PHPackages                             sefirosweb/laravel-access-list - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. sefirosweb/laravel-access-list

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

sefirosweb/laravel-access-list
==============================

Package for made a simply crud database for advance access list for application with middleware check

v13.0.3(1mo ago)0212MITTypeScriptPHP ^8.3CI passing

Since Dec 19Pushed 1mo ago1 watchersCompare

[ Source](https://github.com/sefirosweb/laravel-access-list)[ Packagist](https://packagist.org/packages/sefirosweb/laravel-access-list)[ RSS](/packages/sefirosweb-laravel-access-list/feed)WikiDiscussions 13.x Synced today

READMEChangelogDependencies (3)Versions (35)Used By (0)

Laravel Access List
===================

[](#laravel-access-list)

ACL package for Laravel: roles, access lists, and a route middleware to gate your app by permission name.

The design goal is to stay out of your auth flow — this package does **not** manage users, sessions or authentication. It only answers the question *"does the currently authenticated user have access to ACL `foo`?"*.

Requirements
------------

[](#requirements)

- PHP `^8.3`
- Laravel `^13.0`

Older majors of Laravel live on separate branches (`12.x`, `9.x`) and only receive critical fixes.

Installation
------------

[](#installation)

```
composer require sefirosweb/laravel-access-list:^13.0
```

The service provider auto-registers via Laravel's package discovery.

Run the migrations:

```
php artisan migrate
```

This creates four tables and seeds two roles and three access lists:

RoleSeeded access lists`admin``admin``acl``acl_view`, `acl_edit`The `admin` access list is a superuser marker: any user whose roles include it passes every `checkAcl:*` check regardless of the ACL name.

Configuration
-------------

[](#configuration)

Publish the config if you want to change the prefix, middleware stack, or override the user model:

```
php artisan vendor:publish --provider="Sefirosweb\LaravelAccessList\LaravelAccessListServiceProvider" --tag=config --force
```

Default `config/laravel-access-list.php`:

```
return [
    'prefix' => 'acl',
    'middleware' => ['web', 'auth', 'checkAcl:acl_edit'],
    'AccessList' => Sefirosweb\LaravelAccessList\Http\Models\AccessList::class,
    'Role'       => Sefirosweb\LaravelAccessList\Http\Models\Role::class,
    'User'       => Sefirosweb\LaravelAccessList\Http\Models\User::class,
];
```

- `prefix`: the URL prefix for the bundled admin UI (`/acl/...`).
- `middleware`: the middleware stack applied to those routes.
- `AccessList` / `Role` / `User`: model classes the package resolves at runtime. The defaults point to the bundled models so the package works out of the box. See *Customizing the User model* below if you want to use your own.

Publish the admin UI assets:

```
php artisan vendor:publish --provider="Sefirosweb\LaravelAccessList\LaravelAccessListServiceProvider" --tag=acl-assets --force
```

Customizing the User model
--------------------------

[](#customizing-the-user-model)

The package ships with `Sefirosweb\LaravelAccessList\Http\Models\User`, fully usable out of the box. Most production apps will want to point at their own `App\Models\User` instead (so it carries auth scaffolding, custom columns, casts, etc.). This follows the same pattern as `spatie/laravel-permission`: the config defaults to the package's model, you override it for your app.

### Recommended: extend the package model

[](#recommended-extend-the-package-model)

This is the simplest and most forward-compatible way — your model inherits `roles()`, `getRules()`, `changeRules()`, `$fillable`, `$hidden` for free, and you only redeclare what you need to customize.

```
// app/Models/User.php
namespace App\Models;

use Sefirosweb\LaravelAccessList\Http\Models\User as AccessListUser;

class User extends AccessListUser
{
    // Your own casts, fillable, scopes, accessors...
}
```

```
// config/laravel-access-list.php
'User' => App\Models\User::class,
```

That's it. The bundled `/acl` UI now operates on your `App\Models\User`.

### Alternative: keep your model independent

[](#alternative-keep-your-model-independent)

If you can't extend (e.g. your `App\Models\User` already extends a base class from another package), the bundled `UserController` is **tolerant** — it guards calls to `getRules()` / `changeRules()` with `method_exists()`, so missing those methods just disables the package's input validation (you can plug in your own `FormRequest` instead). The only hard requirement is the `roles()` relation, used by the "Roles del user" modal:

```
namespace App\Models;

use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    public function roles(): BelongsToMany
    {
        return $this->belongsToMany(
            config('laravel-access-list.Role'),
            'user_has_role'
        );
    }

    // Optional helpers if you want to call $user->hasAcl('foo') from your code:
    public function hasAcl(string $acl): bool { /* ... */ }
}
```

If you also want the package to validate user input on `POST /acl/users` and `PUT /acl/users`, add the static `getRules()` and instance `changeRules()` methods (signatures match the bundled User).

Usage
-----

[](#usage)

### 1. Protect routes with the `checkAcl` middleware

[](#1-protect-routes-with-the-checkacl-middleware)

The service provider registers the middleware alias `checkAcl` automatically.

```
Route::get('/admin/reports', fn () => view('reports'))
    ->middleware(['auth', 'checkAcl:reports_view']);
```

Behaviour when denied:

- JSON / AJAX requests → `401` with `{"message": "You don't have permissions for this site"}`.
- Regular requests → redirect to `/`.

### 2. Manage roles and access lists programmatically

[](#2-manage-roles-and-access-lists-programmatically)

```
use Sefirosweb\LaravelAccessList\Http\Models\AccessList;
use Sefirosweb\LaravelAccessList\Http\Models\Role;

$acl  = AccessList::create(['name' => 'reports_view', 'description' => 'View reports']);
$role = Role::create(['name' => 'analyst',       'description' => 'Analytics staff']);

$role->access_lists()->attach($acl);
$user->roles()->attach($role);

// Now the analyst can access any route protected by `checkAcl:reports_view`.
```

### 3. Manage from the bundled UI

[](#3-manage-from-the-bundled-ui)

After publishing assets and enabling the package routes, browse to `/acl` to use the bundled admin UI for creating roles, access lists, and assigning them to users.

The UI is a React 19 + TanStack Query SPA, fully self-contained — no CDN, no external assets. It talks to the package's REST endpoints under `/acl/*`. Translations ship in ES and EN with browser-language detection and a manual switcher in the top nav.

**Users**

[![Users listing](docs/screenshots/users-list.png)](docs/screenshots/users-list.png)

**Groups (a.k.a. roles)**

[![Groups listing](docs/screenshots/groups-list.png)](docs/screenshots/groups-list.png)

**Access lists**

[![Access lists](docs/screenshots/accesses-list.png)](docs/screenshots/accesses-list.png)

**Relations drawer** — click the count badge on any row to open a searchable, paginated picker with a *Name / Assigned* sort toggle. Toggles are optimistic with rollback on error.

[![Relation picker](docs/screenshots/relation-picker.png)](docs/screenshots/relation-picker.png)

#### Soft-deleted users

[](#soft-deleted-users)

If your `User` model uses `Illuminate\Database\Eloquent\SoftDeletes`, the listing exposes an *Active / All / Deleted* segmented filter and trashed rows show a "Deleted" badge plus a Restore action. The package detects soft delete support automatically by inspecting the configured model's traits (`GET /acl/get_user_fillable_data` returns the schema the form should render).

#### Custom user columns

[](#custom-user-columns)

The Edit/New drawer renders form inputs from the `$fillable` of the configured `User` model. If your `App\Models\User` adds extra columns, they show up automatically with the right input type (string → text, hidden → password, int → number, timestamp → datetime). No need to fork the package frontend.

#### Demo seeder

[](#demo-seeder)

For local development the package ships `Sefirosweb\LaravelAccessList\Seeders\AclDemoSeeder` (100 users, 15 roles, 50 access lists with random many-to-many wiring). Run it from your host's `DatabaseSeeder`:

```
$this->call(\Sefirosweb\LaravelAccessList\Seeders\AclDemoSeeder::class);
```

Or directly: `php artisan db:seed --class="Sefirosweb\\LaravelAccessList\\Seeders\\AclDemoSeeder"`. The seeder is idempotent on roles and access lists (`firstOrCreate`) and skips inserting users when the table already has 100 rows, so it's safe to re-run.

### 4. Check ACL from your own code

[](#4-check-acl-from-your-own-code)

```
$user = request()->user();

if ($user->hasAcl('reports_view')) {
    // ...
}
```

Testing
-------

[](#testing)

The package ships an Orchestra Testbench suite covering middleware behaviour, migrations, and role management.

```
composer install
./vendor/bin/phpunit
```

The full suite uses SQLite `:memory:` and does not need a host Laravel app.

When working from the [laravel-test](https://github.com/sefirosweb/laravel-test) harness with Sail:

```
docker exec -w /var/www/html/packages/laravel-access-list laravel-test-laravel.test-1 ./vendor/bin/phpunit
```

Versioning
----------

[](#versioning)

Major versions are aligned with Laravel majors (`13.x`, `12.x`, `11.x`, `9.x` …). See the root [CLAUDE.md](https://github.com/sefirosweb/laravel-test/blob/13.0/CLAUDE.md) of the test harness for the full policy.

License
-------

[](#license)

MIT.

###  Health Score

50

—

FairBetter than 95% of packages

Maintenance89

Actively maintained with recent releases

Popularity12

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity77

Established project with proven stability

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~48 days

Recently: every ~0 days

Total

34

Last Release

56d ago

Major Versions

0.0.5 → 1.2.12022-08-22

v1.4.0 → 9.x-dev2024-04-16

9.x-dev → v12.0.02026-04-23

v12.0.3 → v13.0.02026-05-09

PHP version history (2 changes)v12.0.0PHP ^8.2

v13.0.0PHP ^8.3

### Community

Maintainers

![](https://www.gravatar.com/avatar/e00c36bae7e59a7375c9bc0e0280ef4004afa4ca968ea6cd62f7d880df2dbd66?d=identicon)[sefirosweb](/maintainers/sefirosweb)

---

Top Contributors

[![sefirosweb](https://avatars.githubusercontent.com/u/20754836?v=4)](https://github.com/sefirosweb "sefirosweb (97 commits)")

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/sefirosweb-laravel-access-list/health.svg)

```
[![Health](https://phpackages.com/badges/sefirosweb-laravel-access-list/health.svg)](https://phpackages.com/packages/sefirosweb-laravel-access-list)
```

###  Alternatives

[statamic-rad-pack/runway

Eloquently manage your database models in Statamic.

135224.7k7](/packages/statamic-rad-pack-runway)[jeremy379/laravel-openid-connect

OpenID Connect support to the PHP League's OAuth2 Server. Compatible with Laravel Passport.

59437.0k9](/packages/jeremy379-laravel-openid-connect)[duncanmcclean/statamic-cargo

Comprehensive e-commerce addon for Statamic. Build bespoke e-commerce sites without the complexity.

3417.0k](/packages/duncanmcclean-statamic-cargo)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
