Awesome Open Source


Eloquent Guardian

Eloquent Guardian is a simple permissions system for your users. While there are many other packages for permissions, this one solves everything in the most eloquent way.


Install the package:

$ composer require rennokki/guardian

If your Laravel version does not support package discovery, add this line in the providers array in your config/app.php file:


Publish the config file & migration files:

$ php artisan vendor:publish

Migrate the database:

$ php artisan migrate

Add the HasPermissions trait to your Eloquent model:

use Rennokki\Guardian\Traits\HasPermissions;

class User extends Model {
    use HasPermissions;
}

Types of permissions

  • String Type is just a string; it is not related to any model. It is good for permissions that control access to abilities or features.
  • Global Type is related to a model, but not to a specific one. It can control any model with any ID if set.
$user->allow('edit', Post::class);
  • Global Specific Type is related to a specific model. It cannot control any other model than this specific one.
$user->allow('edit', App\Post::class, 'post_id_here');

Checking permissions

You can check permissions within the model using can(), cannot() or cant().

$user->cant('sell.products'); // alias to cannot()

If your user has a permission for an action on a model, that permission applies to any instance of that model, with any ID.

$user->allow('view', \App\Flight::class);
$user->can('view', \App\Flight::class, 1); // true, can view flight with ID 1

Allowing and Unprohibiting permissions

Allowing or Unprohibiting a permission grants access to it.

$user->unprohibit('cloning'); // same as allow

Disallowing and Prohibiting permissions

Disallowing or Prohibiting permissions can be done at any time. The result will always be the same: access is denied.

$user->prohibit('commenting'); // same as disallow

Global Type over Specific Type

Let's say you have a Post class and the user is allowed to edit or delete only his own posts. With the grants below, a check for the Global Type returns false, while a check for the Specific Type on his own post returns true.

$user->allow('edit', Post::class, 'his_post_id');
$user->allow('delete', Post::class, 'his_post_id');

$user->can('edit', Post::class); // false
$user->can('edit', Post::class, 'his_post_id'); // true

If you allow the user to edit Post::class, the user will be able to edit any post, with any ID.

$user->allow('edit', Post::class);
$user->can('edit', Post::class, 1); // true


You can use the methods within the model as-is, or you can use a middleware to filter permissions for the current authenticated user.

For this, add the middleware to the $routeMiddleware array in app\Http\Kernel.php:

'guardian' => \Rennokki\Guardian\Middleware\CheckPermission::class,

You can use it in your routes to filter permissions automatically and throw specific exceptions when something occurs.

  • String Middleware
Route::get('/admin', '[email protected]')->middleware('guardian:access.dashboard');
  • Global Type
Route::post('/admin/products', '[email protected]')->middleware('guardian:create,App\Product');
  • Global Specific Type
Route::patch('/admin/{post_id}', '[email protected]')->middleware('guardian:edit,App\Post,post_id');

Note: Instead of putting a specific Post ID, you only have to indicate the name of the route parameter that holds the ID of that model in the route URL.

  • Rennokki\Guardian\Exceptions\PermissionException, if the authenticated user doesn't have permissions.
  • Rennokki\Guardian\Exceptions\RouteException, if the passed route parameter is non-existent.

You can access the permission(), modelType() and modelIdPlaceholder() methods on the exception to handle it further.
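One way to handle the two exceptions above in a Laravel exception handler, so that denials are logged for review and the client receives only a generic 403. This is an added example, not code from the Guardian project. It assumes a stock App\Exceptions\Handler and that the three accessors are available on PermissionException; the log message names and the guardianRequestContext() helper are hypothetical.

```php
<?php
// app/Exceptions/Handler.php (added example, not Guardian's own code).
// Assumes a stock Laravel application and the accessors named in the README.
namespace App\Exceptions;

use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Support\Facades\Log;
use Rennokki\Guardian\Exceptions\PermissionException;
use Rennokki\Guardian\Exceptions\RouteException;

class Handler extends ExceptionHandler
{
    // Parameter types are omitted so the override stays compatible with
    // both the Exception-typed and Throwable-typed parent signatures.
    public function render($request, $e)
    {
        if ($e instanceof PermissionException) {
            // Authorization denial: record who was refused which permission.
            Log::warning('guardian.denied', $this->guardianRequestContext($request) + [
                'permission'  => $e->permission(),
                'model_type'  => $e->modelType(),
                'placeholder' => $e->modelIdPlaceholder(),
            ]);

            // Generic body: do not reveal the permission name to the client.
            return response('Forbidden', 403);
        }

        if ($e instanceof RouteException) {
            // The middleware names a route parameter the route does not have.
            // That is a configuration fault, so log it as an error and fail closed.
            Log::error('guardian.route_parameter_missing', $this->guardianRequestContext($request));

            return response('Forbidden', 403);
        }

        return parent::render($request, $e);
    }

    // Hypothetical helper: request fields useful when reviewing denials.
    private function guardianRequestContext($request)
    {
        return [
            'user_id' => optional($request->user())->getKey(), // null for guests
            'ip'      => $request->ip(),
            'method'  => $request->method(),
            'path'    => $request->path(),
        ];
    }
}
```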
