Implementing RBAC & AUTH Role Permissions in Laravel: A Step‑by‑Step Guide
Learn how to build robust role‑based access control (RBAC) and attribute‑based (AUTH) permission systems in Laravel by adapting concepts from ThinkPHP, covering database schema design, route‑linked permissions, menu integration, and practical implementation tips to secure your PHP applications.
Role Permission Management Overview
Role permission management is a common system feature that typically includes user management, menu management, role management, and permission management. In the ThinkPHP framework, the official solutions are RBAC and AUTH.
RBAC in ThinkPHP
The RBAC approach designs five tables: user, permission, node, role, and user_role. The workflow is to create nodes (modules, controllers, methods), then create roles and assign permissions to those roles, create users and assign roles, and finally, upon user login, retrieve the user's roles and associated permissions to determine whether the requested module, controller, and method are permitted.
Because every decision reduces to "does one of this user's roles hold the requested node?", RBAC gives relatively coarse-grained control: it cannot easily express rules that depend on attributes of the user (account status, score, department) or of the request, which is where the AUTH approach below comes in.
AUTH in ThinkPHP
The AUTH approach introduces four tables: user, user_permission_group (equivalent to user_role), permission_group (equivalent to role), and permission_rule (equivalent to node). The steps are similar to RBAC: create permission rules, create permission groups and assign rules, create users and assign groups, and upon login, retrieve the user's permission group and its rules, then match user attributes against the rules to decide access.
Laravel Implementation
Laravel can also implement RBAC role permission management using the Laravel Permission package (spatie/laravel-permission). Detailed steps are available in the referenced documentation:
http://laravelacademy.org/post/9389.html
The package, however, has limitations: it has no notion of menus, and its permissions are not tied to routes by themselves. You have to attach its role/permission middleware to each route (or group) by hand, with the permission name repeated in the route definition, so a route that is added without its middleware is open by default.
To address these issues, follow the ThinkPHP RBAC concept: when creating a permission, store the corresponding route name (the string you would pass to route()) in the permission's name field. On each request, after the user has been authenticated, retrieve the user's roles and their permissions, and check whether the current route's name is present in that permission set. If it is, the request proceeds; otherwise it is rejected with 403. Do this check in a middleware that runs before the controller, apply it to the whole protected route group rather than route by route, and treat a route with no name as denied, so that a forgotten name fails closed rather than open.
For menus, associate each menu item with a permission node, which with this scheme is simply the route name the item links to. During menu rendering, display only those items whose route names are present in the user's permission set, hiding the rest (a parent item stays visible only if at least one of its children does). Hiding a menu item is presentation only: the route middleware above is what actually protects the request, since a user can still type the URL directly.
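The route-name check and the menu filter described above, as an added example that is not the article's or the package's own code. It assumes spatie/laravel-permission is installed, that permission names are Laravel route names such as `users.index`, and that the menu is defined in a hypothetical `config/menu.php` with a `route` key per item; the middleware, menu builder and route names are assumptions chosen for the illustration.

```php
<?php
// app/Http/Middleware/CheckRoutePermission.php (added example, assumed file name)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class CheckRoutePermission
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();
        if ($user === null) {
            abort(401);
        }

        // The permission key is the route name, i.e. the string passed to route().
        $routeName = $request->route()?->getName();

        // Deny by default: an unnamed route cannot be matched to any permission,
        // so it must never be reachable through this middleware.
        if ($routeName === null) {
            abort(403, 'Unnamed route: no permission can be resolved.');
        }

        // getAllPermissions() (spatie API) merges direct and role-inherited permissions.
        // Compare against the plain name list instead of calling hasPermissionTo(),
        // which throws PermissionDoesNotExist when the permission row is missing.
        $allowed = $user->getAllPermissions()->pluck('name')->all();

        if (! in_array($routeName, $allowed, true)) {
            abort(403);
        }

        return $next($request);
    }
}

// app/Support/MenuBuilder.php (added example, assumed file name)

namespace App\Support;

class MenuBuilder
{
    /**
     * Keep only the menu items whose route name is in the user's permission set.
     *
     * @param array<int, array{label: string, route?: string, children?: array}> $menu
     * @param string[] $permissions  route names the user holds
     */
    public static function filter(array $menu, array $permissions): array
    {
        $out = [];
        foreach ($menu as $item) {
            $children = isset($item['children'])
                ? self::filter($item['children'], $permissions)
                : [];
            $visible = in_array($item['route'] ?? '', $permissions, true);
            // A parent without a route of its own survives only if a child did.
            if ($visible || $children !== []) {
                $item['children'] = $children;
                $out[] = $item;
            }
        }
        return $out;
    }
}

// routes/web.php (excerpt, added example). Every protected route is named and the
// middleware is applied to the whole group, so a route added without a name is
// rejected by the middleware rather than silently left open.
//
// Route::middleware(['auth', \App\Http\Middleware\CheckRoutePermission::class])
//     ->group(function () {
//         Route::get('/users', [UserController::class, 'index'])->name('users.index');
//         Route::delete('/users/{user}', [UserController::class, 'destroy'])->name('users.destroy');
//     });
//
// Rendering the menu for the signed-in user (e.g. in a view composer):
//
// $permissions = auth()->user()->getAllPermissions()->pluck('name')->all();
// $menu = \App\Support\MenuBuilder::filter(config('menu'), $permissions);
```

Seed one permission per route name (`php artisan route:list` shows the names to use) and, because spatie caches permissions, run `php artisan permission:cache-reset` after seeding or the middleware will keep seeing the old set. Two names that are easy to get wrong are `users.index` versus `users.show`: a permission on the list page does not grant the detail page, which is exactly the fine granularity the route-name scheme is meant to give.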
With these adjustments, Laravel achieves a functional RBAC role management system. Implementing the AUTH approach follows the same principles and can be derived analogously.