Small businesses like us face the following problems:
We’re working on an Employee Portal to solve all the above problems for us. And we’re building it using what we know best: Laravel.
Laravel has helped us build meaningful ideas for ambitious people. Some from scratch, some that were already built, some that were dying but survived because we rewrote them in Laravel. Laravel provides a huge amount of ammunition to any developer. The inbuilt features are enough to make a robust application. On top of that, there are loads of community packages built only for Laravel. But the best thing about Laravel is not the features or packages, it’s the documentation.
With this tech decision so early in the application lifecycle, it was easy for us to architect everything around Laravel.
When we solve a problem, a new one shows up.
Talking about Employee Portal, we recently finished the Reports section for finances. From a single screen, we can now track our monthly invoices, cash inflow from local and foreign clients, individual project details, dues, GST and other taxes, bank charges etc. Our external accountant (let’s call him Saurav) needed access to the reports section. ONLY, the reports section. We didn’t want him to access HR data, knowledge sharing data, clients, and projects information.
Clearly, the platform needed an Access Control Mechanism. And that’s where Laravel made it easy.
Going through our cataloged items, I figured we had already researched a lot on implementing ACL in Laravel. A year ago, while working on a Laravel based healthcare project, Tushar did some research and also wrote an article on how he implemented a modified role-based access control.
We figured we can follow the conventional way of ACL, using roles and permissions. We need to create the following tables:
Before I started working on a custom roles and permissions package using Tushar’s implementation, I looked at existing solutions in the Laravel community. Laravel News mentioned the two best roles and permissions package:
I’ve been a continuous follower of Spatie and especially their open source. Our team recently spoke at LaravelLive India and I got chance to meet Freek there. So, I was naturally more inclined to go with Spatie’s package than Bouncer. With just a brief look at the laravel-permission package, we figured that it aligned with our theory above and can be used in Employee Portal.
Installing the package was a breeze. The documentation is up-to-date and easy to follow. Then we figured what default roles and permissions should be there in Employee Portal. We came up with five roles:
The permissions were common across all modules. Each entity has a set of CRUD permissions. For example, projects have,
projects.delete. Using the laravel-permission package along with Laravel’s inbuilt authorization support, we were able to create a hybrid solution that aligned perfectly with our need.
We used Laravel Socialite to log in users automatically into the portal using their GSuite email. Saurav doesn’t have a ColoredCow email. We had two options:
Technology is expected to lower down the business expenses. And that’s why everyone would go for the second option. So did we.
While implementing Socialite, we did some changes to the `users` table and added two new columns
provider_id. The provider column keeps which third-party tool authenticated the user. It can be Google, GitHub, Facebook etc. In our case, we restricted that only to Google. So, when we register a new user using Laravel’s native registration, we set the provider to “default”.
We assigned roles and permission in such a way that only certain roles should be able to see certain modules/entities. For example, an HR manager shouldn’t see the finances, only a super-admin can create a new user, employees can only see active projects, knowledge sharing, library etc.
The new login page:
How a super-admin sees the dashboard:
How Saurav sees the dashboard:
When we granted Saurav access on Employee Portal, seeing all the summations, dues, and individual invoice details, I can tell there was happiness in his eyes. He knew he doesn’t have to do the repetitive boring calculations anymore.
We asked him what else can be done to make his work easier and he proposed some additions. We added client’s GST number, a link to directly download the invoice and some other finer details that he required.
We’ve completed the first version of ACL. Here’s the plan next: