{"id":236,"date":"2025-08-27T14:12:00","date_gmt":"2025-08-27T14:12:00","guid":{"rendered":"https:\/\/1v0.net\/blog\/?p=236"},"modified":"2025-08-27T14:12:03","modified_gmt":"2025-08-27T14:12:03","slug":"how-to-manage-permissions-in-laravel-without-coding","status":"publish","type":"post","link":"https:\/\/1v0.net\/blog\/how-to-manage-permissions-in-laravel-without-coding\/","title":{"rendered":"How to Manage Permissions in Laravel Without Coding"},"content":{"rendered":"\n

Managing permissions directly in code works fine for developers, but in real projects, you\u2019ll often want non-developers (like team managers or admins)<\/strong> to control who can do what. Instead of hardcoding permissions, Laravel + Spatie Permissions lets you store them in the database and even manage them through a user-friendly interface.<\/p>\n\n\n\n

In this guide, we\u2019ll build a permissions management system in Laravel 12<\/strong> that doesn\u2019t require writing PHP code. Admins will be able to create new permissions, assign them to roles, and give or revoke permissions from users directly from the UI.<\/p>\n\n\n\n

<\/div>\n\n\n\n

1 – Prerequisites<\/strong><\/h2>\n\n\n\n

Before continuing, make sure you have followed our Spatie Permissions setup guide<\/a>. You should already have the required migrations, User<\/code> model updated with the HasRoles<\/code> trait, and some roles seeded.<\/p>\n\n\n\n

<\/div>\n\n\n\n

2 – Storing Permissions in the Database<\/strong><\/h2>\n\n\n\n

With Spatie, permissions are stored in the permissions<\/code> table. This means you don\u2019t need to update your codebase when you want to add new ones \u2014 you just insert rows into the table.<\/p>\n\n\n

INSERT INTO permissions (name, guard_name, created_at, updated_at)\nVALUES ('approve comments'<\/span>, 'web'<\/span>, NOW(), NOW());<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
This creates a new permission named approve comments<\/code>. Once created, you can assign it to roles or users dynamically without modifying your PHP files.<\/p>\n\n\n\n
<\/div>\n\n\n\n
3 – Building a Permissions Management UI<\/strong><\/h2>\n\n\n\n
Let\u2019s create a simple UI where admins can add new permissions, assign them to roles, and manage them without coding.<\/p>\n\n\n
\/\/ routes\/web.php<\/span>\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>\\PermissionController<\/span>;\n\nRoute::middleware(['auth'<\/span>,'role:admin'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n    Route::resource('\/admin\/permissions'<\/span>, PermissionController::class);\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Generate the controller:<\/p>\n\n\n
php artisan make:controller Admin\/PermissionController --resource<\/code><\/span><\/pre>\n\n\n
Controller logic (app\/Http\/Controllers\/Admin\/PermissionController.php<\/code>):<\/p>\n\n\n
namespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>;\n\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Controller<\/span>;\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\nuse<\/span> Spatie<\/span>\\Permission<\/span>\\Models<\/span>\\Permission<\/span>;\n\nclass<\/span> PermissionController<\/span> extends<\/span> Controller<\/span>\n<\/span>{\n    public<\/span> function<\/span> index<\/span>()<\/span>\n    <\/span>{\n        $permissions = Permission::all();\n        return<\/span> view('admin.permissions.index'<\/span>, compact('permissions'<\/span>));\n    }\n\n    public<\/span> function<\/span> create<\/span>()<\/span>\n    <\/span>{\n        return<\/span> view('admin.permissions.create'<\/span>);\n    }\n\n    public<\/span> function<\/span> store<\/span>(Request $request)<\/span>\n    <\/span>{\n        $request->validate([\n            'name'<\/span> => 'required|unique:permissions,name'<\/span>\n        ]);\n\n        Permission::create(['name'<\/span> => $request->name]);\n        return<\/span> redirect()->route('permissions.index'<\/span>)->with('status'<\/span>,'Permission created!'<\/span>);\n    }\n\n    public<\/span> function<\/span> edit<\/span>(Permission $permission)<\/span>\n    <\/span>{\n        return<\/span> view('admin.permissions.edit'<\/span>, compact('permission'<\/span>));\n    }\n\n    public<\/span> function<\/span> update<\/span>(Request $request, Permission $permission)<\/span>\n    <\/span>{\n        $request->validate([\n            'name'<\/span> => 'required|unique:permissions,name,'<\/span>.$permission->id\n        ]);\n\n        $permission->update(['name'<\/span> => $request->name]);\n        return<\/span> redirect()->route('permissions.index'<\/span>)->with('status'<\/span>,'Permission updated!'<\/span>);\n    }\n\n    public<\/span> function<\/span> destroy<\/span>(Permission $permission)<\/span>\n    <\/span>{\n        $permission->delete();\n        return<\/span> redirect()->route('permissions.index'<\/span>)->with('status'<\/span>,'Permission deleted!'<\/span>);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Example Blade view (resources\/views\/admin\/permissions\/index.blade.php<\/code>):<\/p>\n\n\n
@extends('layouts.app')\n\n@section('content')\n<div<\/span> class<\/span>=\"container\"<\/span>><\/span>\n  <h2<\/span>><\/span>Permissions<\/h2<\/span>><\/span>\n  <a<\/span> href<\/span>=\"{{ route('permissions.create') }}\"<\/span> class<\/span>=\"btn btn-primary mb-3\"<\/span>><\/span>Add Permission<\/a<\/span>><\/span>\n\n  <table<\/span> class<\/span>=\"table table-bordered\"<\/span>><\/span>\n    <thead<\/span>><\/span>\n      <tr<\/span>><\/span><th<\/span>><\/span>Name<\/th<\/span>><\/span><th<\/span>><\/span>Actions<\/th<\/span>><\/span><\/tr<\/span>><\/span>\n    <\/thead<\/span>><\/span>\n    <tbody<\/span>><\/span>\n      @foreach($permissions as $permission)\n      <tr<\/span>><\/span>\n        <td<\/span>><\/span>{{ $permission->name }}<\/td<\/span>><\/span>\n        <td<\/span>><\/span>\n          <a<\/span> href<\/span>=\"{{ route('permissions.edit',$permission) }}\"<\/span> class<\/span>=\"btn btn-sm btn-outline-secondary\"<\/span>><\/span>Edit<\/a<\/span>><\/span>\n          <form<\/span> action<\/span>=\"{{ route('permissions.destroy',$permission) }}\"<\/span> method<\/span>=\"POST\"<\/span> style<\/span>=\"display:inline\"<\/span>><\/span>\n            @csrf\n            @method('DELETE')\n            <button<\/span> type<\/span>=\"submit\"<\/span> class<\/span>=\"btn btn-sm btn-outline-danger\"<\/span>><\/span>Delete<\/button<\/span>><\/span>\n          <\/form<\/span>><\/span>\n        <\/td<\/span>><\/span>\n      <\/tr<\/span>><\/span>\n      @endforeach\n    <\/tbody<\/span>><\/span>\n  <\/table<\/span>><\/span>\n<\/div<\/span>><\/span>\n@endsection<\/code><\/span>Code language:<\/span> HTML, XML<\/span> (<\/span>xml<\/span>)<\/span><\/small><\/pre>\n\n\n
This interface allows an admin to add, edit, and delete permissions directly in the browser \u2014 no code required.<\/p>\n\n\n\n
<\/div>\n\n\n\n
4 – Assign Permissions to Roles from the UI<\/strong><\/h2>\n\n\n\n
You can expand the UI to let admins attach permissions to roles. Example controller snippet:<\/p>\n\n\n
\/\/ In RoleController@edit<\/span>\n$permissions = Permission::all();\nreturn<\/span> view('admin.roles.edit'<\/span>, compact('role'<\/span>,'permissions'<\/span>));<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Then in your view, simply render checkboxes for each permission, and use $role->syncPermissions($request->permissions)<\/code> in your controller to save updates.<\/p>\n\n\n\n
<\/div>\n\n\n\n
5 – Enforcing Permissions on Controllers (Without Coding)<\/strong><\/h2>\n\n\n\n
Creating permissions is only half the story \u2014 we must apply them to specific pages or actions. To keep this \u201cno-code\u201d, we\u2019ll store permission-to-route mappings in the database and enforce them with a middleware.<\/p>\n\n\n\n
First, create a migration for a new table to store route-permission pairs:<\/p>\n\n\n
php<\/span> artisan<\/span> make<\/span>:migration<\/span> create_route_permissions_table<\/span><\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
\/\/ database\/migrations\/xxxx_xx_xx_create_route_permissions_table.php<\/span>\nuse<\/span> Illuminate<\/span>\\Database<\/span>\\Migrations<\/span>\\Migration<\/span>;\nuse<\/span> Illuminate<\/span>\\Database<\/span>\\Schema<\/span>\\Blueprint<\/span>;\nuse<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Schema<\/span>;\n\nreturn<\/span> new<\/span> class<\/span> extends<\/span> Migration<\/span> <\/span>{\n    public<\/span> function<\/span> up<\/span>()<\/span>: void<\/span> <\/span>{\n        Schema::create('route_permissions'<\/span>, function<\/span> (Blueprint $table)<\/span> <\/span>{\n            $table->id();\n            $table->string('route_name'<\/span>);\n            $table->string('permission_name'<\/span>);\n            $table->timestamps();\n        });\n    }\n\n    public<\/span> function<\/span> down<\/span>()<\/span>: void<\/span> <\/span>{\n        Schema::dropIfExists('route_permissions'<\/span>);\n    }\n};<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
This table will store which permission is required for which named route.<\/p>\n\n\n\n
<\/div>\n\n\n\n
6 – Create a Middleware to Enforce DB Permissions<\/strong><\/h2>\n\n\n\n
Next, build a middleware that checks the current route against the database and ensures the logged-in user has the required permission.<\/p>\n\n\n
php<\/span> artisan<\/span> make<\/span>:middleware<\/span> DynamicPermissionMiddleware<\/span><\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n
\/\/ app\/Http\/Middleware\/DynamicPermissionMiddleware.php<\/span>\nnamespace<\/span> App<\/span>\\Http<\/span>\\Middleware<\/span>;\n\nuse<\/span> Closure<\/span>;\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\nuse<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Route<\/span>;\nuse<\/span> App<\/span>\\Models<\/span>\\RoutePermission<\/span>;\n\nclass<\/span> DynamicPermissionMiddleware<\/span>\n<\/span>{\n    public<\/span> function<\/span> handle<\/span>(Request $request, Closure $next)<\/span>\n    <\/span>{\n        $routeName = Route::currentRouteName();\n\n        $mapping = RoutePermission::where('route_name'<\/span>, $routeName)->first();\n\n        if<\/span> ($mapping && ! $request->user()?->can($mapping->permission_name)) {\n            abort(403<\/span>, 'You do not have permission to access this page.'<\/span>);\n        }\n\n        return<\/span> $next($request);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Register this middleware in app\/Http\/Kernel.php<\/code> under $routeMiddleware<\/code> as 'dynamic.permission'<\/code>.<\/p>\n\n\n\n
Now, any route using this middleware will check its required permission dynamically from the database.<\/p>\n\n\n\n
<\/div>\n\n\n\n
7 – Admin UI to Map Routes to Permissions<\/strong><\/h2>\n\n\n\n
Finally, let\u2019s give admins the power to assign which permission protects which route \u2014 all from the UI.<\/p>\n\n\n
\/\/ routes\/web.php<\/span>\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>\\RoutePermissionController<\/span>;\n\nRoute::middleware(['auth'<\/span>,'role:admin'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n    Route::resource('\/admin\/route-permissions'<\/span>, RoutePermissionController::class);\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Controller (app\/Http\/Controllers\/Admin\/RoutePermissionController.php<\/code>):<\/p>\n\n\n
namespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>;\n\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Controller<\/span>;\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\nuse<\/span> App<\/span>\\Models<\/span>\\RoutePermission<\/span>;\nuse<\/span> Spatie<\/span>\\Permission<\/span>\\Models<\/span>\\Permission<\/span>;\nuse<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Route<\/span>;\n\nclass<\/span> RoutePermissionController<\/span> extends<\/span> Controller<\/span>\n<\/span>{\n    public<\/span> function<\/span> index<\/span>()<\/span>\n    <\/span>{\n        $routes = collect(Route::getRoutes())->pluck('action.as'<\/span>)->filter();\n        $permissions = Permission::all();\n        $mappings = RoutePermission::all();\n\n        return<\/span> view('admin.route-permissions.index'<\/span>, compact('routes'<\/span>,'permissions'<\/span>,'mappings'<\/span>));\n    }\n\n    public<\/span> function<\/span> store<\/span>(Request $request)<\/span>\n    <\/span>{\n        RoutePermission::updateOrCreate(\n            ['route_name'<\/span> => $request->route_name],\n            ['permission_name'<\/span> => $request->permission_name]\n        );\n\n        return<\/span> redirect()->back()->with('status'<\/span>,'Mapping saved!'<\/span>);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Blade view (resources\/views\/admin\/route-permissions\/index.blade.php<\/code>):<\/p>\n\n\n
@extends('layouts.app')\n\n@section('content')\n<div<\/span> class<\/span>=\"container\"<\/span>><\/span>\n  <h2<\/span>><\/span>Route-Permission Mappings<\/h2<\/span>><\/span>\n  <form<\/span> method<\/span>=\"POST\"<\/span> action<\/span>=\"{{ route('route-permissions.store') }}\"<\/span> class<\/span>=\"mb-4\"<\/span>><\/span>\n    @csrf\n    <div<\/span> class<\/span>=\"mb-3\"<\/span>><\/span>\n      <label<\/span>><\/span>Route<\/label<\/span>><\/span>\n      <select<\/span> name<\/span>=\"route_name\"<\/span> class<\/span>=\"form-select\"<\/span>><\/span>\n        @foreach($routes as $route)\n          <option<\/span> value<\/span>=\"{{ $route }}\"<\/span>><\/span>{{ $route }}<\/option<\/span>><\/span>\n        @endforeach\n      <\/select<\/span>><\/span>\n    <\/div<\/span>><\/span>\n\n    <div<\/span> class<\/span>=\"mb-3\"<\/span>><\/span>\n      <label<\/span>><\/span>Permission<\/label<\/span>><\/span>\n      <select<\/span> name<\/span>=\"permission_name\"<\/span> class<\/span>=\"form-select\"<\/span>><\/span>\n        @foreach($permissions as $permission)\n          <option<\/span> value<\/span>=\"{{ $permission->name }}\"<\/span>><\/span>{{ $permission->name }}<\/option<\/span>><\/span>\n        @endforeach\n      <\/select<\/span>><\/span>\n    <\/div<\/span>><\/span>\n\n    <button<\/span> type<\/span>=\"submit\"<\/span> class<\/span>=\"btn btn-primary\"<\/span>><\/span>Save Mapping<\/button<\/span>><\/span>\n  <\/form<\/span>><\/span>\n\n  <h3<\/span>><\/span>Existing Mappings<\/h3<\/span>><\/span>\n  <ul<\/span>><\/span>\n    @foreach($mappings as $map)\n      <li<\/span>><\/span>Route: {{ $map->route_name }} \u2192 Permission: {{ $map->permission_name }}<\/li<\/span>><\/span>\n    @endforeach\n  <\/ul<\/span>><\/span>\n<\/div<\/span>><\/span>\n@endsection<\/code><\/span>Code language:<\/span> HTML, XML<\/span> (<\/span>xml<\/span>)<\/span><\/small><\/pre>\n\n\n
Now, an admin can log into the UI, select a route (by name), and choose which permission is required. The middleware enforces it automatically \u2014 without writing any PHP code.<\/p>\n\n\n\n
<\/div>\n\n\n\n
Wrapping Up<\/h2>\n\n\n\n
We built a permissions management UI in Laravel 12<\/strong> that lets admins create, update, and delete permissions directly from the browser. By storing permissions in the database and exposing them via an admin panel, you empower non-developers to control application access without touching code. This makes your app far more flexible and team-friendly.<\/p>\n\n\n\n
<\/div>\n\n\n\n
What\u2019s Next<\/h2>\n\n\n\n