Laravel Authorization With Spatie Permissions: A Comprehensive Guide

Aug 9, 2025 by Pedro Alvarez 69 views

Authorization Discussion: Spatie Permissions for Inventory SaaS

Hey guys! Let's dive into setting up authorization for our inventory SaaS project using Spatie Permissions. We'll be focusing on creating roles, assigning permissions, and seeding our database for tenants, products, warehouses, and inventory stocks. It's gonna be a fun ride, so buckle up!

Understanding Spatie Permissions

Before we jump into the code, let's quickly recap what Spatie Permissions is all about. Think of it as a super flexible and powerful package for Laravel that makes managing user permissions a breeze. It allows us to define roles and permissions, and then assign these roles to users. This way, we can control exactly what each user can do within our application. For our inventory SaaS, this is crucial because we need to ensure that different users (like admins, warehouse managers, or regular employees) have access to different parts of the system.

With Spatie Permissions, we can easily define permissions like create-product, edit-warehouse, view-inventory, and so on. Then, we can create roles like admin, warehouse-manager, and inventory-clerk, and assign the appropriate permissions to each role. For example, the admin role might have all permissions, while the warehouse-manager role might only have permissions related to managing warehouses and inventory. This granular control is essential for maintaining the security and integrity of our data.

One of the coolest things about Spatie Permissions is its flexibility. It integrates seamlessly with Laravel's built-in authentication system and provides various ways to check permissions, such as using middleware, blade directives, and simple can() checks in our code. This makes it super easy to implement authorization logic throughout our application. Plus, it supports multiple guards, so we can even manage permissions for different types of users or entities within the same application. For instance, we could have one guard for regular users and another guard for API clients.

To get started with Spatie Permissions, we first need to install the package via Composer. It’s as simple as running composer require spatie/laravel-permission. Once installed, we need to publish the migration and configuration files using php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider". This will create a migration file in our database/migrations directory and a configuration file in our config directory. We can then run the migration using php artisan migrate to create the necessary tables in our database. These tables will store our roles, permissions, and role-permission relationships. After the migration, we can start defining our roles and permissions in our code or using seeders.

Setting Up Roles and Permissions

Now, let's get our hands dirty and start setting up roles and permissions for our inventory SaaS. We'll begin by defining the roles we need. For our application, we'll have roles like super-admin, tenant-admin, warehouse-manager, and inventory-clerk. The super-admin will have all permissions, the tenant-admin will manage tenants, the warehouse-manager will oversee warehouse operations, and the inventory-clerk will handle inventory-related tasks.

Next, we'll define the permissions. These will correspond to the different actions users can perform within our application. We'll have permissions like create-tenant, edit-tenant, delete-tenant, view-tenant, create-product, edit-product, delete-product, view-product, create-warehouse, edit-warehouse, delete-warehouse, view-warehouse, create-inventory, edit-inventory, delete-inventory, and view-inventory. Each of these permissions will allow users to perform specific actions on the corresponding entities.

To create these roles and permissions, we can use the Spatie Permissions models directly in our code. For example, to create the super-admin role, we can use Role::create(['name' => 'super-admin']);. Similarly, to create the create-product permission, we can use Permission::create(['name' => 'create-product']);. Once we have created the roles and permissions, we need to assign the permissions to the appropriate roles. For instance, to give the super-admin role all permissions, we can use $role = Role::findByName('super-admin'); $role->givePermissionTo(Permission::all());. This will attach all existing permissions to the super-admin role.

For the tenant-admin role, we might give permissions like create-tenant, edit-tenant, delete-tenant, view-tenant, create-product, edit-product, delete-product, and view-product. For the warehouse-manager role, we might give permissions like create-warehouse, edit-warehouse, delete-warehouse, view-warehouse, create-inventory, edit-inventory, and view-inventory. And for the inventory-clerk role, we might only give permissions like view-inventory and edit-inventory. This way, we can ensure that each role has the necessary permissions to perform its tasks without being able to access other parts of the system.

Seeding the Database

Okay, now that we have a good understanding of roles and permissions, let's create a seeder to populate our database with these roles and permissions. Seeders are super handy because they allow us to pre-fill our database with initial data, making it easier to test and develop our application. We'll create a seeder that creates the roles and permissions we discussed earlier, and then assigns the permissions to the roles.

To create a seeder, we can use the php artisan make:seeder command. For our authorization setup, let's create a seeder called RolesAndPermissionsSeeder. We can run php artisan make:seeder RolesAndPermissionsSeeder to generate the seeder file in the database/seeders directory. Inside this file, we'll define the logic to create our roles and permissions.

The run method of our seeder will contain the code to create the roles and permissions. We'll use the Role::create() and Permission::create() methods to create the roles and permissions, and then use the $role->givePermissionTo() method to assign the permissions to the roles. For example, our run method might look something like this:

use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;
use Illuminate\Database\Seeder;

class RolesAndPermissionsSeeder extends Seeder
{
    public function run()
    {
        // Reset cached roles and permissions
        app()['cache']->forget('spatie.permission.cache');

        // Create permissions
        Permission::create(['name' => 'create-tenant']);
        Permission::create(['name' => 'edit-tenant']);
        Permission::create(['name' => 'delete-tenant']);
        Permission::create(['name' => 'view-tenant']);
        Permission::create(['name' => 'create-product']);
        Permission::create(['name' => 'edit-product']);
        Permission::create(['name' => 'delete-product']);
        Permission::create(['name' => 'view-product']);
        Permission::create(['name' => 'create-warehouse']);
        Permission::create(['name' => 'edit-warehouse']);
        Permission::create(['name' => 'delete-warehouse']);
        Permission::create(['name' => 'view-warehouse']);
        Permission::create(['name' => 'create-inventory']);
        Permission::create(['name' => 'edit-inventory']);
        Permission::create(['name' => 'delete-inventory']);
        Permission::create(['name' => 'view-inventory']);

        // Create roles and assign permissions
        $superAdminRole = Role::create(['name' => 'super-admin']);
        $superAdminRole->givePermissionTo(Permission::all());

        $tenantAdminRole = Role::create(['name' => 'tenant-admin']);
        $tenantAdminRole->givePermissionTo(['create-tenant', 'edit-tenant', 'delete-tenant', 'view-tenant', 'create-product', 'edit-product', 'delete-product', 'view-product']);

        $warehouseManagerRole = Role::create(['name' => 'warehouse-manager']);
        $warehouseManagerRole->givePermissionTo(['create-warehouse', 'edit-warehouse', 'delete-warehouse', 'view-warehouse', 'create-inventory', 'edit-inventory', 'view-inventory']);

        $inventoryClerkRole = Role::create(['name' => 'inventory-clerk']);
        $inventoryClerkRole->givePermissionTo(['view-inventory', 'edit-inventory']);
    }
}

In this seeder, we first reset the Spatie Permissions cache to ensure that our changes are reflected immediately. Then, we create all the permissions we need for our application. After that, we create the roles and assign the appropriate permissions to each role. This way, when we seed our database, we'll have all the roles and permissions set up and ready to go.

To run the seeder, we need to add it to the DatabaseSeeder class. We can do this by adding $this->call(RolesAndPermissionsSeeder::class); to the run method of the DatabaseSeeder class. Then, we can run the seeder using the php artisan db:seed command. This will execute our RolesAndPermissionsSeeder and populate our database with the roles and permissions.

Applying Permissions in Our Application

Alright, we've set up our roles and permissions, and seeded our database. Now, let's talk about how to actually apply these permissions in our application. Spatie Permissions provides several ways to check permissions, including middleware, blade directives, and direct can() checks in our code. We'll explore each of these methods and see how they can help us protect our application.

One of the most common ways to apply permissions is using middleware. Middleware allows us to intercept requests before they reach our controllers and check if the user has the required permissions. Spatie Permissions provides a permission middleware that we can use to protect our routes. For example, if we want to protect a route that creates a product, we can add the permission:create-product middleware to that route.

In our routes/web.php file, we can define a route like this:

Route::post('/products', [ProductController::class, 'store'])->middleware('permission:create-product');

This route will only be accessible to users who have the create-product permission. If a user without this permission tries to access the route, they'll receive a 403 Forbidden error. This is a super clean and effective way to protect our routes and ensure that only authorized users can perform certain actions.

Another way to apply permissions is using blade directives. Spatie Permissions provides several blade directives that we can use in our views to conditionally display content based on the user's permissions. For example, we can use the @can directive to only show a button if the user has the edit-product permission:

@can('edit-product')
    <button>Edit Product</button>
@endcan

This will only render the