I'm working with Laravel 8.5 and I wanted to develop my own ACL.

So I made this ManyToMany relationship between Permission & User models:

User.php:

public function permissions()
    {
        return $this->belongsToMany(Permission::class);
    }

Permission.php:

public function users()
    {
        return $this->belongsToMany(User::class);
    }

Then I have inserted this custom permission into permissions table:

And then inserted this also into the pivot table pemrission_user:

Then at web.php, I tried this:

Route::get('/', function () {
    $user = auth()->user();
    // dd($user->permissions()->get());
    if(Gate::allows('edit-user')){
        dd(2);
    }else{
        dd(1);
    }
});

So I tried checking if the logged in user has the permission edit-user, then shows 2 as result but now it returns 1 somehow, meaning that user has not this permission!

However if I uncomment dd($user->permissions()->get());, I can see this:

So as it shows user already has this edit-user permission but I don't why the Gate does not authorize user in this case.

So if you know, I beg you to help me cause I really don't know how to solve this...

CodePudding user response：

You need to define edit-user for your Gate as well because your permission model means nothing to the Gate at the moment.

Gate::define('edit-user', function (User $user) {
    return $user->permissions()->whereName('edit-user')->exists();
});

More information can be found here: https://laravel.com/docs/8.x/authorization#writing-gates

Otherwise, you can use policies:

class UserPolicy
{
    public function update(User $user)
    {
        return $user->permissions()->whereName('edit-user')->exists();
    }
}

And then to allow the user:

$user->can('update', User::make());

More information about policies can be found here: https://laravel.com/docs/master/authorization#creating-policies

There's also an open source package called laravel-permission made by Spatie that you can have a look at to learn more.