PatoLab uses a flat role-based access control (RBAC) system: every user belongs to exactly one role, and each role carries a set of permissions that gate individual UI routes and controller actions. Permissions follow a consistent resource.action naming convention (e.g., specimens.view, invoices.manage) and are enforced server-side via Laravel’s Gate::authorize() calls — bypassing the UI does not bypass the guard.
```
Role ──────────< role_permission >────────── Permission
 │              (many-to-many pivot)
 │
 └── has many ──► User (role_id FK)
```

| Model | Key fields | Relationships |
|---|---|---|
| Role | name, slug | belongsToMany(Permission), hasMany(User) |
| Permission | name, slug | belongsToMany(Role) |
| User | name, email, role_id, active, user_signature | belongsTo(Role) |
A user’s effective permissions are the union of all permissions attached to
their role. There is no per-user permission override — change a user’s role to
change their access level.
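The enforcement path described above (a "resource.action" slug resolved from the user's single role and checked server-side through Gate::authorize) as an added PHP example. This is not PatoLab's own code: hasPermission(), the Gate::before hook and SpecimenController are assumed names, and the only thing taken from the page is the Role/Permission/User model layout.

```php
<?php
// Added illustration, not PatoLab's own code. hasPermission(), the Gate::before
// hook and SpecimenController are hypothetical names, not the project's.
namespace App\Models;
use Illuminate\Foundation\Auth\User as Authenticatable;
class User extends Authenticatable
{
    public function role() { return $this->belongsTo(Role::class); }

    // Effective permissions are exactly the role's permissions (no per-user override);
    // a deleted role (null) yields none. The active check is defence in depth.
    public function hasPermission(string $slug): bool
    {
        if (! $this->active || $this->role === null) {
            return false;
        }
        return $this->role->permissions->contains('slug', $slug);
    }
}

namespace App\Providers;
use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Answer any "resource.action" ability from the role's permissions;
        // null lets other abilities fall through to ordinary gates/policies.
        Gate::before(function (User $user, string $ability): ?bool {
            if (! preg_match('/^[a-z_]+\.[a-z_]+$/', $ability)) {
                return null;
            }
            return $user->hasPermission($ability);
        });
    }
}

namespace App\Http\Controllers;
use Illuminate\Support\Facades\Gate;
class SpecimenController extends Controller
{
    public function index()
    {
        Gate::authorize('specimens.view'); // enforced even if the UI link was hidden
        return view('specimens.index');
    }
}
```

Because every check reads the role's permission collection, eager-load or cache it per request on busy routes rather than querying the pivot for each authorize call.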
Three roles are seeded automatically by RolesSeeder (which calls
PermissionsSeeder and MorePermissionsSeeder internally). Run the seeder
to bootstrap a fresh installation:
```bash
php artisan db:seed --class=RolesSeeder
```
Administrador (slug: admin)
Receives all permissions in the system. The seeder calls
$admin->permissions()->sync($allPermissions->pluck('id')), so any new
permission added by a future migration is automatically available to admins
after re-running the seeder.
Patólogo (slug: pathologist)
Full access to specimens, patients, and inventory management. Read-only access
to the user list. Does not have access to roles, CAI ranges, invoices,
sequences, or system settings.

Included permissions:

Técnico Patólogo
Scoped to work-order management only. Intended for lab technicians who
execute the physical processing steps assigned to them by pathologists.

Included permissions:
Navigate to /roles to access the full roles CRUD interface.
The required permission is roles.view (to view) and roles.create/roles.edit
to make changes.

From the roles page you can:

- Create a new role with a unique name and slug
- Attach or detach permissions using the permission matrix
- Delete roles that are no longer needed (users assigned to a deleted role lose all permissions)
The admin role is created by the seeder with slug: admin. You can rename
it via the UI, but avoid changing its slug if any code references it
directly.
Navigate to /users to create, edit, deactivate, or delete user accounts.
When creating or editing a user, select their Role from the dropdown — this
is a required field.

Key user fields:

| Field | Notes |
|---|---|
| name | Display name shown throughout the platform |
| email | Login credential; must be unique |
| password | Hashed with bcrypt (rounds controlled by BCRYPT_ROUNDS) |
| role_id | Foreign key to the roles table |
| active | Boolean flag; inactive users cannot log in |
| user_signature | Image upload used when signing PDF reports (pathologists) |
PatoLab uses Laravel Fortify for authentication with full
two-factor authentication (2FA) support via the TwoFactorAuthenticatable
trait. Users can enroll their own TOTP device from the profile / security
settings page. The 2FA secret is stored in two_factor_secret (hidden from
API responses) and the two_factor_confirmed_at timestamp records when 2FA
was confirmed.
If you add new permissions to the codebase (e.g., for a new feature module),
run the seeders again to upsert them into the database without destroying
existing role assignments:
Both seeders use updateOrCreate keyed on the slug column, so running them
on an existing database is safe — existing permissions are updated in place and
no duplicates are created. After running, go to /roles and attach the
new permissions to the appropriate roles.
To fully reset roles and re-sync all permissions (destructive to custom role
assignments):
PatoLab includes a lightweight commission module for tracking pathologist
earnings:

- /user-commission-rules — Define percentage or flat-rate commission
  rules per user (pathologist). Requires user_commission_rules.* permissions.
- /user-commissions — View and reconcile generated commission records.
  Supports update and delete operations. Requires no special create permission
  (commissions are generated automatically when specimens are invoiced).

These routes are only meaningful for users with the pathologist role or
equivalent; the Técnico Patólogo role has no commission permissions by default.