Laravel doesn't really enforce any particular structure when it comes to organizing your authorization logic.
To keep things consistent, here are some simple rules I follow:
- Use the fantastic spatie/laravel-permission package, don't hand roll your own logic
- Assign permissions to roles, not to individual users
- Assign roles to users
- Always check permissions, never check roles
- The roles/permissions mapping should be set up in data migrations, not managed dynamically through the UI
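As an added example (not code from the post), here is what rules two, three and five look like in practice: a Laravel data migration that defines the roles-to-permissions mapping in one place using spatie/laravel-permission. It assumes the package is installed and its own table migration has already run; the role and permission names ("editor", "edit articles", and so on) are hypothetical.

```php
<?php
// Added example: roles -> permissions mapping as a data migration.
// Assumes spatie/laravel-permission is installed; names below are hypothetical.

use Illuminate\Database\Migrations\Migration;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;

return new class extends Migration
{
    // Permission names keyed by role. This array is the single source of truth
    // for who may do what; nothing in the UI edits it.
    private const ROLE_PERMISSIONS = [
        'editor'    => ['view articles', 'edit articles'],
        'publisher' => ['view articles', 'edit articles', 'publish articles'],
    ];

    public function up(): void
    {
        // Drop the package's permission cache so the new rows are seen immediately.
        app(PermissionRegistrar::class)->forgetCachedPermissions();

        foreach (self::ROLE_PERMISSIONS as $roleName => $permissionNames) {
            $permissions = array_map(
                fn (string $name) => Permission::firstOrCreate(['name' => $name]),
                $permissionNames
            );

            // Permissions are attached to the role, never directly to a user;
            // syncPermissions() also removes any that are no longer listed.
            Role::firstOrCreate(['name' => $roleName])->syncPermissions($permissions);
        }
    }

    public function down(): void
    {
        app(PermissionRegistrar::class)->forgetCachedPermissions();

        Role::whereIn('name', array_keys(self::ROLE_PERMISSIONS))->delete();
        Permission::whereIn('name', array_merge(...array_values(self::ROLE_PERMISSIONS)))->delete();
    }
};
```

With the mapping in place, users only get `$user->assignRole('editor')`, and application code gates on the capability (`$user->can('publish articles')`) rather than on the role (`$user->hasRole('publisher')`), so re-mapping a role later needs only a new migration, not a hunt through every check.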
Your mileage may vary. If you're building a super large app, have specialized authorization needs, or are releasing an open source project, you might not be able to follow all these rules.
But in our typical app, every time I've strayed from these rules, it's become a mess and introduced unnecessary complexity.
Here to help,
Joel
P.S. Curious why we don't like managing the roles/permissions through the UI? We discuss in more detail on this podcast episode.