Users & Roles
Manage admin accounts, assign roles, and configure permissions.
Users
| Route | Method | Purpose |
|---|---|---|
/admin/users | GET | List users (paginated, searchable, role filter) |
/admin/users/create | GET | New user form |
/admin/users | POST | Create user |
/admin/users/{user}/edit | GET | Edit user form |
/admin/users/{user} | PUT | Update user |
/admin/users/{user} | DELETE | Soft delete user |
Fields
- name — display name
- email — unique, required
- password — required on create, optional on update
- avatar — uploaded file (stored via media library)
- is_active — disables login when false
- roles[] — one or more roles (multi-select)
Roles
| Route | Method | Purpose |
|---|---|---|
/admin/roles | GET | List roles |
/admin/roles/create | GET | New role form |
/admin/roles | POST | Create role |
/admin/roles/{role}/edit | GET | Edit role form (permission matrix) |
/admin/roles/{role} | PUT | Update role + permissions |
/admin/roles/{role} | DELETE | Delete role (only if no users assigned) |
Permission matrix
Permissions are stored as a JSON map on roles.permissions, with one boolean per ability:
{
"users.view": true,
"users.create": true,
"users.update": true,
"users.delete": false,
"content.view": true,
"content.create": true,
"content.publish": true,
"content.delete": false,
"media.view": true,
"media.upload": true,
"media.delete": false,
"settings.manage": false,
"api-keys.manage": false,
"webhooks.manage": false,
"languages.manage": false,
"activity.view": true
}Checking permissions
// In controller
if (! auth()->user()->can('content.publish')) {
abort(403);
}
// In Blade
@can('media.delete')
<button class="text-red-600">Delete</button>
@endcanDefault roles
- Super Admin — all permissions; not deletable.
- Editor — content + media; no system settings.
- Author — create/update own entries; no publish, no delete.
Cascade behaviorDeleting a user soft-deletes; pivot rows in
user_roles are removed via observer to avoid orphans. Deleting a role is blocked if any user has it assigned — reassign first.