New

• Forbid abilities. You can now forbid abilities for more granular control. https://github.com/JosephSilber/bouncer/commit/865227ba0d0de74661ffe2e3afc79e1926367c9e

  Bouncer::allow($user)->to('delete', Post::class);
  
  $post1 = Post::where('title', 'Regular post')->first();
  $post2 = Post::where('title', 'Very important post')->first();
  
  Bouncer::forbid($user)->to('delete', $post2);
  
  Bouncer::allows('delete', $post1); // true
  Bouncer::allows('delete', $post2); // false
  

  Here's another example:

  Bouncer::allow('superadmin')->everything();
  
  Bouncer::allow('admin')->everything();
  Bouncer::forbid('admin')->toManage(User::class);
  

  The admin role can now do everything, besides managing users.

• Easily add a title to an ability. You can now pass additional attributes for the ability model being created. https://github.com/JosephSilber/bouncer/commit/7036b52dc293929ce836bab74194bcc574f37718

  Bouncer::allow($user)->to('edit', Post::class, [
      'title' => 'Edit all posts',
  ]);
  

• Bouncer factory. It is now easier than ever to use bouncer outside of Laravel. https://github.com/JosephSilber/bouncer/commit/a1b7137423bbe2348848cd066ba6ec4faf8a720a

  $bouncer = Bouncer::create();
  
  // use $bouncer
  $bouncer->allow($user)->to('access-dashboard');
  

  You can also pass along a $user instance to be able to check abilities for that user:

  $bouncer = Bouncer::make()->withUser($user)->create();
  
  $bouncer->allows('access-dashboard');
  

Breaking Changes

• Removed exclusivity option. https://github.com/JosephSilber/bouncer/commit/280d7bbfdaca5f82172da7a42994bf4356bdbdc7

New

• Support Laravel 5.4.31, which broke Bouncer.

• Greatly enhanced granting multiple roles/abilities at once:

  // Assign multiple roles:
  Bouncer::assign(['admin', 'editor'])->to($user);
  
  // Allow multiple abilities:
  Bouncer::allow($user)->to(['access-dashboard', 'ban-users']);
  
  // Also works with model abilities:
  Bouncer::allow($user)->to(['edit', 'delete'], Post::class);
  Bouncer::allow($user)->to(['edit', 'delete'], $post);
  
  // And even with multiple models:
  Bouncer::allow($user)->to('delete', [Post::class, Category::class]);
  Bouncer::allow($user)->to(['edit', 'delete'], [Post::class, Category::class]);
  
  // Go crazy and pass it an associative array with whatever you want:
  Bouncer::allow($user)->to([
      'create' => Post::class,
      'view'   => User::class,
      'edit'   => $user,
  ]);
  

• Added a whereIsNot scope to the hasRoles trait.

Breaking Changes

• Removed the isNot method from the HasRoles trait. Use isNotA and isNotAn instead.

New

• Support for Laravel 5.3

• Support for PHP 7.1

• Added can, cannot and cant methods on roles, to check abilities directly on a role. https://github.com/JosephSilber/bouncer/commit/d1b11870117deb0579c92868752444d7ded48d30

• New IsRole and IsAbility traits, so that custom models don't have to extend Bouncer's models. https://github.com/JosephSilber/bouncer/commit/151094d8be4e7950b427efb6b78b2113a4712064

• New define method on the Bouncer class, to allow defining callbacks on the gate. https://github.com/JosephSilber/bouncer/commit/9f7d0c3e2a7ef16f8533469cd2a0470f1c8504f1

• Roles and Abilities now have a title column, to optionally add a display name. https://github.com/JosephSilber/bouncer/commit/558f69321a3b6a9b1285732077846243a2a0c504

  Usage:

  // Creating a role with a title
  
  $role = Bouncer::role()->create([
      'name' => 'site-admin',
      'title' => 'Site Administrator',
  ]);
  
  Bouncer::allow($role)->to('delete', Post::class);
  
  // Creating an ability with a title
  
  $ability = Bouncer::ability()->create([
      'name' => 'ban-users',
      'title' => 'Ban users',
  ]);
  
  Bouncer::allow($user)->to($ability);
  
  // Creating an ability for a model with a title
  
  $ability = Bouncer::ability()->createForModel(Post::class, [
      'name' => 'edit',
      'title' => 'Edit posts',
  ]);
  
  Bouncer::allow($user)->to($ability);
  

Breaking Changes

• Removed the Authorize middleware and AuthorizesResources trait, since they'e been merged directly into Laravel https://github.com/JosephSilber/bouncer/commit/0c2ceaa6e8915699de8cc29e92d30d7a50a0efaf

• Renamed $user->is($role) to $user->isAn($role) and $user->isA($role), for compatibility with Laravel 5.3. https://github.com/JosephSilber/bouncer/commit/145bf653015ce6ba1a9c42999805158ef7c4cc40

• There are also some schema changes, to prepare for upcoming features. The goal is to not need any more schema changes from this point till the launch of 1.0 (we'll see).

  If you're upgrading from 0.x to alpha 2, follow the upgrade guide in the docs.

  If you're upgrading from alpha 1 to alpha 2, run this migration:

  Schema::table('abilities', function (Blueprint $table) {
      $table->string('name', 150)->change();
      $table->string('entity_type', 150)->nullable()->change();
  
      $table->string('title')->nullable()->after('name');
      $table->boolean('only_owned')->default(false)->after('entity_type');
  
      $table->dropUnique('abilities_name_entity_id_entity_type_unique');
      $table->unique(['name', 'entity_id', 'entity_type', 'only_owned']);
  });
  
  Schema::table('roles', function (Blueprint $table) {
      $table->string('title')->nullable()->after('name');
      $table->integer('level')->unsigned()->nullable()->after('name');
  });
  

New

• Polymorphic structure: Bouncer now uses a new polymorphic database schema, so that you can attach roles and abilities to any model (see here how to upgrade your schema).

• Wildcard abilities: you can now use wildcards to allow a wide spread of abilities:

  Bouncer::allow($user)->to('edit', '*');
  
  Bouncer::allows('edit', $post) == true;
  

  For more information on wildcards, see this discussion: #56

• whereAssignedTo query scope: Role::whereAssignedTo($users) will return all roles assigned to those users.

• whereCannot query scope: User::whereCannot('edit', Post::class) will return all users that can't edit posts.

Pending

The following is what's holding up the 1.0 stable release:

• Wildcards in scopes: currently, not all query scopes handle wildcards properly. We need full wildcard support in all query scopes before 1.0 can be released.
• Wildcard aliases: we need proper alias methods for most of the wildcard operations. See this discussion for more information.
• Documentation: there are still a lot of things missing from the documentation. I want to properly flesh it out before the 1.0 release.

• Fix for Laravel 5.1, where the third argument to the gate's before callback may be missing.
• Added --prefer-lowest to the Travis matrix to catch these incompatibilities in the future.

Fix regression for Laravel 5.1, where the arguments were passed in separately.

• You can now call Bouncer::exclusive() to have Bouncer deny any abilities that have not been granted via Bouncer. This will cause the Gate to skip any abilities that you have defined in your code.
• You can now set your own custom table names:

Bouncer::tables([
    'abilities' => 'my_abilities',
    'roles'     => 'my_roles',
]);

• Adapts Bouncer to the changed arguments-passing introduced in Laravel's gate.

• Use composite primary key on pivot tables.
• Use explicit indexes for pivot tables.
• Support custom primary keys on the users table.

Support for Laravel 5.2

You can now scope user queries by whether they have a particular ability:

$users = User::whereCan('view-dashboard')->get();
$users = User::whereCan('delete', $post)->get();
$users = User::whereCan('delete', Post::class)->get();

You can also directly query roles that have specific abilities:

$roles = Bouncer::role()->whereCan('view-dashboard')->get();
$roles = Bouncer::role()->whereCan('delete', $post)->get();
$roles = Bouncer::role()->whereCan('delete', Post::class)->get();

Finally, you can query users on whether they have a specific role:

$users = User::whereIs('admin')->get();
$users = User::whereIs('admin', 'moderator')->get();
$users = User::whereIsAll('reader', 'contributor')->get();