Permission module overview
Terms and cases
Permissions are the rules that define what actions a user can perform on the system. For permission checks, the application uses a few concepts:
- Role (see predefined list of Roles)
- Membership Plan (e.g. to check how many ongoing Course Enrollments a Member may have, see Membership module)
- Role in a Team (for Team Members, see Team module)
- Role in a LocalGroup (see LocalGroup module)
The central concept of the Permission System is Roles.
Roles are granted to Members. Each Member can have several Roles at the same time. You can attach the Role to the Member either from the Member page or from the corresponding Role’s page.
The mechanism for attaching Roles to Members is standard for our Admin Panel.
Admins vs. Super Admins
The central roles of the system are Admins and Super Admins. The first thing to note is that these are two different and independent roles. The Admin role grants access to the Admin Panel and all actions on the Member Area. The Super Admin role grants additional access to the most critical parts of the Admin Panel, the so-called "Red Zone". Usually, every IxDF employee should have the Admin role, and some employees should additionally have the Super Admin role.
Technical Implementation
Access rules are implemented through Laravel Authorization Policies. The Policy classes can be found in the app/{Module}/Policies directory, whose structure mirrors that of the app/{Module}/Models directory.
Checks are implemented using the standard Laravel API:
- the `$this->authorize(...)` method calls in controllers;
- the `@can(...)` Blade constructions in views;
- the `$member->can(...)` method calls in some rare cases.
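As an added example (not IxDF's own code), here is what a Policy and the matching controller check look like under the layout just described, for a hypothetical Course module: `App\Course\Models\Course` is mirrored by `App\Course\Policies\CoursePolicy`. The `App\Member\Models\Member` class, its `hasRole()` helper, the role names `course_editor` and `super_admin`, and the route names are all assumptions.

```php
<?php
// Added example, not IxDF project code. Assumes a hypothetical Course module whose
// model lives in app/Course/Models/Course.php and whose policy mirrors it at
// app/Course/Policies/CoursePolicy.php. Member::hasRole() and the role names are
// assumptions too. The two classes would normally sit in separate files.

namespace App\Course\Policies;

use App\Course\Models\Course;
use App\Member\Models\Member;

final class CoursePolicy
{
    // Listing courses is open to every authenticated Member.
    public function viewAny(Member $member): bool
    {
        return true;
    }

    // Editing depends on a Role granted to the Member.
    public function update(Member $member, Course $course): bool
    {
        return $member->hasRole('course_editor');
    }

    // Deleting is treated as a "Red Zone" action: only Super Admins may do it.
    public function delete(Member $member, Course $course): bool
    {
        return $member->hasRole('super_admin');
    }
}

namespace App\Course\Controllers;

use App\Course\Models\Course;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;

final class CourseController extends Controller
{
    use AuthorizesRequests;

    public function update(Request $request, Course $course): RedirectResponse
    {
        // Resolves to CoursePolicy::update() for the logged-in Member and throws an
        // AuthorizationException (rendered as HTTP 403) when it returns false,
        // so nothing below this line runs for a Member without the Role.
        $this->authorize('update', $course);

        $course->update($request->validate([
            'title' => ['required', 'string', 'max:255'],
        ]));

        return redirect()->route('courses.show', $course);
    }

    public function destroy(Course $course): RedirectResponse
    {
        $this->authorize('delete', $course); // CoursePolicy::delete()
        $course->delete();

        return redirect()->route('courses.index');
    }
}

// The same check in a Blade view, so the link is only rendered for Members the
// policy allows (the route name is assumed):
//
//   @can('update', $course)
//       <a href="{{ route('courses.edit', $course) }}">Edit</a>
//   @endcan
```

The `@can` directive only hides the UI; the `$this->authorize()` call in the controller is what actually stops a request that was crafted without the link, so both belong together.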
Policies vs. Gates
We use Policies: they fit naturally with our approach of splitting the application into modules.
Middlewares
Access to the Admin Area is protected by two dedicated middlewares, AccessibleForAdmins and AccessibleForSuperAdmins. If you check the routes/web.admin.php file, you'll find two groups of routes:
- routes available to Admins, which are protected by the `admin` middleware;
- routes available only to Super Admins, which are protected by the `super_admin` middleware.
The permissions for Admin members are implemented by using an intercepting Gate check in the AuthServiceProvider class.
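As an added example (not IxDF's own code), the following shows the shape of the two middlewares, the route groups, and an intercepting Gate check (Laravel's `Gate::before`) that grants Admins their Member Area abilities without also opening the Red Zone. The `App\Member\Models\Member` class, its `hasRole()` helper, the role names `admin` and `super_admin`, the `RED_ZONE_ABILITIES` list, and the namespaces and route names are assumptions; the `admin` and `super_admin` aliases are assumed to be registered in the HTTP kernel (or bootstrap/app.php on Laravel 11).

```php
<?php
// Added example, not IxDF project code. Member::hasRole(), the role names, the
// namespaces and the RED_ZONE_ABILITIES list are assumptions. The classes would
// normally sit in separate files.

namespace App\Member\Http\Middleware;

use App\Member\Models\Member;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Shared base: reject the request unless the logged-in Member holds one Role.
abstract class RequiresRole
{
    protected string $role;

    public function handle(Request $request, Closure $next): Response
    {
        $member = $request->user();

        // Guests and Members without the Role never reach the protected routes.
        if (! $member instanceof Member || ! $member->hasRole($this->role)) {
            abort(403);
        }

        return $next($request);
    }
}

final class AccessibleForAdmins extends RequiresRole
{
    protected string $role = 'admin';
}

final class AccessibleForSuperAdmins extends RequiresRole
{
    protected string $role = 'super_admin';
}

namespace App\Providers;

use App\Member\Models\Member;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

final class AuthServiceProvider extends ServiceProvider
{
    // Abilities that belong to the "Red Zone" and must never be granted by the
    // blanket Admin rule below (assumed list).
    private const RED_ZONE_ABILITIES = ['delete', 'forceDelete', 'grantRole'];

    public function boot(): void
    {
        // Intercepting Gate check: runs before every policy method. Returning true
        // grants the ability outright and the policy is never consulted, so the
        // callback returns null (fall through to the policy), not false, for
        // anything it does not decide. A bare "return true" for Admins would also
        // open every Red Zone action to them.
        Gate::before(function (Member $member, string $ability): ?bool {
            if ($member->hasRole('admin') && ! in_array($ability, self::RED_ZONE_ABILITIES, true)) {
                return true;
            }

            return null;
        });
    }
}

// routes/web.admin.php (shape assumed): one group per middleware alias. Because
// the two Roles are independent, this example stacks both aliases on the Red
// Zone group so that Red Zone access also requires the Admin role.
//
//   Route::middleware('admin')->prefix('admin')->group(function () {
//       Route::resource('courses', CourseController::class);
//   });
//
//   Route::middleware(['admin', 'super_admin'])->prefix('admin')->group(function () {
//       Route::resource('roles', RoleController::class);
//   });
```

The middleware decides whether a request reaches the Admin Panel at all; the `Gate::before` callback decides which abilities an Admin then has inside it. Keeping the Red Zone list out of the blanket rule means those abilities are still answered by the individual Policies, which check for the Super Admin role explicitly.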