I need to build some type of privileges system where I can control who can perform what on my app. I have seen many ready packages online, but none that stood out where I can utilize it to handle my needs without hard coding my permissions/templates.
My thoughts are to create a Middleware that will do an authorization check against the logged-in user. If I have the following routes:
Route::get('accounts', array(
'as' => 'accounts_index_path',
'uses' => 'AccountController@index')
);
Route::get('account/create', array(
'as' => 'account_create_path',
'uses' => 'AccountController@create')
);
Route::post('account/store', array(
'as' => 'account_store_path',
'uses' => 'AccountController@store')
);
Route::get('account/{account}', array(
'as' => 'account_show_path',
'uses' => 'AccountController@show')
)->where('account', '[0-9]+');
Route::get('account/{account}/edit', array(
'as' => 'account_edit_path',
'uses' => 'AccountController@edit')
)->where('account', '[0-9]+');
Route::put('account/{account}/update', array(
'as' => 'account_update_path',
'uses' => 'AccountController@update')
)->where('account', '[0-9]+');
Route::delete('account/{account}', array(
'as' => 'account_destroy_path',
'uses' => 'AccountController@destroy')
)->where('account', '[0-9]+');
In theory, I should be able to give a user access to the following route names: "account_store_path", "account_create_path", "accounts_index_path" ...
Perhaps, if I don't want a user to access a specific route then I will not give them permissions.
In theory this should work, but I want to have a more robust system where I can give a user access to edit a record but not all of its fields. For example, I want a user with a "manager" role to be able to change the account name and account owner, but I don't want a user with a "standard" role to edit these fields; I do want the standard user to be able to update the notes field and other fields.
Just to be clear, I understand I will probably need to create a template with all the allowed permissions and then assign users to the correct template.
I need help trying to design the best approach for such a privilege system when I have power over who can update what.
Question: How can I allow/disallow a user to update some fields but not others?
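One way to enforce field-level permissions on the `account_update_path` route is a Laravel form request that carries a per-role "template" of editable fields and denies anything outside it. This is an added example, not code from the question; it assumes a `User` model with a `role` string attribute (`manager` or `standard`), and the field names and class names are illustrative.

```php
<?php
// Added example: field-level update authorization for AccountController@update.
// Assumes Laravel with a User model carrying a `role` string ('manager' or 'standard').
// The field map and class names are illustrative, not taken from the original question.

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class UpdateAccountRequest extends FormRequest
{
    // Template of editable fields per role. Deny by default: a role that is not
    // listed, or a field that is not listed for the role, cannot be updated.
    private const EDITABLE_FIELDS = [
        'manager'  => ['name', 'owner_id', 'notes', 'phone'],
        'standard' => ['notes', 'phone'],
    ];

    public function authorize(): bool
    {
        $role = $this->user()?->role;
        if (!isset(self::EDITABLE_FIELDS[$role])) {
            return false; // unknown or missing role: no update rights at all (403)
        }
        // Reject the whole request if it touches any field outside the template,
        // rather than silently dropping fields, so the caller learns the boundary.
        $submitted = array_keys($this->except(['_token', '_method']));
        $forbidden = array_diff($submitted, self::EDITABLE_FIELDS[$role]);
        return empty($forbidden);
    }

    public function rules(): array
    {
        // Validation rules exist only for fields this role may edit, so nothing
        // else can reach the model through mass assignment via validated().
        $all = [
            'name'     => ['sometimes', 'string', 'max:255'],
            'owner_id' => ['sometimes', 'integer', 'exists:users,id'],
            'notes'    => ['sometimes', 'nullable', 'string'],
            'phone'    => ['sometimes', 'nullable', 'string', 'max:32'],
        ];
        $allowed = array_flip(self::EDITABLE_FIELDS[$this->user()->role]);
        return array_intersect_key($all, $allowed);
    }
}

// In AccountController::update(UpdateAccountRequest $request, Account $account):
//   $account->update($request->validated()); // only role-permitted fields are written
```

Because `authorize()` runs before validation, a standard user submitting `owner_id` receives a 403 instead of a partially applied update, and the role-to-field map lives in one place that can later be moved from a constant into a database-backed template.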