Access Control

laravel-admin has built-inRBAC permissions control module, expand the left sidebar Auth, you can see user, permissions and roles management panel, the use of permissions control as follows:

Route permission

In the laravel-admin 1.5, the permissions and routes are bound together, in the edit permission page which set the current permissions can access the routing, in the HTTP method select box to select the method of access to the path, in the HTTP path textarea fill in the path to access.

For example, to add a permission, the permission can access the path /admin/users in GET method, then HTTP method select GET, HTTP path fill in /users.

If you want to access all paths with the prefix /admin/users, then the HTTP path fill in /users*, if the permissions include multiple access paths, wrap the line for each path.

Page permission

If you want to control the user's permissions in the page, you can refer to the following example


For example, there is now a scene, here is a article module, we use create articles as an example

At first open http://localhost/admi/auth/permissions, fill up slug field with text create-post, and Create post in name field, then assign this permission to some roles.

In your controller action:

use Encore\Admin\Auth\Permission;

class PostController extends Controller
    public function create()
        // check permission, only the roles with permission `create-post` can visit this action


If you want to control the page elements of the user's display, then you need to first define permissions, such as delete-image and view-title-column, respectively, to control the permissions to delete pictures and display a column in grid, then assign these two permissions to roles, add following code to the grid:

$grid->actions(function ($actions) {

    // The roles with this permission will not able to see the delete button in actions column.
    if (!Admin::user()->can('delete-image')) {

// Only roles with permission `view-title-column` can view this column in grid
if (Admin::user()->can('view-title-column')) {

Other methods

Get current user object.


Get current user id.


Get user's roles.


Get user's permissions.


User is role.


User has permission.


User don't has permission.


Is user super administrator.


Is user in one of roles.

Admin::user()->inRoles(['editor', 'developer']);

Permission middleware

You can use permission middleware in the routes to control the routing permission

// Allow roles `administrator` and `editor` access the routes under group.
    'middleware' => 'admin.permission:allow,administrator,editor',
], function ($router) {

    $router->resource('users', UserController::class);


// Deny roles `developer` and `operator` access the routes under group.
    'middleware' => 'admin.permission:deny,developer,operator',
], function ($router) {

    $router->resource('users', UserController::class);


// User has permission `edit-post`、`create-post` and `delete-post` can access routes under group.
    'middleware' => 'admin.permission:check,edit-post,create-post,delete-post',
], function ($router) {

    $router->resource('posts', PostController::class);


The usage of permission middleware is just as same as other middleware.