Checking Permissions

Laravel Permission provides multiple methods to check if a user has specific permissions or roles. These checks work seamlessly with both direct permissions and permissions inherited through roles.

Verify if a user has specific permissions.

hasPermissionTo()
checkPermissionTo()
can() - Laravel's Native

Check if a user has a specific permission:

$user = User::find(1);

// Check by permission name
if ($user->hasPermissionTo('edit articles')) {
    // User has the permission
}

// Check with specific guard
if ($user->hasPermissionTo('edit articles', 'api')) {
    // User has the permission on api guard
}

// Using Permission model
$permission = Permission::findByName('edit articles');
if ($user->hasPermissionTo($permission)) {
    // User has the permission
}

Throws PermissionDoesNotExist exception if the permission doesn’t exist in the database.

Safe version that doesn’t throw exceptions:

// Returns false if permission doesn't exist
if ($user->checkPermissionTo('edit articles')) {
    // User has the permission
}

// This won't throw an exception even if 'nonexistent' doesn't exist
if ($user->checkPermissionTo('nonexistent permission')) {
    // Will be false
}

Use checkPermissionTo() when you’re not sure if the permission exists.

Laravel’s built-in authorization method also works:

// Laravel automatically registers permissions with the Gate
if ($user->can('edit articles')) {
    // User can edit articles
}

// In controllers
$this->authorize('edit articles');

The package automatically registers all permissions with Laravel’s Gate system.

Checking Multiple Permissions

Check if a user has any or all of multiple permissions.

hasAnyPermission()
hasAllPermissions()
canAny() - Laravel Native

Check if user has at least one of the given permissions:

// Returns true if user has ANY of these permissions
if ($user->hasAnyPermission(['edit articles', 'delete articles'])) {
    // User can either edit OR delete articles
}

// Works with variable arguments
if ($user->hasAnyPermission('edit articles', 'delete articles')) {
    // Same as above
}

Check if user has all of the given permissions:

// Returns true only if user has ALL these permissions
if ($user->hasAllPermissions(['edit articles', 'publish articles'])) {
    // User can both edit AND publish articles
}

// Works with variable arguments
if ($user->hasAllPermissions('edit articles', 'publish articles')) {
    // Same as above
}

Laravel’s native method for checking multiple permissions:

// Check if user can perform any of these actions
if ($user->canAny(['edit articles', 'delete articles'])) {
    // User can edit OR delete
}

Checking Direct Permissions

Check only directly assigned permissions, ignoring role permissions.

// Check if user has direct permission (not via role)
if ($user->hasDirectPermission('edit articles')) {
    // User was directly given this permission
}

// Check multiple direct permissions (any)
if ($user->hasAnyDirectPermission('edit articles', 'delete articles')) {
    // User has at least one direct permission
}

// Check multiple direct permissions (all)
if ($user->hasAllDirectPermissions('edit articles', 'publish articles')) {
    // User has all these direct permissions
}

These methods check ONLY direct permissions and ignore permissions inherited through roles.

Checking Roles

Verify if a user has specific roles.

hasRole()
hasAnyRole()
hasAllRoles()
hasExactRoles()

Check if user has a specific role:

// Check single role (string)
if ($user->hasRole('writer')) {
    // User has the writer role
}

// Check with Role model
$role = Role::findByName('writer');
if ($user->hasRole($role)) {
    // User has the role
}

// Check multiple roles (returns true if user has ANY)
if ($user->hasRole(['writer', 'editor'])) {
    // User is either a writer OR editor
}

// Using pipe separator
if ($user->hasRole('writer|editor')) {
    // Same as array
}

Alias to hasRole() for checking multiple roles:

// More explicit method name
if ($user->hasAnyRole('writer', 'editor', 'admin')) {
    // User has at least one of these roles
}

if ($user->hasAnyRole(['writer', 'editor', 'admin'])) {
    // Same as above
}

Check if user has all specified roles:

// Returns true only if user has ALL roles
if ($user->hasAllRoles(['writer', 'reviewer'])) {
    // User is both a writer AND reviewer
}

// With specific guard
if ($user->hasAllRoles(['writer', 'reviewer'], 'api')) {
    // Check on specific guard
}

Check if user has exactly these roles (no more, no less):

// Returns true only if user has EXACTLY these roles
if ($user->hasExactRoles(['writer', 'reviewer'])) {
    // User has exactly these two roles, no others
}

// If user has ['writer', 'reviewer', 'editor'], this returns false
// If user has only ['writer'], this also returns false

Method Signatures

Key method signatures from the source code:

// Check if has permission (throws exception if not found)
public function hasPermissionTo(
    string|int|Permission|BackedEnum $permission, 
    ?string $guardName = null
): bool

// Safe check (returns false if not found)
public function checkPermissionTo(
    string|int|Permission|BackedEnum $permission, 
    ?string $guardName = null
): bool

// Check any permission
public function hasAnyPermission(
    string|int|array|Permission|Collection|BackedEnum ...$permissions
): bool

// Check all permissions
public function hasAllPermissions(
    string|int|array|Permission|Collection|BackedEnum ...$permissions
): bool

// Check direct permission
public function hasDirectPermission(
    string|int|Permission|BackedEnum $permission
): bool

Understanding Permission Checks

Permission checks follow this logic:

Direct Permissions First

Check if user has the permission assigned directly:

$hasDirectPermission = $user->hasDirectPermission('edit articles');

Then Via Roles

If not found directly, check if user has it through any role:

$hasViaRole = $user->hasPermissionViaRole($permission);

Combined Result

The permission is granted if found in either source:

// Internal logic of hasPermissionTo()
return $this->hasDirectPermission($permission) 
    || $this->hasPermissionViaRole($permission);

Using in Controllers

Common patterns for checking permissions in controllers:

Manual Checks
Using authorize()
Constructor Middleware

namespace App\Http\Controllers;

class ArticleController extends Controller
{
    public function edit(Article $article)
    {
        if (! auth()->user()->can('edit articles')) {
            abort(403);
        }

        return view('articles.edit', compact('article'));
    }
}

public function edit(Article $article)
{
    // Throws 403 if user doesn't have permission
    $this->authorize('edit articles');

    return view('articles.edit', compact('article'));
}

class ArticleController extends Controller
{
    public function __construct()
    {
        // Check permission for all methods
        $this->middleware('can:edit articles');

        // Check for specific methods
        $this->middleware('can:delete articles')->only('destroy');
    }
}

Wildcard Permissions

If wildcard permissions are enabled, you can use pattern matching:

// User has permission: 'articles.*'
$user->givePermissionTo('articles.*');

// These all return true:
$user->hasPermissionTo('articles.edit');
$user->hasPermissionTo('articles.delete');
$user->hasPermissionTo('articles.publish');

Wildcard permissions must be enabled in the config:

'enable_wildcard_permission' => true,