you need. After you've made the necessary changes, remember to run the php artisan migrate
command yourself.
Adding roles and abilities to users is made extremely easy. You do not have to create a role or an ability in advance. Simply pass the name of the role/ability, and Bouncer will create it if it doesn't exist.
Note: the examples below all use the
Bouncer
facade. If you don't like facades, you can instead inject an instance ofSilber\Bouncer\Bouncer
into your class.
Let's create a role called admin
and give it the ability to ban-users
from our site:
Bouncer::allow('admin')->to('ban-users');
That's it. Behind the scenes, Bouncer will create both a Role
model and an Ability
model for you.
To now give the admin
role to a user, simply tell the bouncer that the given user should be assigned the admin role:
Bouncer::assign('admin')->to($user);
Alternatively, you can call the assign
method directly on the user:
$user->assign('admin');
Sometimes you might want to give a user an ability directly, without using a role:
Bouncer::allow($user)->to('ban-users');
Here too you can accomplish the same directly off of the user:
$user->allow('ban-users');
Sometimes you might want to restrict an ability to a specific model type. Simply pass the model name as a second argument:
Bouncer::allow($user)->to('edit', Post::class);
If you want to restrict the ability to a specific model instance, pass in the actual model instead:
Bouncer::allow($user)->to('edit', $post);
The bouncer can also retract a previously-assigned role from a user:
Bouncer::retract('admin')->from($user);
Or do it directly on the user:
$user->retract('admin');
The bouncer can also remove an ability previously granted to a user:
Bouncer::disallow($user)->to('ban-users');
Or directly on the user:
$user->disallow('ban-users');
Note: if the user has a role that allows them to
ban-users
they will still have that ability. To disallow it, either remove the ability from the role or retract the role from the user.
If the ability has been granted through a role, tell the bouncer to remove the ability from the role instead:
Bouncer::disallow('admin')->to('ban-users');
To remove an ability for a specific model type, pass in its name as a second argument:
Bouncer::disallow($user)->to('delete', Post::class);
Warning: if the user has an ability to
delete
a specific$post
instance, the code above will not remove that ability. You will have to remove the ability separately - by passing in the actual$post
as a second argument - as shown below.
To remove an ability for a specific model instance, pass in the actual model instead:
Bouncer::disallow($user)->to('delete', $post);
Note: Generally speaking, you should not have a need to check roles directly. It is better to allow a role certain abilities, then check for those abilities instead. If what you need is very general, you can create very broad abilities. For example, an
access-dashboard
ability is always better than checking foradmin
oreditor
roles directly. For the rare occasion that you do want to check a role, that functionality is available here.
The bouncer can check if a user has a specific role:
Bouncer::is($user)->a('moderator');
If the role you're checking starts with a vowel, you might want to use the an
alias method:
Bouncer::is($user)->an('admin');
For the inverse, you can also check if a user doesn't have a specific role:
Bouncer::is($user)->notA('moderator');
Bouncer::is($user)->notAn('admin');
You can check if a user has one of many roles:
Bouncer::is($user)->a('moderator', 'editor');
You can also check if the user has all of the given roles:
Bouncer::is($user)->all('editor', 'moderator');
You can also check if a user has none of the given roles:
Bouncer::is($user)->notAn('editor', 'moderator');
These checks can also be done directly on the user:
$user->isAn('admin');
$user->isA('subscriber');
$user->isNotAn('admin');
$user->isNotA('subscriber');
$user->isAll('editor', 'moderator');
You can get all abilities for a user directly from the user model:
$abilities = $user->getAbilities();
This will return a collection of the user's abilities, including any abilities granted to the user through their roles.
Authorizing users is handled directly at Laravel's Gate
, or on the user model ($user->can($ability)
).
For convenience, the bouncer class provides two passthrough methods:
Bouncer::allows($ability);
Bouncer::denies($ability);
These call directly into the Gate
class.
Bouncer does not add its own blade directives. Since Bouncer works directly with Laravel's gate, simply use its @can
directive to check for the current user's abilities:
@can ('update', $post)
<a href="{{ route('post.update', $post) }}">Edit Post</a>
@endcan
Since checking for roles directly is generally not recommended, Bouncer does not ship with a separate directive for that. If you still insist on checking for roles, you can do so using the general @if
directive:
@if ($user->isAn('admin'))
//
@endif
All queries executed by the bouncer are cached for the current request. If you enable cross-request caching, the cache will persist across different requests.
Whenever you need, you can fully refresh the bouncer's cache:
Bouncer::refresh();
Note: fully refreshing the cache for all users uses cache tags if they're available. Not all cache drivers support this. Refer to Laravel's documentation to see if your driver supports cache tags. If your driver does not support cache tags, calling
refresh
might be a little slow, depending on the amount of users in your system.
Alternatively, you can refresh the cache only for a specific user:
Bouncer::refreshFor($user);
// Adding abilities for users
Bouncer::allow($user)->to('ban-users');
Bouncer::allow($user)->to('edit', Post::class);
Bouncer::allow($user)->to('delete', $post);
Bouncer::allow($user)->everything();
Bouncer::allow($user)->toManage(Post::class);
Bouncer::allow($user)->toManage($post);
Bouncer::allow($user)->toAlways('view');
Bouncer::allow($user)->toOwn(Post::class);
Bouncer::allow($user)->toOwnEverything();
// Removing abilities uses the same syntax, e.g.
Bouncer::disallow($user)->to('delete', $post);
Bouncer::disallow($user)->toManage(Post::class);
Bouncer::disallow($user)->toOwn(Post::class);
// Adding & removing abilities for roles
Bouncer::allow('admin')->to('ban-users');
Bouncer::disallow('admin')->to('ban-users');
// Assigning & retracting roles from users
Bouncer::assign('admin')->to($user);
Bouncer::retract('admin')->from($user);
$check = Bouncer::allows('ban-users');
$check = Bouncer::allows('edit', Post::class);
$check = Bouncer::allows('delete', $post);
$check = Bouncer::denies('ban-users');
$check = Bouncer::denies('edit', Post::class);
$check = Bouncer::denies('delete', $post);
$check = Bouncer::is($user)->a('subscriber');
$check = Bouncer::is($user)->an('admin');
$check = Bouncer::is($user)->notA('subscriber');
$check = Bouncer::is($user)->notAn('admin');
$check = Bouncer::is($user)->a('moderator', 'editor');
$check = Bouncer::is($user)->all('moderator', 'editor');
Bouncer::cache();
Bouncer::dontCache();
Bouncer::refresh();
Bouncer::refreshFor($user);
Some of this functionality is also available directly on the user model:
$user->allow('ban-users');
$user->allow('edit', Post::class);
$user->allow('delete', $post);
$user->disallow('ban-users');
$user->disallow('edit', Post::class);
$user->disallow('delete', $post);
$user->assign('admin');
$user->retract('admin');
$check = $user->isAn('admin');
$check = $user->isAn('editor', 'moderator');
$check = $user->isAll('moderator', 'editor');
$check = $user->isNot('subscriber', 'moderator');
$abilities = $user->getAbilities();
Bouncer is open-sourced software licensed under the MIT license