Lesson 42 • Advanced

RBAC & ACL Permissions 🔒

Implement role-based access control with role hierarchies, permission middleware, and database-backed authorization for PHP applications.

What You'll Learn in This Lesson

• Difference between RBAC and ACL approaches
• Define roles with permissions and inheritance hierarchies
• Build permission middleware for route protection
• Design the database schema for roles and permissions
• Check access with can() and requireAny() patterns

Note: PHP runs on a server. Our examples simulate PHP logic using JavaScript. To run real PHP, install PHP.

🎯 Real-World Analogy: RBAC is like a hotel key card system. Guests (viewers) can enter their room. Staff (editors) can enter service areas. Managers (admins) can enter every room. You don't program each door individually — you assign a role, and the role determines which doors open.

Role-Based Access Control

RBAC assigns permissions to roles (not directly to users), then assigns roles to users. Role hierarchies let admin inherit all editor and viewer permissions automatically. This scales to thousands of users — change a role's permissions once, and it applies to everyone with that role.

Try It: RBAC System

Define roles with inheritance, assign to users, and check access

Try it Yourself »

JavaScript

// Role-Based Access Control (RBAC) in PHP
console.log("=== RBAC vs ACL — What's the Difference? ===");
console.log();
console.log("  RBAC (Role-Based):");
console.log("    Users → Roles → Permissions");
console.log("    'Alice is an Editor, Editors can publish posts'");
console.log("    ✅ Simple, scalable, most common");
console.log();
console.log("  ACL (Access Control List):");
console.log("    Users → Specific Resource Permissions");
console.log("    'Alice can edit Post #42 specifically'");
...

Permission Middleware & Schema

Protect routes with middleware that checks permissions before the controller runs. If the user lacks the required permission, return 403 Forbidden. The database schema uses pivot tables (role_permissions, user_roles) for many-to-many relationships.

Try It: Permission Middleware

Protect routes with permission checks and see the database schema

Try it Yourself »

JavaScript

// Permission Middleware & Database Schema
console.log("=== Permission Middleware Pattern ===");
console.log();

class PermissionMiddleware {
  constructor(rbac) { this.rbac = rbac; }

  require(permission) {
    return (request) => {
      let userId = request.userId;
      let allowed = this.rbac.can(userId, permission);
      
      if (!allowed) {
        console.log("  🚫 403 Forbidden: " + request.method + " " + request.path);
        console.log("     User " + userId + " lacks permission:
...

⚠️ Common Mistakes

⚠️

Checking roles instead of permissions — Don't write if (user.role === 'admin'). Check if (user.can('users.delete')). This way, adding a new role doesn't require changing code.

⚠️

Client-side only authorization — Hiding a button doesn't prevent the action. Always enforce permissions on the server. The frontend is just UX polish.

💡

Pro Tip: Cache user permissions in the session after login. Query the database only once per session, not on every request.

📋 Quick Reference — Authorization

Pattern	Description
RBAC	Users → Roles → Permissions
ACL	Users → Specific resource permissions
Pivot Table	Many-to-many relationship table
Middleware	Pre-controller permission check
Gate/Policy	Laravel's authorization abstractions

🎉 Lesson Complete!

You can now build authorization systems! Next, learn to abstract file storage across local, S3, and cloud providers.