A flexible ABAC implementation for Laravel 13+ with a developer-friendly permission management API.
composer require zennit/abacPublish config and run migrations:
php artisan vendor:publish --provider="zennit\ABAC\Providers\AbacServiceProvider"
php artisan migrate- Add the middleware to protected routes:
Route::middleware(['web', 'abac'])->group(function () {
Route::get('/posts/{post}', fn (Post $post) => $post);
});- Add a permission:
use zennit\ABAC\Facades\Abac;
Abac::addPermission('read', App\Models\Post::class, [
'role' => 'editor',
'resource.owner_id' => 123,
]);- Request is allowed when actor/resource attributes satisfy the grant constraints.
The package registers utility commands for consumer setup:
php artisan abac:publish
php artisan abac:publish-config
php artisan abac:publish-env
php artisan abac:scaffold --from-routesabac:publishruns config + env publishing in one command.abac:publish-configpublishesconfig/abac.php.abac:publish-envappends missing ABAC environment variables to a chosen env file.abac:scaffold --from-routesgenerates a starter policy JSON scaffold fromabac.middleware.resource_patterns.
Seed permissions from your consuming application's seeders instead of package-provided seeders:
<?php
namespace Database\Seeders;
use Illuminate\Database\Seeder;
use zennit\ABAC\Facades\Abac;
class AbacPermissionSeeder extends Seeder
{
public function run(): void
{
Abac::addPermission('read', App\Models\Post::class, [
'role' => 'editor',
'resource.owner_id' => '123',
]);
Abac::addPermission('update', App\Models\Post::class, [
'actor.role' => 'admin',
]);
}
}Then call your seeder from DatabaseSeeder as part of your normal app bootstrap.
Full docs: https://zennit-dev.github.io/abac/
Local docs index: docs/index.md
MIT License — see LICENSE.md