{"id":266,"date":"2025-08-27T17:43:20","date_gmt":"2025-08-27T17:43:20","guid":{"rendered":"https:\/\/1v0.net\/blog\/?p=266"},"modified":"2025-08-27T17:43:23","modified_gmt":"2025-08-27T17:43:23","slug":"how-to-give-and-revoke-permissions-to-users-in-laravel","status":"publish","type":"post","link":"https:\/\/1v0.net\/blog\/how-to-give-and-revoke-permissions-to-users-in-laravel\/","title":{"rendered":"How to Give and Revoke Permissions to Users in Laravel"},"content":{"rendered":"\n

In a real-world Laravel app, you won\u2019t always grant access through roles alone. Sometimes a user needs a specific permission<\/strong> (e.g., \u201cpublish posts\u201d) without changing their whole role. In Laravel 12<\/strong> with Spatie Permissions<\/strong>, you can give and revoke permissions directly to users, inherit them via roles, and manage everything from a simple admin UI.<\/p>\n\n\n\n

In this guide, you\u2019ll learn how to grant and revoke permissions<\/strong> in multiple ways: via code, via roles, and from a user-friendly admin interface. We\u2019ll also cover best practices, caching, and how to confirm permissions at runtime.<\/p>\n\n\n\n

<\/div>\n\n\n\n

1 – Prerequisites<\/strong><\/h2>\n\n\n\n

Make sure you\u2019ve installed Spatie Laravel Permission<\/a>, run its migrations, and added the HasRoles<\/code> trait to your User<\/code> model. If you\u2019re building a multi-tenant app, enable teams first so permissions are scoped per team.<\/p>\n\n\n\n

If you need a quick seed for demo permissions:<\/p>\n\n\n

\/\/ database\/seeders\/PermissionsSeeder.php<\/span>\nuse<\/span> Illuminate<\/span>\\Database<\/span>\\Seeder<\/span>;\nuse<\/span> Spatie<\/span>\\Permission<\/span>\\Models<\/span>\\Permission<\/span>;\n\nclass<\/span> PermissionsSeeder<\/span> extends<\/span> Seeder<\/span> <\/span>{\n    public<\/span> function<\/span> run<\/span>()<\/span>: void<\/span> <\/span>{\n        foreach<\/span> (['create posts'<\/span>,'edit posts'<\/span>,'publish posts'<\/span>,'delete posts'<\/span>] as<\/span> $name) {\n            Permission::firstOrCreate(['name'<\/span> => $name]);\n        }\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Run with: php artisan db:seed --class=PermissionsSeeder<\/code><\/p>\n\n\n\n
<\/div>\n\n\n\n
2 – Granting & Revoking Permissions in Code<\/strong><\/h2>\n\n\n\n
You can assign permissions directly<\/em> to a user, or let users inherit permissions via roles<\/strong>. Direct assignment is useful for one-off exceptions; roles are best for groups of users.<\/p>\n\n\n
\/\/ 2.1 \u2014 grant a permission directly<\/span>\n$user->givePermissionTo('publish posts'<\/span>);\n\n\/\/ 2.2 \u2014 revoke a direct permission<\/span>\n$user->revokePermissionTo('publish posts'<\/span>);\n\n\/\/ 2.3 \u2014 check permission<\/span>\nif<\/span> ($user->can('publish posts'<\/span>)) {\n    \/\/ allowed<\/span>\n}\n\n\/\/ 2.4 \u2014 via roles<\/span>\n$role = \\Spatie\\Permission\\Models\\Role::firstOrCreate(['name'<\/span> => 'editor'<\/span>]);\n$role->givePermissionTo(['create posts'<\/span>,'edit posts'<\/span>,'publish posts'<\/span>]);\n$user->assignRole('editor'<\/span>); \/\/ user now inherits all role permissions<\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Notes:<\/strong> givePermissionTo<\/code> and revokePermissionTo<\/code> affect only the user\u2019s direct<\/em> permissions. If a permission still appears, it may be inherited from a role. Use syncPermissions([...])<\/code> to replace all direct permissions in one go.<\/p>\n\n\n\n
Teams:<\/strong> If you\u2019ve enabled teams in Spatie, always pass the team context:<\/p>\n\n\n
$team = Team::find(1<\/span>);\n\n$user->givePermissionTo('publish posts'<\/span>, $team);\n$user->revokePermissionTo('publish posts'<\/span>, $team);\n\nif<\/span> ($user->can('publish posts'<\/span>, $team)) {\n    \/\/ allowed only within this team<\/span>\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
<\/div>\n\n\n\n
3 – Route & Controller Protection (Using Permissions)<\/strong><\/h2>\n\n\n\n
Use Spatie\u2019s permission:<name><\/code> middleware to protect routes. You can combine it with auth<\/code> and roles as needed.<\/p>\n\n\n
\/\/ routes\/web.php<\/span>\n\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\PostPublishController<\/span>;\n\nRoute::middleware(['auth'<\/span>,'permission:publish posts'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n    Route::post('\/posts\/{post}\/publish'<\/span>, PostPublishController::class)->name('posts.publish'<\/span>);\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
In controllers, you can add additional checks ($this->authorize()<\/code> for policies, or Gate::allows()<\/code>) if needed. With Laravel 12\u2019s HasMiddleware<\/code> approach, you can even declare the permission at the controller level (static method).<\/p>\n\n\n
\/\/ app\/Http\/Controllers\/PostPublishController.php<\/span>\nnamespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>;\n\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\nuse<\/span> Illuminate<\/span>\\Routing<\/span>\\Controllers<\/span>\\HasMiddleware<\/span>;\nuse<\/span> Illuminate<\/span>\\Routing<\/span>\\Controllers<\/span>\\Middleware<\/span>;\n\nclass<\/span> PostPublishController<\/span> extends<\/span> Controller<\/span> implements<\/span> HasMiddleware<\/span>\n<\/span>{\n    public<\/span> static<\/span> function<\/span> middleware<\/span>()<\/span>: array<\/span>\n    <\/span>{\n        return<\/span> [\n            new<\/span> Middleware('auth'<\/span>),\n            new<\/span> Middleware('permission:publish posts'<\/span>),\n        ];\n    }\n\n    public<\/span> function<\/span> __invoke<\/span>(Request $request)<\/span>\n    <\/span>{\n        \/\/ publish logic...<\/span>\n        return<\/span> back()->with('status'<\/span>,'Post published'<\/span>);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
With teams enabled, prefer a team-aware approach (e.g., custom middleware that checks $user->can('publish posts', $team)<\/code> using the route\u2019s team parameter).<\/p>\n\n\n\n
<\/div>\n\n\n\n
4 – Building a Permissions Management UI<\/strong><\/h2>\n\n\n\n
Let\u2019s build an admin interface to give and revoke user permissions without writing code. We\u2019ll create routes, a controller, and a Blade view with checkboxes. This UI complements a roles UI (often both are needed).<\/p>\n\n\n
\/\/ routes\/web.php<\/span>\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>\\UserPermissionController<\/span>;\n\nRoute::middleware(['auth'<\/span>,'role:admin'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n    Route::get('\/admin\/users\/{user}\/permissions'<\/span>, [UserPermissionController::class, 'edit'<\/span>])->name('admin.users.permissions.edit'<\/span>);\n    Route::put('\/admin\/users\/{user}\/permissions'<\/span>, [UserPermissionController::class, 'update'<\/span>])->name('admin.users.permissions.update'<\/span>);\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Controller:<\/p>\n\n\n
\/\/ app\/Http\/Controllers\/Admin\/UserPermissionController.php<\/span>\nnamespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>;\n\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Controller<\/span>;\nuse<\/span> App<\/span>\\Models<\/span>\\User<\/span>;\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\nuse<\/span> Spatie<\/span>\\Permission<\/span>\\Models<\/span>\\Permission<\/span>;\n\nclass<\/span> UserPermissionController<\/span> extends<\/span> Controller<\/span>\n<\/span>{\n    public<\/span> function<\/span> edit<\/span>(User $user)<\/span>\n    <\/span>{\n        $permissions = Permission::orderBy('name'<\/span>)->get();\n        $direct = $user->permissions->pluck('name'<\/span>)->toArray(); \/\/ direct only<\/span>\n        $viaRoles = $user->getPermissionsViaRoles()->pluck('name'<\/span>)->toArray();\n\n        return<\/span> view('admin.users.permissions'<\/span>, compact('user'<\/span>,'permissions'<\/span>,'direct'<\/span>,'viaRoles'<\/span>));\n    }\n\n    public<\/span> function<\/span> update<\/span>(Request $request, User $user)<\/span>\n    <\/span>{\n        $selected = $request->input('permissions'<\/span>, []); \/\/ array of names<\/span>\n\n        \/\/ Replace all direct permissions with the submitted set<\/span>\n        $user->syncPermissions($selected);\n\n        \/\/ Clear permission cache to reflect changes immediately<\/span>\n        app()->make(\\Spatie\\Permission\\PermissionRegistrar::class)->forgetCachedPermissions();\n\n        return<\/span> back()->with('status'<\/span>,'Permissions updated.'<\/span>);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Blade view (resources\/views\/admin\/users\/permissions.blade.php<\/code>):<\/p>\n\n\n
@extends('layouts.app'<\/span>)\n\n@section('content'<\/span>)\n<div class<\/span><\/span>=\"container\"<\/span>>\n  <h2<\/span> class<\/span>=\"mb-3\"<\/span>><\/span>Manage Permissions for {{ $user->name }}<\/h2<\/span>><\/span><\/span>\n\n  <div<\/span> class<\/span>=\"alert alert-info\"<\/span>><\/span>\n    <strong<\/span>><\/span>Note:<\/strong<\/span>><\/span> Permissions shown with a lock (\ud83d\udd12) are inherited via roles. You can only change direct permissions here.\n  <\/div<\/span>><\/span><\/span>\n\n  <form<\/span> method<\/span>=\"POST\"<\/span> action<\/span>=\"{{ route('admin.users.permissions.update', $user) }}\"<\/span>><\/span>\n    @csrf\n    @method('PUT')\n\n    <div<\/span> class<\/span>=\"row\"<\/span>><\/span>\n      @foreach($permissions as $perm)\n        @php\n          $isDirect = in_array($perm->name, $direct);\n          $isViaRole = in_array($perm->name, $viaRoles);\n        @endphp\n\n        <div<\/span> class<\/span>=\"col-md-4 mb-2\"<\/span>><\/span>\n          <div<\/span> class<\/span>=\"form-check\"<\/span>><\/span>\n            <input<\/span> class<\/span>=\"form-check-input\"<\/span>\n                   type<\/span>=\"checkbox\"<\/span>\n                   name<\/span>=\"permissions[]\"<\/span>\n                   value<\/span>=\"{{ $perm->name }}\"<\/span>\n                   id<\/span>=\"perm_{{ $perm->id }}\"<\/span>\n                   {{ $isDirect<\/span> ? 'checked<\/span>' :<\/span> '' }}\n                   {{ $isViaRole<\/span> ? 'disabled<\/span>' :<\/span> '' }}><\/span>\n\n            <label<\/span> class<\/span>=\"form-check-label\"<\/span> for<\/span>=\"perm_{{ $perm->id }}\"<\/span>><\/span>\n              {{ $perm->name }} {!! $isViaRole ? '\ud83d\udd12' : '' !!}\n            <\/label<\/span>><\/span>\n          <\/div<\/span>><\/span>\n        <\/div<\/span>><\/span>\n      @endforeach\n    <\/div<\/span>><\/span>\n\n    <button<\/span> type<\/span>=\"submit\"<\/span> class<\/span>=\"btn btn-primary mt-3\"<\/span>><\/span>Save<\/button<\/span>><\/span>\n  <\/form<\/span>><\/span>\n<\/div<\/span>><\/span><\/span>\n@endsection<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
This screen distinguishes between direct permissions<\/strong> (checkboxes you can toggle) and role-inherited permissions<\/strong> (locked). That way, admins don\u2019t accidentally remove permissions that come from roles.<\/p>\n\n\n\n
Teams:<\/strong> When teams are enabled, pass the team explicitly (hidden input or resolved from the route) and use $user->syncPermissions($selected, $team)<\/code>, $user->permissions($team)<\/code>, etc., to scope everything per team.<\/p>\n\n\n\n
<\/div>\n\n\n\n
5 – Common Gotchas & Troubleshooting<\/strong><\/h2>\n\n\n\n