Laravel Access Control List

The Laravel ACL package is open-sourced software and licensed under the terms of MIT license.This package allows you to manage user permissions and groups in a database.

Getting started


To get started with laravel-acl, use Composer to add the package to your project's dependencies:

    composer require mateusjunges/laravel-acl 

After installing the laravel-acl package, register the service provider in config/app.php configuration file:

    'providers' => [
Install using acl:install command

You can install this package by running the provided install command:

    php artisan acl:install
Step by step installation

All migrations required for this package are already included. If you need to customize the tables, you can publish the migrations with:

    php artisan vendor:publish --provider="Junges\ACL\ACLServiceProvider" --tag="acl-migrations" 

And set the config for custom_migrations to true, which is false by default.

    'custom_migrations' => true, 

After the migrations has been published you can create the tables on your database by running the migrations:

    php artisan migrate 

If you change the table names on migrations, please publish the config file and update the tables array. You can publish the config file with:

    php artisan vendor:publish --provider="Junges\ACL\ACLServiceProvider" --tag="acl-config"


First of all, use the UsersTrait.php on your User model:


namespace App;
use Laravel\Passport\HasApiTokens;
use Illuminate\Notifications\Notifiable;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Junges\ACL\Traits\UsersTrait;
class User extends Authenticatable
    use HasApiTokens, Notifiable,UsersTrait;


You can add permissions to a user using the function below, using as parameter permissions slugs, permissions ids or instance of permissions model. Beside that, you can also combine this 3 ways, using a permission id, one instance of permission model and a permission slug too. As for demo propose we assign user to a group and revoke group according to route call.


namespace App\Http\Controllers;
use Illuminate\Support\Facades\Auth;
use App\Http\Controllers\Controller;
use App\User;
use \Junges\ACL\Http\Models\Group;
use Illuminate\Support\Facades\DB;
use \Junges\ACL\Http\Models\Permission;
use Illuminate\Http\Request;

class AccessController extends Controller
    public function index(){

        // Breadcrumbs  
         $breadcrumbs = [
            ['link' => "modern", 'name' => "Home"], ['link' => "javascript:void(0)", 'name' => " Extra Components"], ['name' => "Access Controller"],
        //Pageheader set true for breadcrumbs
        $pageConfigs = ['pageHeader' => true];
            return view('pages.access-control',['pageConfigs'=>$pageConfigs,'breadcrumbs'=>$breadcrumbs]);
        public function roles($role){
                // check group is empty
                $group = DB::table('groups')->count();
                if($group == null){
                    //if group empty add two group and assign permission
                    $group = new Group;            
                    $group->name = "Admin";
                    $group->slug = "admin-user";
                    $group->description = "Monitor and manage everything";
                    $group = new Group;            
                    $group->name = "Editor";
                    $group->slug = "editor-user";
                    $group->description = "User can only edit post.";
            //    if 
                $user = Auth::user();
                $user->assignGroup('admin-user', 'editor-user');
                if($role === 'admin'){
            return redirect()->back();
        public function home(){
            return view('pages.dashboard-ecommerce');

If you want to use the middleware provided by this package ( PermissionMiddleware , GroupMiddleware , HierarchicalPermissions e PermissionOrGroupMiddleware ), you need to add them to the app/Http/Kernel.php file, inside the routeMiddleware array:

    protected $routeMiddleware = [
    'permissions' => \Junges\ACL\Middlewares\PermissionMiddleware::class,
    'groups' => \Junges\ACL\Middlewares\GroupMiddleware::class,
    'permissionOrGroup' => \Junges\ACL\Middlewares\PermissionOrGroupMiddleware::class,
    'hierarchical_permissions' => \Junges\ACL\Middlewares\HierarchicalPermissionsMiddleware::class

Then you can protect you routes using middleware rules:

    // acess controller
    Route::get('/access-control', 'AccessController@index');
    Route::get('/access-control/{roles}', 'AccessController@roles');
    Route::get('/modern-admin', 'AccessController@home')->middleware('permissions:approve-post');

Using artisan commands

You can create a group or a permission from a console with artisan commands:

    php artisan group:create name slug description
    php artisan permission:create name slug description

You'll need to create two permission using artisan commands. Run below command.

    php artisan permission:create edit edit-post description
    php artisan permission:create approve approve-post description 

We used wildcard route for assign and revoke groups to users.

    <div class="roles">
      <a href="access-control/admin" class="btn btn-primary mr-2">Admin<a>
      <a href="access-control/editor" class="btn btn-secondary">Editor<a>
Blade and permissions

To check for permissions with this package, you can still using laravel built in @can blade directive and can() method:

    <button class="btn btn-primary">Only Admin</button>