Access Control with Laratrust – WordPress-Like Blog Laravel 5.7 and AdminLTE 3 (17)

To make the application more secure, we need to limit what each user is permitted to do. We will implement this as an access control list (ACL) based on role-based access control (RBAC): each user is assigned a role, and each role carries a set of permissions.

In this seventeenth part of creating a WordPress-like blog using Laravel 5.7 and AdminLTE 3, we will:

  1. Create Access Control List
  2. Install Laratrust and Configure ACL Package
  3. Attach the Roles to Users
  4. Secure the Backend with the ACL
  5. Secure the Client Side

Create Access Control List

In our application we will have the following roles: the administrator, the editor, and the author. The administrator has full access and is able to manage posts, categories, and users.

The editor has access to manage categories and posts, but not users.

The author only has access to manage the posts they wrote themselves.

Install Laratrust and Configure ACL Package

First, we need to install Laratrust. From the terminal, type the installation command and wait until the installation has finished:

Open config/app.php and add these two lines inside the Providers and Aliases sections, respectively:

Next, publish the package configuration by typing this command:

Two new files will appear inside the config folder: laratrust.php and laratrust_seeder.php.

Next, generate the Laratrust migration that creates the tables the package needs:

This creates a new migration file, laratrust_setup_tables.php, inside the database/migrations folder.

Run the php artisan migrate command to create those tables. The tables created are roles, permissions, role_user, permission_user, and permission_role.

Create two new models, Role and Permission, inside the App directory.

Change Role.php to:

Change Permission.php to:

Modify the User.php model to include LaratrustTrait:

Attach The Roles to Users

We will create three roles: admin, editor, and author. First, create a seeder, RolesTableSeeder.php:

Run the seeder from the terminal:

Secure the Backend with ACL

In the previous section we created the roles and permissions for each user. Now we will apply them to our application. Modify layouts\backend\sidebar.blade.php so that each menu entry is visible only to the corresponding roles:

Hiding the menu entries alone doesn’t solve our problem: a user with the author role can still reach another role’s pages simply by typing the correct URL, so the check has to be enforced on the server as well.

Create a new middleware:

The new file will appear inside the app\Http\Middleware directory.

Let’s register this middleware in app\Http\Kernel.php:

Now let’s apply this middleware to every backend controller by modifying BackendController.php:

This is CheckPermissionsMiddleware.php:

If the logged-in user attempts an action that their role does not permit, the forbidden page appears:

Secure the Client Side

Having protected the backend with permissions, we now need to do the same on the front-end side.

Let’s create a helper file that we will use later. Create a new Helpers folder inside the app directory, and create permissions.php inside it:

Autoload this file by opening composer.json and adding it to the autoload section:

Open a terminal and type this command:

Modify sidebar.blade.php:

And modify CheckPermissionsMiddleware.php:

Open table.blade.php inside backend/blog and make the following modifications:

Do the same with table-trash.blade.php:

The current user is now only able to edit and delete their own posts:
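As an added example that is not the tutorial’s own code, here is one way to write the permission middleware described above so that the permission check and the ownership check both happen on the server. The permission names, the route-name prefixes, the `backend.blog` route parameter name and the `author_id` column are assumptions; `hasPermission()` is the Laratrust method used to test a user’s permissions.

```php
<?php
// Added example (not from the tutorial). Enforces Laratrust permissions for
// the backend routes and restricts post editing to the post's author.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class CheckPermissionsMiddleware
{
    // Constructed mapping: route-name prefix => permission required.
    // The permission names are assumptions, not names from the tutorial.
    private const PERMISSIONS = [
        'backend.users'      => 'manage-users',
        'backend.categories' => 'manage-categories',
        'backend.blog'       => 'manage-posts',
    ];

    public function handle(Request $request, Closure $next)
    {
        $user = Auth::user();
        if ($user === null) {
            return redirect()->route('login');
        }

        $routeName = $request->route() ? (string) $request->route()->getName() : '';

        // Deny on the server even if the menu entry was hidden in the sidebar.
        foreach (self::PERMISSIONS as $prefix => $permission) {
            if (strpos($routeName, $prefix) === 0 && !$user->hasPermission($permission)) {
                abort(403, 'You do not have permission to access this page.');
            }
        }

        // Ownership check: a user without the (assumed) manage-all-posts
        // permission may only edit or delete posts whose author_id is theirs.
        $post = $request->route('blog');
        if ($post !== null
            && !$user->hasPermission('manage-all-posts')
            && (int) ($post->author_id ?? 0) !== (int) $user->id) {
            abort(403, 'You may only modify your own posts.');
        }

        return $next($request);
    }
}
```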

Before we end this part, let’s add another link in the right corner to display only the posts written by the currently logged-in user. Modify the statusList() and index() methods in Backend\BlogController.php:

Github commit.

1 thought on “Access Control with Laratrust – WordPress-Like Blog Laravel 5.7 and AdminLTE 3 (17)”

  • Hi, thank you for your code. I have been following your code, but a problem has occurred: the roles are working perfectly if a person does not have the permission to access, but the roles for admin and editor are not assigned correctly. Can you help me?
