如何在内置的Laravel身份验证的基础上构建特权系统?
I need to build some type of privileges system where I can control who can perform what on my app. I have seen many ready packages online, but none that stood out where I can utilize it to handle my needs without hard coding my permissions/templates.
My thoughts are to create a Middleware that will do an authentication against the logged in use. If I have the following routes
Route::get('accounts', array(
'as' => 'accounts_index_path',
'uses' => 'AccountController@index')
);
Route::get('account/create', array(
'as' => 'account_create_path',
'uses' => 'AccountController@create')
);
Route::post('account/store', array(
'as' => 'account_store_path',
'uses' => 'AccountController@store')
);
Route::get('account/{account}', array(
'as' => 'account_show_path',
'uses' => 'AccountController@show')
)->where('account', '[0-9]+');
Route::get('account/{account}/edit', array(
'as' => 'account_edit_path',
'uses' => 'AccountController@edit')
)->where('account', '[0-9]+');
Route::put('account/{account}/update', array(
'as' => 'account_update_path',
'uses' => 'AccountController@update')
)->where('account', '[0-9]+');
Route::delete('account/{account}', array(
'as' => 'account_destroy_path',
'uses' => 'AccountController@destroy')
)->where('account', '[0-9]+');
In theory, I should be able to give a user access to the following route names "account_store_path", "'account_create_path", "accounts_index_path" ...
Perhaps, if I don't want a user to access a specific route then I will not give them permissions.
In theory this should work, but I want to have more robust system where I can give a user access to edit a record but not for all fields. For example I want a user with a "manager" role to be able to change the account name, account owner but I don't want a user with a "standard" role to edit these field but I want the standard user to be able to update the notes fields and other fields.
Just to be clear, I understand I will probably need to create a template with all the allowed permissions and then assign uses to the correct template.
I need help trying to design the best approach for such a privilege system when I have power over who can update what.
Question How can I allow/disallow a user to update some fields but not others?
It is possible to build Roles in Laravel. There is a video tutorials to build your own Roles system on to of the User Authentication. Follow this link https://laracasts.com/lessons/users-and-roles It is done for Laravel 4.2 but with minor change you should be able to make it for Laravel 5.x. I have did it on 4.2, 5.0 and 5.1 it works. When you finish you make groups like admin, super users, update users etc. depending on your privilege structure gives different group different rights.
A couple of links regarding this topic to read:
https://laracasts.com/discuss/channels/laravel/which-package-is-best-for-roles-permissions/?page=2
https://laracasts.com/discuss/channels/general-discussion/users-and-roles-1
EDIT
I have answered another question in more details, it might be relevant to look at it also:
Laravel 5.1 multiple authentication