MoonShine handles authorization and access control through a built-in authentication system and can be extended with role-based access controls and permission management systems. The framework provides a default authentication mechanism while allowing customization and integration with established Laravel packages such as Spatie's Laravel Permissions for fine-grained access control.
Built-in Authentication System
MoonShine comes with a built-in authentication system that uses its own user model and guard by default to manage admin panel access. This system is enabled by default and allows developers to quickly set up secure access without separate authentication configuration. The core settings for authentication, such as enabling/disabling authentication, configuring the guard, specifying the user model, middleware, and authentication pipelines, are located in the `config/moonshine.php` file under the `auth` section.
Typical configuration includes:
- enabled: Whether authentication is active.
- guard: The name of the authentication guard (default is 'moonshine').
- model: The user model class to use for authentication (default is `MoonshineUser`).
- middleware: Middleware class used for enforcing authentication.
- pipelines: Additional processing steps for authentication.
Developers can adjust this configuration to integrate with their own user models or middleware layers to customize access control flows.
Role-Based Access Control (RBAC)
MoonShine supports role-based access control by allowing the use of middleware to restrict admin panel access based on user roles or other conditions. This functionality enables developers to create custom middleware that implements access policies such as allowing only users with the "admin" role to proceed.
For example, a middleware class, `CheckAdminRole`, might look like this:
php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class CheckAdminRole
{
public function handle(Request $request, Closure $next): Response
{
if ($request->user() && ! $request->user()->hasRole('admin')) {
abort(403, 'Access denied.');
}
return $next($request);
}
}
This middleware checks if the authenticated user possesses the required role and denies access if not. To enforce this role check, the middleware needs to be registered in MoonShine's middleware configuration array.
Through this approach, MoonShine encourages a modular way of enforcing authorization rules by leveraging Laravel's middleware architecture.
Integration with Spatie Laravel Permissions Package
For more advanced and granular access control, MoonShine can be extended using a dedicated package called "moonshine-roles-permissions," which builds on the popular Spatie Laravel Permissions package. This package enhances the admin panel's authorization capabilities by providing a full role-permission management system.
Key features of this integration include:
- Managing roles and permissions with a clear mapping between them.
- Assigning multiple permissions to roles.
- Bulk role assignment to multiple users.
- Seamless use of Spatie's API for checking roles and permissions on users.
- Using a different user model (e.g., the default Laravel User model) instead of Moonshine's own user model to leverage the package functionality fully.
To use it, developers first install the package via Composer and adjust the MoonShine configuration to use their custom user models and roles. The role model should extend Spatie's Role model to integrate properly.
Example usage involves creating users, roles, and permissions and assigning permission checks within resources or menus:
php
protected function menu(): array
{
return [
MenuItem::make('Posts', PostResource::class)
->canSee(fn () => auth()->user()->isHavePermission(PostResource::class, Ability::VIEW)),
];
}
Here, menu visibility is controlled by checking the user's permissions defined in the Spatie system, which can distinguish multiple abilities like view, edit, delete, etc.
Permissions Trait and Custom User Models
MoonShine also provides traits to extend user models for permission handling. The `HasMoonShinePermissions` trait can be added to the user model to integrate MoonShine's permission handling features, while `WithPermissions` can be added to resource classes to enable permission-aware resource management.
This allows for fine-grained access control on both user and resource levels, leveraging permission checks consistently across the admin interface.
Middleware and Authorization Gates
Authorization also integrates with Laravel's Gate system, enabling the definition of authorization logic via gates for permissions:
php
use Illuminate\Support\Facades\Gate;
Gate::define('edit-posts', function ($user) {
return $user->hasPermissionTo('edit posts');
});
MoonShine can register multiple gates from its configuration, allowing dynamic permission checks anywhere in the app, controlling what actions users can perform.
Authentication and Access Control Summary
- MoonShine includes a default authentication system that can be customized or disabled.
- Access control can be enforced via middleware to restrict access by roles or other criteria.
- The moonshine-roles-permissions package adds role and permission management for advanced RBAC.
- Users and roles are flexible with support for custom user models.
- Permission traits allow seamless permission checks in resources and users.
- Authorization gates define fine-grained access policies.
- Menu items and resources visibility can be dynamically controlled based on permissions.