Simple rules for writing authorization logic

A little bit of structure goes a long way

Joel Clermont
2024-02-19

Laravel doesn't really enforce any particular structure when it comes to organizing your authorization logic.

To keep things consistent, here are some simple rules I follow:

  • Use the fantastic spatie/laravel-permission package; don't hand-roll your own logic
  • Assign permissions to roles, not to individual users
  • Assign roles to users
  • Always check permissions, never check roles
  • The roles/permissions mapping should be set up in data migrations, not dynamically managed through the UI
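
The rules above in working form, as an added example that is not code from the original post: a data migration that sets up the roles/permissions mapping with spatie/laravel-permission, and a policy that checks a permission rather than a role. The role and permission names, the `ArticlePolicy` class and the `App\Models` classes are assumed for illustration; in a real app the migration and the policy live in two separate files.

```php
<?php
// Added example, not code from the original post. Assumes spatie/laravel-permission
// is installed with its tables migrated; role and permission names are illustrative.

use App\Models\Article;
use App\Models\User;
use Illuminate\Database\Migrations\Migration;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;

// Rule 5: the roles/permissions mapping lives in a data migration, so it is
// versioned, code-reviewed, and identical in every environment.
class SetUpArticleRolesAndPermissions extends Migration
{
    // Rules 2 and 3: permissions hang off roles; users only ever get a role.
    private array $map = [
        'editor'   => ['view articles', 'edit articles', 'publish articles'],
        'reviewer' => ['view articles'],
    ];

    public function up(): void
    {
        // Drop the package's permission cache so the new rows are seen at once.
        app(PermissionRegistrar::class)->forgetCachedPermissions();

        foreach (array_unique(array_merge(...array_values($this->map))) as $name) {
            Permission::findOrCreate($name);
        }

        foreach ($this->map as $role => $permissions) {
            // syncPermissions() keeps the migration idempotent: re-running it
            // leaves the role with exactly this set, nothing extra.
            Role::findOrCreate($role)->syncPermissions($permissions);
        }
    }
}

// Rule 4: check the permission, never the role. A new role that may edit
// articles is then a data change (one more row in the map), not a code change.
class ArticlePolicy
{
    public function update(User $user, Article $article): bool
    {
        return $user->can('edit articles');
        // Not: return $user->hasRole('editor'); that hard-codes role names in code.
    }
}
```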

Your mileage may vary. If you're building a super large app, have specialized authorization needs, or are releasing an open source project, you might not be able to follow all these rules.

But in our typical app, every time I've strayed from these rules, it's become a mess and introduced unnecessary complexity.

Here to help,

Joel

P.S. Curious why we don't like managing the roles/permissions through the UI? We discuss in more detail on this podcast episode.
