Laravel extension recommendation: role and permission management tool "Bouncer"

After years of development, 56 releases, 1.3 million downloads, and over 2,800 active followers Bouncer has finally arrived at version 1.0. It has been extremely reliable and stable for quite some time, and is used in production by countless apps around the world.

This is a personal update containing some of my thoughts over the years - from inception to final release. For technical information on how to use Bouncer every day, check out the extensive documentation or listen to my discussion with Matt Stover on The Laravel Podcast.

---

What is Bouncer?

#Before starting my personal journey, here is a brief introduction to what Bouncer is and How it fits into the larger Laravel ecosystem.

Bouncer is an open source package for dynamically managing roles and permissions in a database, fully integrated with Laravel's Gate.

Without going into too much detail, here is a short list of some of its main features:

• Simple abilities:

  Bouncer::allow($user)->to('access-dashboard');

• Model abilities:

  Bouncer::allow($user)->to('view', Invoice::class);
  Bouncer::allow($user)->to('delete', $invoice);

• Flexible roles :

  Bouncer::allow('admin')->everything();
  Bouncer::assign('admin')->to($user);

• Forbidding abilities:

  Bouncer::allow($user)->to('view', Invoice::class);
  Bouncer::forbid($user)->to('view', $confidentialInvoice);

• Powerful ownership:

  Bouncer::allow($user)->toOwn(Post::class);

• Straighforward multi-tenancy:

  Bouncer::scope()->to($tenantId);

• Built-in caching

  Bouncer::cache();

... there are more. For more information, check out the Full Documentation, or just browse the Cheat Sheet.

Bouncer Initial Thoughts

Back in August 2015, Taylor added a new authorization system in Laravel 5.2 called Gate. This provides a nice API for defining permission checks for various operations in your application, simple definition callbacks and complete policies, and Hooks check permissions throughout the system based on what you define.

When I started using it, I knew this would be the future of ACL for all Laravel applications. It's great that Taylor has this amazing feel for clear and intuitive APIs, and the "Gate" abstraction really reveals that.

However, the built-in authorization system is missing one thing: dynamic permissions, stored in a database. The way Gate is built, all checks are performed by hard-coded functions defined in the application, so there's no way for your admin to control any of them at runtime via some dashboard UI. As Taylor's original commit clearly states:

[Built-in Gate] provides a structure for organizing logic that authorizes operations on entities. It does not make any decisions on the definition of "user roles".

At the time, there were many other popular ACL operating systems that supported adjusting permissions at runtime, but they had one major drawback: they were all in Laravel's Gate Built before. They are completely separate systems; if you decide to use them, you give up all the details and beautiful integration that Laravel's gate provides.

So I decided to build an open source package that gives you the best of both worlds: dynamic database-driven permissions, fully integrated with Laravel's gate. We've made some improvements to gate checking in Laravel 5.3 to make it more streamlined and predictable, making it easier to store these functions in the database.

Bouncer’s name and logo

I thought of the name “Bouncer” very early on. Bodyguard's job is to provide security at the door and check people's permissions. So this is a very natural pairing with "Gate" in Laravel.

Interestingly enough, the logo designer I was working with at the time (who was not a native English speaker) didn't get the reference. Here are some of the original logos he designed:

The two on the right were obviously inspired by the bouncing action.

After quickly clarifying the meaning of the word bodyguard, we started iterating on the actual bodyguard logo. We tried friendly bouncers, threatening bouncers, bearded bouncers, square-jawed bouncers, and tons of different variations. Here are just a few:

I absolutely love what we ended up with:

It exudes a strong sense of security sense, but its roundness makes it feel friendlier and less threatening

技术基础

Bouncer's 的存在理由是与 Laravel 的 gate 无缝集成的。为了实现这一点，我心中的只有一个目标：在为用户分配角色和能力时，您只需和 Bouncer 进行交互。对于实际的授权检查，整个系统中 Laravel 的钩子应该自动工作，而不需任何特殊的 Bouncer 语法。ically, without any special Bouncer syntax.

将 Bouncer 挂钩到 Laravel 的 gate 检查方式是相当简单的。Gate 让你定义 一个全局的 before 回调，它将会在任何您定义的检查之前被调用：如果您的 before 回调允许或不许与某个操作，则不会运行进一步检查。

虽然 before 回调最初是为 「允许管理员执行所有操作」之类的东西而设计的，但我立即意识到这将是连接动态检查的理想场所，允许我查询数据库以获得任何权限。这就是它最初的工作方式（我们后来将其切换为使用 after 回调 - 你可以阅读更多关于 在此线程）

文档

从一开始，文档对我来说就非常重要。 开源项目的生死取决于他们的文档，所以我希望 Bouncer 的文档尽可能做到最好。尤其是在 Laravel 生态系统中，Taylor 为细致的文档设定了极高的标准。

在某种程度上，清晰的文档有时甚至比代码本身更重要。如果不告诉你的用户如何使用你的工具，他们中很少有人会使用源代码来解决这个问题。他们只会继续做下一件事。

我将 Bouncer 的成功很大程度上归功于清晰的文档，但在这方面还有很多工作要做。作为创建者，对整个谜题有一个清晰的了解，很容易忘记刚接触该工具的人会遇到什么困难。

例如：如前所述，Bouncer 仅用于为用户分配角色和权限。实际的授权检查将像在任何标准 Laravel 应用程序中一样处理。所以我想我不必重复所有这些，因为 Laravel 文档中清楚地概述了它。尽管如此，我仍然看到人们为此苦苦挣扎。他们设置了自己的角色和权限，然后不知道从哪里开始。这是我仍然想在文档中充实的一个领域。

准备发布

将 1.0 版本推迟到现在对我的用户造成了伤害。 Bouncer 多年来一直很稳定，并在世界各地的生产中积极使用。 然而，我总是犹豫要不要发布它，因为我知道我想添加的东西太多了。 我在 播客 上与 Matt 详细讨论了这个问题：我掉进了想要在发布之前让它变得完美的陷阱，这显然是 不可能的。 正如伏尔泰 已警告：「完美是良好的敌人」。

因此，当我发布 Bouncer 1.0 版时，我仍然希望在初始版本中包含 2 个出色的功能，但没有成功：

• 每个模型的角色。 很长一段时间以来，人们一直在吵着要一种方法，只为给定的模型（或模型类）分配角色给用户。 这是该代码的样子：

  // 注意：这还没有实现
  Bouncer::allow('editor')->to(['view', 'edit'])->everything();
  Bouncer::assign('editor')->to($user)->for(Invoice:class);

  这样，用户就可以查看和编辑所有发票，但不能做其他任何事情。 当然，这现在可以在没有角色的情况下直接完成，但通过角色来完成会提供另一层灵活性。

  我已经尝试过多次解决这个问题，但结果非常棘手，因为缓存变成了一场真正的噩梦。 我仍然希望有一天能解决它。 走着瞧。

• 能力限制。 允许对给定能力进行任意限制将增加更精细的控制：

  // 注意：这还没有实现
  Bouncer::allow($user)
  ->to('view', Post::class)
  ->where('is_confidential', false);

  If you explore the Bouncer source code, you'll find some code and tests where I started implementing this. It's far from complete, but stay tuned.

Overall, Bouncer is in a really good spot. Every good product has a long roadmap, and it's foolish and unrealistic to think that I can get to the end of that road before releasing 1.0.

Enjoy using it!

Okay, that’s it. I hope you try using Bouncer in your applications and enjoy using it. Bouncer's API is designed to be like prose, and each method call reads like a proper English sentence. Give it a try and let me know if you feel this way too!

[Related recommendations: laravel video tutorial]

The above is the detailed content of Laravel extension recommendation: role and permission management tool "Bouncer". For more information, please follow other related articles on the PHP Chinese website!