kodeine/laravel-acl

Permissions slug

eleftrik opened this issue · 1 comments

I can't fully understand permissions slug.
Let's pretend I've got to manage a single permission, for example 'create users', which I could attach to a role or to a single user.
I would expect to have, as slug, something like create.users (like romanbican/roles does: https://github.com/romanbican/roles).
Instead, I have a single permission, e. g. users, with its ID, with a slug containing multiple properties, e. g. {"create": true,"delete": false,"update": false}.
But, this way, isn't this single ID representing multiple permissions?
How can I attach a single "verb" (e. g. user.delete) to a specific role or user?
Thank you.

@eleftrik
Here is how I do that.

// Roles.

define('ROLE_ADMIN', 'admin');
define('ROLE_SITE_MANAGER', 'site-manager');
define('ROLE_MODERATOR', 'moderator');

$roles = [
    [
        'name'        => 'Admin',
        'slug'        => ROLE_ADMIN,
        'description' => 'Full access to website',
    ],
    [
        'name'        => 'Site Manager',
        'slug'        => ROLE_SITE_MANAGER,
        'description' => 'Access to certain website functions',
    ],
    [
        'name'        => 'Moderator',
        'slug'        => ROLE_MODERATOR,
        'description' => 'Access to posts',
    ],
];
foreach ($roles as $role_definition) {
    $role = new Role();
    $role->create($role_definition);
}

// Permissions.

// Main permissions (for admin and inheritance).
$permissions = [
    [
        'name'        => 'user',
        'slug'        => [
            'create'       => true,
            'view'         => true,
            'update'       => true,
            'delete'       => true,
            'change.image' => true,
        ],
        'description' => 'Manage users'
    ],
    [
        'name'        => 'post',
        'slug'        => [
            'create'            => true,
            'view'              => true,
            'update'            => true,
            'delete'            => true,
            'send.notification' => true,
        ],
        'description' => 'Manage posts'
    ],
];
$ps          = $permissions;
$permissions = [ ];
foreach ($ps as $definition) {
    $permission                       = new Permission();
    $permission                       = $permission->create($definition);
    $permissions[$definition['name']] = $permission->getKey();
}

// Other permissions.
$other_permissions = [
    // Site Manager.
    [
        'name'        => 'user.site-manager',
        'slug'        => [
            // An array of permissions only for Site Manager (overwriting inherited permissions)
            'create'       => false,
            'update'       => false,
            'delete'       => false,
            'change.image' => false,
        ],
        // We use permission inheriting.
        'inherit_id'  => $permissions['user'],
        'description' => 'Manage users (Site Manager)'
    ],
    [
        'name'        => 'post.site-manager',
        'slug'        => [
            // An array of permissions only for Site Manager (overwriting inherited permissions)
            'update'            => false,
            'delete'            => false,
            'send.notification' => false,
        ],
        // We use permission inheriting.
        'inherit_id'  => $permissions['post'],
        'description' => 'Manage posts (Site Manager)'
    ],

    // Moderator.
    [
        'name'        => 'post.moderator',
        'slug'        => [
            // An array of permissions only for Moderator (overwriting inherited permissions)
            // He have all permissions enabled by-default though.
        ],
        // We use permission inheriting.
        'inherit_id'  => $permissions['post'],
        'description' => 'Manage posts (Moderator)'
    ],

];
$ps                = $other_permissions;
$other_permissions = [ ];
foreach ($ps as $definition) {
    $permission                             = new Permission();
    $permission                             = $permission->create($definition);
    $other_permissions[$definition['name']] = $permission->getKey();
}

// Role Permissions.
$role_permissions = [
    ROLE_ADMIN        => [
        'user',
        'post',
    ],
    ROLE_SITE_MANAGER => [
        'user.site-manager',
        'post.site-manager',
    ],
    ROLE_MODERATOR    => [
        'post.moderator',
    ],
];

foreach ($role_permissions as $role_slug => $permissions) {
    $role = Role::where('slug', $role_slug)->first();
    $role->assignPermission($permissions);
}

We have three roles for different purposes. Then we have created two permission sets for users and posts. That way we can inherit them and assign these inherited permissions to certain roles. In my opinion, that allows you to reuse permissions and have much less database queries because slug is just a simple string that could be cached easily. Of course, you can create permissions with a single slug value, but I think that would be ineffective.

You can also assign certain permissions to users directly like that:

$user = User::first();

// create crud permissions
// create.user, view.user, update.user, delete.user
// returns false if alias exists.
$user->addPermission('user');

// update permission on user alias
// set its permission to false
$user->addPermission('update.user', false);
$user->addPermission('view.phone.user', true);

// pass permissions array to user alias
$user->addPermission('user', [
     'view.phone' => true, 
     'view.blog' => false
]);

See wiki.