Tiered and limited permissions

[ChristianPavilonis]

Here's something I hacked on to extend this package for a subscription platform I built. We needed many different tiers of the same permissions, for example a monthly subscriber could download 5 videos per month and 10 for yearly.I extended the permission class and added a few columns to the permissions table.

Here's my migration:

 Schema::create($tableNames['permissions'], function (Blueprint $table) {
    $table->bigIncrements('id');
    $table->string('name');
    $table->string('guard_name');
    $table->unsignedInteger('limit')->nullable(); // new
    $table->unsignedInteger('tier')->nullable();  // new
    $table->timestamps();

    $table->unique(['name', 'tier','guard_name']);
});

My extended permission model:

class Permission extends \Spatie\Permission\Models\Permission
{
    public static function create(array $attributes = [])
    {
        $attributes['guard_name'] = $attributes['guard_name'] ?? Guard::getDefaultName(static::class);
        $attributes['tier']       = $attributes['tier'] ?? null;

        $permission = static::getPermission([
            'name'       => $attributes['name'],
            'tier'       => $attributes['tier'],
            'guard_name' => $attributes['guard_name'],
        ]);

        if ($permission) {
            throw PermissionAlreadyExists::create($attributes['name'], $attributes['guard_name']);
        }

        return static::query()->create($attributes);
    }
}

Previously you couldn't create two permissions with the same name, overriding the create() method allows for multiple permissions with the same name but with different tiers.

Finally I made a HasTieredPermissions trait for our user:

trait HasTieredPermissions
{
    use HasRoles;

    public function getPermissionLimit($permission, $guardName = null) : int
    {
        if (is_string($permission)) {
            $permission = $this->getHighestTier($permission);
        }

        if (is_int($permission)) {
            $permission = $this->getPermissionClass()->findById(
                $permission,
                $guardName ?? $this->getDefaultGuardName()
            );
        }

        return $permission?->limit ?? 0;
    }

    public function givePermissionWithTier($permission, $tier, $guard = null) : self
    {
        $permissionClass = $this->getPermissionClass();

        $permission = $permissionClass::where([
            'name' => $permission,
            'tier' => $tier,
        ])->first();

        return $this->givePermissionTo($permission);
    }

    public function getHighestTier(string $permission)
    {
        return $this->getPermissionClass()
                    ::where('name', $permission)
                    ->get()
                    ->reduce(function ($carry, Permission $permission) {
                        if ($this->hasPermissionTo($permission) && $permission->tier > $carry?->tier) {
                            return $permission;
                        }
                        return $carry;
                    });
    }

    public function hasPermissionTo($permission, $guardName = null) : bool
    {
        if (config('permission.enable_wildcard_permission', false)) {
            return $this->hasWildcardPermission($permission, $guardName);
        }

        $permissionClass = $this->getPermissionClass();

        if (is_string($permission)) {
            $permissions = $this->getPermissionClass()::getPermissions(['name' => $permission]);

            return $permissions->reduce(
                      fn(bool $carry, PermissionContract $p) => $carry || $this->hasDirectPermission($p) || $this->hasPermissionViaRole($p), 
                      false
                   );
        }

        if (is_int($permission)) {
            $permission = $permissionClass->findById(
                $permission,
                $guardName ?? $this->getDefaultGuardName()
            );
        }

        if (!$permission instanceof PermissionContract) {
            throw new PermissionDoesNotExist();
        }

        return $this->hasDirectPermission($permission) || $this->hasPermissionViaRole($permission);
    }

The trait includes the HasRoles trait. I override the hasPermissionTo method to account for multiple permissions under the same name.
In addition I add a method to assign a permission of a specific tier, a method to get the highest tier a user has in case they have multiple of the same permission, and lastly a method to get the limit of a permission.

Example Usage:

$tier1 = Permission::create(['name' => 'download', 'tier' => 1, 'limit' => 5]);
$tier2 = Permission::create(['name' => 'download', 'tier' => 2, 'limit' => 10]);

$user->givePermissionWithTier('download', 1);

$user->hasPermissionTo('download'); // true
$user->hasPermissionTo($tier1); // true
$user->hasPermissionTo($tier2); // false

$user->getPermissionLimit('download'); // 5

I enjoyed hacking on this hopefully it'll be useful to someone.

[erikn69]

Looks great, but why don't use the cache everywhere? less db calls, better performance

-$permissionClass = $this->getPermissionClass();
-$permission = $permissionClass::where([
-    'name' => $permission,
-    'tier' => $tier,
-])->first();
+$permission  = $this->getPermissionClass()::getPermissions([
+    'name' => $permission,
+    'tier' => $tier,
+], true)->first();

return $this->getPermissionClass()
-      ::where('name', $permission)
-      ->get()
+      ::getPermissions(['name' => $permission])
      ->reduce(function ($carry, Permission $permission) {

[ChristianPavilonis]

Ah, I'll have to try that.

[erikn69]

Don't forget composer update 👍

https://github.com/spatie/laravel-permission/releases/tag/5.5.4

• Support custom fields on cache #2091