Permission Delegation Package
A Laravel package that extends Spatie Permission to answer "What can this user GRANT?" rather than just "What can they DO?". Adds hierarchical delegation with escalation prevention, user creation quotas, and comprehensive audit logging. While Spatie Permission handles role/permission assignment, Ordain adds a delegation layer that validates authority BEFORE allowing assignments. Features Blade directives (@canDelegate, @canAssignRole), route macros, and 5 Artisan commands. Built with DelegationScope value objects for immutable authorization boundaries.
Major features and technical achievements of this project.
Automatic boundary enforcement on delegation
Comprehensive audit trail support
Stateless design for high-performance environments
Blade directives and route macros for seamless integration
Artisan commands for delegation management
User creation limits and boundary controls
The architectural patterns and design decisions behind this project.
Every delegation attempt passes through authorization checks. The system validates that delegators possess the authority they attempt to grant, blocking privilege escalation.
Authority flows strictly downward. Users can only delegate subsets of their own grants, creating an immutable hierarchy that prevents lateral or upward privilege movement.
Complete lifecycle tracking through domain events. Every state change emits events for audit logging, notifications, and external system integration.
Ordain wraps Spatie Permission as a delegation layer. Validates authority BEFORE calling Spatie for actual role/permission assignment. Laravel Gate provides the foundation.
The Delegation facade provides a fluent interface for authorization checks and delegation operations, routing to underlying services.
Seamless integration with Laravel routing and Blade templates. Route macros and directives provide declarative authorization.
Interface Segregation
All services depend on contracts (DelegationServiceInterface, AuthorizerInterface). Enables easy testing with mocks and swapping implementations without changing consumers.
Decorator Pattern
Authorizer wraps delegation operations, validating every action before execution. Separation of authorization logic from business logic.
Event Sourcing Lite
Six distinct events capture delegation lifecycle. Enables audit trails, notifications, and external system integration without coupling.
Data Access Abstraction
RoleRepository and PermissionRepository abstract Spatie Permission internals. Isolates domain from ORM specifics.
DelegationScope Container
DelegationScope encapsulates delegation boundaries (canManageUsers, maxManageableUsers, assignableRoleIds, assignablePermissionIds) as an immutable value object. Ensures consistent authorization state across the application.