Roles & Permissions

Lyceum Guardian uses Spatie Laravel Permission for role-based access control. This allows granular control over what each user can access and modify.

Default Roles

Super Admin

Access: Full system access
Permissions: ALL permissions
Use Case: System administrators, owners

Admin

Access: Day-to-day operations except user management
Permissions:
- All student operations
- All enrollment operations
- All invoice operations
- All transaction operations
- All credit note operations
- All package operations
- Payment config (view, edit)
- View branches and grades
Use Case: Operations managers, senior staff

Branch Manager

Access: Branch-level student and enrollment management
Permissions:
- Students (view, create, edit)
- Enrollments (view, create, edit)
- Invoices (view only)
- Transactions (view only)
- Packages (view only)
Use Case: Branch-level administrators

Finance Officer

Access: All financial operations
Permissions:
- Students (view only)
- Enrollments (view only)
- Invoices (view, edit, void)
- Transactions (view, create, edit, delete)
- Credit notes (view, create, edit, delete)
- Payment configs (view, edit)
Use Case: Finance team, accountants

Receptionist

Access: Front desk enrollment operations
Permissions:
- Students (view, create)
- Enrollments (view, create)
- Invoices (view only)
- Packages (view only)
Use Case: Front desk staff

Viewer

Access: Read-only access
Permissions: View all resources
Use Case: Auditors, observers, reporting staff

Permission Categories

Students

view-students - View student list and details
create-students - Create new students
edit-students - Edit student information
delete-students - Delete students

Enrollments

view-enrollments - View enrollments
create-enrollments - Create new enrollments
edit-enrollments - Edit enrollments
delete-enrollments - Delete enrollments
approve-enrollments - Approve enrollments

Invoices

view-invoices - View invoices
edit-invoices - Edit invoice details
delete-invoices - Delete invoices
void-invoices - Void invoices

Transactions

view-transactions - View transactions
create-transactions - Record transactions
edit-transactions - Edit transactions
delete-transactions - Delete transactions

Credit Notes

view-credit-notes - View credit notes
create-credit-notes - Create credit notes
edit-credit-notes - Edit credit notes
delete-credit-notes - Delete credit notes

Packages

view-packages - View packages
create-packages - Create packages
edit-packages - Edit packages
delete-packages - Delete packages

Payment Configs

view-payment-configs - View payment configurations
edit-payment-configs - Edit payment configurations

Users

view-users - View user list
create-users - Create new users
edit-users - Edit user information
delete-users - Delete users
assign-roles - Assign roles to users

Managing Roles

Via Admin Panel

Navigate to Admin → Roles & Permissions
Create, edit, or delete roles
Assign permissions to roles
Navigate to Admin → Users
Create users and assign roles

Via Code

use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;

// Create a new role
$role = Role::create(['name' => 'Custom Role']);

// Create a new permission
$permission = Permission::create(['name' => 'custom-permission']);

// Assign permission to role
$role->givePermissionTo('custom-permission');

// Assign role to user
$user->assignRole('Custom Role');

Using Permissions

In Controllers/Components

public function mount()
{
    if (!auth()->user()->can('view-invoices')) {
        abort(403, 'Unauthorized action.');
    }
}

In Blade Templates

@can('create-students')
    <flux:button wire:click="createStudent">
        Create Student
    </flux:button>
@endcan

In Routes

Route::get('/invoices', InvoiceList::class)
    ->middleware('can:view-invoices')
    ->name('invoices.list');

Super Admin Bypass

Super Admin role automatically has all permissions through a Gate check:

Gate::before(function ($user, $ability) {
    return $user->hasRole('Super Admin') ? true : null;
});

Default Super Admin

Field	Value
Email	`[email protected]`
Password	`password`

Important: Change these credentials immediately after first login!

Seeding Roles

Run the seeder to create default roles and permissions:

php artisan db:seed --class=RolesAndPermissionsSeeder

Cache Management

Clear permission cache after changes:

php artisan cache:forget spatie.permission.cache

Or in code:

app()[\Spatie\Permission\PermissionRegistrar::class]
    ->forgetCachedPermissions();

Best Practices

Always check permissions in component mount() methods
Use @can directives in Blade templates
Apply middleware to routes for additional protection
Follow least privilege - give minimum required permissions
Log permission denials for security auditing
Regularly review role permissions

Admin Logs - Track user activities
Installation - Initial setup

Roles & Permissions

On this page