I have worked on some previous Laravel projects, which were using Laravel as front- and backend solution. Most of them were just as simple as 1 user has 1 or more roles on a single site.
Currently I am conceptually stuck on implementing roles and permissions for Laravel as a REST API. NB: the frontend is running React on a different server, outside of Laravel's public folder.
I have a single users table, and these users can be assigned to projects, hence they can create them themselves. Within a project a user can have a different role. An admin on project A can be an editor on B, a reader on C, and so on.
Most RBAC/passport/permission packages I find can assign multiple roles to users, e.g. an editor and a writer. How could I add this small layer of abstraction to get the roles scoped at the project level (even when working via the REST API)? I feel I am missing something obvious here.
Packages like Laratrust and Spatie Laravel Permission offer team-based RBAC, which might be worth investigating.
Another option would be to prefix your roles and permissions (it might not be a requirement to prefix permissions: can_read might be the same for all projects) with the name of the project they are associated to (i.e. projectA_editor, projectB_admin, projectB_can_read, projectB_can_edit etc.). Then use some logic (middleware) to perform checks against a User, their access level and the endpoint they are attempting to access.
Alternatively, you could adapt an existing package and create the logic for managing the project-based access control (models and migrations etc.), providing associations between a User, Project and their access rights.
From an ease of implementation and management (package updates for example) I would be inclined to use the prefix option.
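As an added illustration of the middleware check described in the answer above (example code, not the poster's or any package's): a route middleware that scopes a role to the project named in the URL. It assumes a project_user pivot table with a single role column per (project, user) pair, a Project::users() belongsToMany relation that exposes that column via withPivot('role'), and route-model binding on {project}; the class, alias and rank table are all assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Rejects the request unless the authenticated user holds at least the
 * required role on the project resolved from the route, e.g.
 *
 *   Route::put('/projects/{project}/pages/{page}', [PageController::class, 'update'])
 *        ->middleware(['auth:sanctum', 'project.role:editor']);
 *
 * Assumed schema (not from the original post): project_user(project_id, user_id, role),
 * with Project::users() defined as belongsToMany(User::class)->withPivot('role').
 * Register the alias 'project.role' => EnsureProjectRole::class in the app's middleware config.
 */
class EnsureProjectRole
{
    // Ordered so that a higher role implies the lower ones; unknown roles rank as 0.
    private const RANK = ['reader' => 1, 'editor' => 2, 'admin' => 3];

    public function handle(Request $request, Closure $next, string $required): Response
    {
        $user = $request->user();
        $project = $request->route('project'); // Project model via implicit binding

        if ($user === null || $project === null) {
            abort(401);
        }

        // Look up this user's membership row on this project only; a role held on
        // another project is irrelevant here, which is exactly the scoping wanted.
        $membership = $project->users()->whereKey($user->getKey())->first();
        $held = $membership?->pivot->role;

        // Fail closed: no membership, an unknown stored role, or an unknown
        // required role name all deny access.
        $heldRank = self::RANK[$held ?? ''] ?? 0;
        $requiredRank = self::RANK[$required] ?? PHP_INT_MAX;

        if ($heldRank < $requiredRank) {
            abort(403, "Requires the {$required} role on project {$project->getKey()}");
        }

        return $next($request);
    }
}
```

Because the project comes from the route rather than from the request body, a client cannot pass a project id it is an admin on while editing a different one; the check and the resource always refer to the same {project}.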