Laravel Eloquent roles and abilities.
Forbid abilities. You can now forbid abilities for more granular control. https://github.com/JosephSilber/bouncer/commit/865227ba0d0de74661ffe2e3afc79e1926367c9e
Bouncer::allow($user)->to('delete', Post::class);
$post1 = Post::where('title', 'Regular post')->first();
$post2 = Post::where('title', 'Very important post')->first();
Bouncer::forbid($user)->to('delete', $post2);
Bouncer::allows('delete', $post1); // true
Bouncer::allows('delete', $post2); // false
Here's another example:
Bouncer::allow('superadmin')->everything();
Bouncer::allow('admin')->everything();
Bouncer::forbid('admin')->toManage(User::class);
The admin role can now do everything, besides managing users.
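The precedence these two examples rely on, where a matching forbid rule overrides any allow rule no matter how broad, is sketched below as an added example. It is a simplified stand-alone model, not Bouncer's own code: the RuleSet class, its methods, and the numeric ids are assumptions made for illustration.

```php
<?php
// Simplified model of forbid-over-allow resolution, NOT Bouncer's implementation.
// A rule is [ability, entityType, entityId]; '*' and a null id act as wildcards.
final class RuleSet
{
    private array $allowed = [];
    private array $forbidden = [];

    public function allow(string $ability, string $type = '*', ?int $id = null): void
    {
        $this->allowed[] = [$ability, $type, $id];
    }

    public function forbid(string $ability, string $type = '*', ?int $id = null): void
    {
        $this->forbidden[] = [$ability, $type, $id];
    }

    public function allows(string $ability, string $type, ?int $id = null): bool
    {
        // A matching forbid rule wins, however broad the matching allow rule is.
        if ($this->matches($this->forbidden, $ability, $type, $id)) {
            return false;
        }
        // Default deny: access needs at least one matching allow rule.
        return $this->matches($this->allowed, $ability, $type, $id);
    }

    private function matches(array $rules, string $ability, string $type, ?int $id): bool
    {
        foreach ($rules as [$a, $t, $i]) {
            if (($a === '*' || $a === $ability) && ($t === '*' || $t === $type)
                && ($i === null || $i === $id)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed rules mirroring the two examples above (ids 1 and 2 are made up).
$user = new RuleSet();
$user->allow('delete', 'Post');      // allow($user)->to('delete', Post::class)
$user->forbid('delete', 'Post', 2);  // forbid($user)->to('delete', $post2)
$admin = new RuleSet();
$admin->allow('*');                  // allow('admin')->everything()
$admin->forbid('*', 'User');         // forbid('admin')->toManage(User::class)
var_dump($user->allows('delete', 'Post', 1), $user->allows('delete', 'Post', 2));
var_dump($admin->allows('edit', 'Post', 1), $admin->allows('edit', 'User', 1));
```

In each pair the first check is permitted and the second is denied, because the narrower forbid rule is evaluated before any allow rule.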
Easily add a title to an ability. You can now pass additional attributes for the ability model being created. https://github.com/JosephSilber/bouncer/commit/7036b52dc293929ce836bab74194bcc574f37718
Bouncer::allow($user)->to('edit', Post::class, [
    'title' => 'Edit all posts',
]);
Bouncer factory. It is now easier than ever to use bouncer outside of Laravel. https://github.com/JosephSilber/bouncer/commit/a1b7137423bbe2348848cd066ba6ec4faf8a720a
$bouncer = Bouncer::create();
// use $bouncer
$bouncer->allow($user)->to('access-dashboard');
You can also pass along a $user instance to be able to check abilities for that user:
$bouncer = Bouncer::make()->withUser($user)->create();
$bouncer->allows('access-dashboard');
Support Laravel 5.4.31, which broke Bouncer.
Greatly enhanced granting multiple roles/abilities at once:
// Assign multiple roles:
Bouncer::assign(['admin', 'editor'])->to($user);
// Allow multiple abilities:
Bouncer::allow($user)->to(['access-dashboard', 'ban-users']);
// Also works with model abilities:
Bouncer::allow($user)->to(['edit', 'delete'], Post::class);
Bouncer::allow($user)->to(['edit', 'delete'], $post);
// And even with multiple models:
Bouncer::allow($user)->to('delete', [Post::class, Category::class]);
Bouncer::allow($user)->to(['edit', 'delete'], [Post::class, Category::class]);
// Go crazy and pass it an associative array with whatever you want:
Bouncer::allow($user)->to([
    'create' => Post::class,
    'view' => User::class,
    'edit' => $user,
]);
isNot method from the HasRoles trait. Use isNotA and isNotAn instead.
Support for Laravel 5.3
Support for PHP 7.1
Added can, cannot and cant methods on roles, to check abilities directly on a role. https://github.com/JosephSilber/bouncer/commit/d1b11870117deb0579c92868752444d7ded48d30
New IsRole and IsAbility traits, so that custom models don't have to extend Bouncer's models. https://github.com/JosephSilber/bouncer/commit/151094d8be4e7950b427efb6b78b2113a4712064
New define method on the Bouncer class, to allow defining callbacks on the gate. https://github.com/JosephSilber/bouncer/commit/9f7d0c3e2a7ef16f8533469cd2a0470f1c8504f1
Roles and Abilities now have a title column, to optionally add a display name. https://github.com/JosephSilber/bouncer/commit/558f69321a3b6a9b1285732077846243a2a0c504
Usage:
// Creating a role with a title
$role = Bouncer::role()->create([
    'name' => 'site-admin',
    'title' => 'Site Administrator',
]);
Bouncer::allow($role)->to('delete', Post::class);
// Creating an ability with a title
$ability = Bouncer::ability()->create([
    'name' => 'ban-users',
    'title' => 'Ban users',
]);
Bouncer::allow($user)->to($ability);
// Creating an ability for a model with a title
$ability = Bouncer::ability()->createForModel(Post::class, [
    'name' => 'edit',
    'title' => 'Edit posts',
]);
Bouncer::allow($user)->to($ability);
Removed the Authorize middleware and AuthorizesResources trait, since they've been merged directly into Laravel. https://github.com/JosephSilber/bouncer/commit/0c2ceaa6e8915699de8cc29e92d30d7a50a0efaf
Renamed $user->is($role) to $user->isAn($role) and $user->isA($role), for compatibility with Laravel 5.3. https://github.com/JosephSilber/bouncer/commit/145bf653015ce6ba1a9c42999805158ef7c4cc40
There are also some schema changes, to prepare for upcoming features. The goal is to not need any more schema changes from this point till the launch of 1.0 (we'll see).
If you're upgrading from 0.x to alpha 2, follow the upgrade guide in the docs.
If you're upgrading from alpha 1 to alpha 2, run this migration:
Schema::table('abilities', function (Blueprint $table) {
    $table->string('name', 150)->change();
    $table->string('entity_type', 150)->nullable()->change();
    $table->string('title')->nullable()->after('name');
    $table->boolean('only_owned')->default(false)->after('entity_type');
    $table->dropUnique('abilities_name_entity_id_entity_type_unique');
    $table->unique(['name', 'entity_id', 'entity_type', 'only_owned']);
});
Schema::table('roles', function (Blueprint $table) {
    $table->string('title')->nullable()->after('name');
    $table->integer('level')->unsigned()->nullable()->after('name');
});
Polymorphic structure: Bouncer now uses a new polymorphic database schema, so that you can attach roles and abilities to any model (see here how to upgrade your schema).
Wildcard abilities: you can now use wildcards to allow a wide spread of abilities:
Bouncer::allow($user)->to('edit', '*');
Bouncer::allows('edit', $post) == true;
For more information on wildcards, see this discussion: #56
whereAssignedTo query scope: Role::whereAssignedTo($users) will return all roles assigned to those users.
whereCannot query scope: User::whereCannot('edit', Post::class) will return all users that can't edit posts.
The following is what's holding up the 1.0 stable release:
before callback may be missing.
--prefer-lowest to the Travis matrix to catch these incompatibilities in the future.
Fix regression for Laravel 5.1, where the arguments were passed in separately.
Bouncer::exclusive() to have Bouncer deny any abilities that have not been granted via Bouncer. This will cause the Gate to skip any abilities that you have defined in your code.
Bouncer::tables([
    'abilities' => 'my_abilities',
    'roles' => 'my_roles',
]);
users table.
Support for Laravel 5.2
You can now scope user queries by whether they have a particular ability:
$users = User::whereCan('view-dashboard')->get();
$users = User::whereCan('delete', $post)->get();
$users = User::whereCan('delete', Post::class)->get();
You can also directly query roles that have specific abilities:
$roles = Bouncer::role()->whereCan('view-dashboard')->get();
$roles = Bouncer::role()->whereCan('delete', $post)->get();
$roles = Bouncer::role()->whereCan('delete', Post::class)->get();
Finally, you can query users on whether they have a specific role:
$users = User::whereIs('admin')->get();
$users = User::whereIs('admin', 'moderator')->get();
$users = User::whereIsAll('reader', 'contributor')->get();