// the find
spatie/laravel-permission
Associate users with roles and permissions
The de facto standard RBAC package for Laravel. Stores roles and permissions in the database, wires into Laravel's Gate, and ships with Blade directives, middleware, and artisan commands. Fits any Laravel app that needs user role management beyond simple `is_admin` flags.
- Integrates directly with Laravel's Gate, so `$user->can()` and the `@can()` Blade directive just work without learning new APIs
- Permission caching is built in and configurable (Redis, array, etc.), which matters a lot at scale since every request would otherwise hit the DB on every auth check
- Teams support is included for multi-tenant scenarios where the same user needs different roles per team/organization
- Test coverage is thorough and well-organized — separate test files for middleware, traits, cache, Blade, guards, and policies
- Storing permissions as strings in a DB table and loading them all into cache on every request doesn't scale well past a few hundred permissions — the cache payload grows linearly and any permission change flushes the entire cache
- Multiple guards are supported but the interaction between guards and permissions is genuinely confusing and frequently causes silent failures; the docs acknowledge this but the design is awkward
- No built-in permission hierarchy or inheritance — if you want 'admin' to implicitly have all 'editor' permissions you have to wire that up yourself or assign all permissions individually
- The wildcard permission implementation is a custom class that doesn't interoperate naturally with the rest of the package's query scopes, making it harder to use in admin UIs that list permissions