Research Laravel ACL Strategies

[a-drew]

Challenge

TLDR: Leverage open-source laravel packages to solve our user management stories.

We should take advantage of the strong open-source community around the laravel framework and look at how other developers typically solve user management requirements. There are a few popular packages but whatever we choose would need to match the following criterias:

• Works with laravel native authorization features (Gates / Policies via Middleware or Model)
• Supports laravel blade directives
• Relies on permissions first rather than checking against user roles
• Allows for arbitrary creation of permissions and roles
• Supports caching to avoid redundant database hits
• Is extensible (eventually needs to support LDAP users / groups)

Time box

This experiment is limited to 1 day

Findings

• spatie/laravel-permission - demo Top recommended package, closest to default laravel authorization usage. Comes with Roles and Permissions out of the box, supports caching and auto-registers permissions as laravel gates for ease of use. Usable via can / cannot blade directives as well as model policies & middleware. Without cache, 7 queries with cache 5.

• silvanite/brandenburg Permissions are defined in the codebase as gates and roles / users can be assigned these permissions at will. Only roles exist in the db so no caching mechanism, there will be at least 4 queries each check. Last updated in april, doesn't support laravel 8 yet but should work anyway. Gates are defined & mapped to permissions in AuthServiceProvider.

• santigarcor/laratrust - demo Similar to spatie's package, but comes with a few drawbacks and bonuses. Comes with a basic admin panel, an easy to use seeder and an optional teams feature. Allows to check for both permission and object ownership at the same time. Doesn't auto-register gates so model policy, middleware and blade directives have longer syntax. Caching is more efficient than spatie: without cache, 4 queries with cache 1.

Recommendations

Either laravel-permission or laratrust will do. Currently leaning towards laratrust based on the slightly better caching but if we want to have nicer support for laravel's built-in authorization tools (blade / policies / gates / etc.) then laravel-permission is better. Laratrust's team feature could play nicely with AD Groups but we can probably map it to role instead without too much of a hassle.

[a-drew]

@alexstojda @EvanDime any thoughts?

[a-drew]

Setting this spike to done. Given the requirements either of the two recommended packages will work well for us. Once we start coding we can decide which one to go with but if no one has any objections I'd like to go with laravel-permissions based on the better support of laravel authorization features like directives, middleware, gates and policies.