# Roles & Permissions

Unfold CMS uses a role-based access control (RBAC) system powered by `spatie/laravel-permission`. Every user is assigned a role, and each role has a set of permissions that control what the user can do.
## Built-in Roles
Unfold CMS ships with five built-in roles, ordered from most to least privileged:
| Role | Description |
|---|---|
| Super Admin | Full access to everything. Cannot be restricted. |
| Admin | Full access to content and settings. Cannot manage other admins. |
| Editor | Can manage all content (posts, pages, comments, media). Cannot access settings or users. |
| Author | Can create and manage their own posts. Cannot edit others' content. |
| User | Basic registered user. Can comment and manage their profile. |
### Super Admin vs Admin
The Super Admin role bypasses all permission checks. Admins have broad access but are subject to permission rules and cannot:
- Edit or delete Super Admin accounts
- Change system-level settings that Super Admins have locked
- Access certain infrastructure settings
## Permission System

### Permission Structure

Permissions follow a `module.action` naming convention:

```
posts.view
posts.create
posts.edit
posts.delete
```
### Permission Modules

| Module | Actions | Description |
|---|---|---|
| posts | view, create, edit, delete | Blog post management |
| pages | view, create, edit, delete | Static page management |
| categories | view, create, edit, delete | Category management |
| comments | view, approve, delete | Comment moderation |
| media | view, upload, delete | Media library access |
| menus | view, create, edit, delete | Menu management |
| users | view, create, edit, delete, ban | User management |
| roles | view, create, edit, delete | Role management |
| settings | view, edit | System settings |
| templates | view, edit | Template management |
### Checking Permissions

In Blade templates:

```blade
@canUser('posts.create')
    <a href="/admin/posts/create">New Post</a>
@endcanUser
```

In PHP code:

```php
canUser('posts.edit'); // Returns boolean
hasRole('admin');      // Check role
isAdmin();             // Admin or Super Admin?
isSuperAdmin();        // Super Admin only?
```
## Managing Roles

### Viewing Roles
Navigate to Users > Roles in the admin panel to see all roles with their assigned permissions.
### Creating Custom Roles
Click Create Role to define a new role:
- Enter a role name (e.g., "Moderator")
- Select permissions from the available list
- Save the role
### Editing Role Permissions
Click on any role to modify its permissions. Check or uncheck individual permissions to customize what the role can do.
Warning: Be careful when modifying the built-in roles. Removing critical permissions from the Admin role may lock administrators out of important features.
### Deleting Roles
Custom roles can be deleted. Built-in roles (Super Admin, Admin, Editor, Author, User) cannot be deleted.
Before deleting a role, reassign all users who have that role to a different one.
## Assigning Roles

### During User Creation
Select a role from the dropdown when creating a new user in the admin panel.
### Changing a User's Role
- Navigate to Users > All Users
- Click on the user
- Change the role in the role dropdown
- Save
### Default Role
New users who register through the public registration form are assigned the User role by default.
## Permission Middleware

Routes in the admin panel are protected by permission middleware. When a user without the required permission tries to access a route, they receive a 403 Forbidden response.

```php
// Route protection example (internal)
Route::middleware('permission:posts.edit')->group(function () {
    Route::get('/admin/posts/{post}/edit', [PostController::class, 'edit']);
});
```
## Ownership

Some permissions are ownership-aware. For example, an Author can edit their own posts but not posts created by other users. This is handled by the `HasOwnership` trait on models.
| Role | Own Content | Others' Content |
|---|---|---|
| Super Admin | Full access | Full access |
| Admin | Full access | Full access |
| Editor | Full access | Full access |
| Author | Full access | View only |
| User | Profile only | No access |
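The ownership table above, expressed as a Laravel policy. This is an added example, not Unfold CMS's `HasOwnership` trait; it assumes a `Post` model with a `user_id` column and the role slugs `editor`, `admin` and `super-admin`.

```php
<?php
// Added example (not Unfold CMS code): an ownership-aware policy for posts,
// combining a spatie/laravel-permission check with an owner comparison.
// Assumptions: role slugs 'editor', 'admin' and 'super-admin'; a Post model
// with a user_id column; the Super Admin bypass lives in Gate::before.

namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Viewing is granted by the permission alone; ownership does not matter
    // (the table gives Authors "View only" on others' content).
    public function view(User $user, Post $post): bool
    {
        return $user->can('posts.view');
    }

    // Editing needs the permission AND either ownership or a role that the
    // table allows onto others' content (Editor, Admin).
    public function update(User $user, Post $post): bool
    {
        if (! $user->can('posts.edit')) {
            return false;
        }

        return $this->owns($user, $post) || $user->hasAnyRole(['editor', 'admin']);
    }

    public function delete(User $user, Post $post): bool
    {
        if (! $user->can('posts.delete')) {
            return false;
        }

        return $this->owns($user, $post) || $user->hasAnyRole(['editor', 'admin']);
    }

    // Strict comparison after casting, so a null user_id never matches.
    private function owns(User $user, Post $post): bool
    {
        return $post->user_id !== null
            && (int) $post->user_id === (int) $user->getKey();
    }
}

// In AuthServiceProvider::boot(), Super Admin bypasses every check, as the
// docs describe (the pattern spatie/laravel-permission recommends):
// Gate::before(fn (User $user) => $user->hasRole('super-admin') ? true : null);
```

Returning `null` rather than `false` from `Gate::before` is what lets non-super-admin users fall through to the policy methods.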
## Seeding Roles & Permissions

Roles and permissions are created during installation by the `RolePermissionSeeder`. This seeder:
- Creates all permission entries
- Creates the five built-in roles
- Assigns appropriate permissions to each role
If roles are missing or corrupted, the seeder can be re-run safely: it uses `insertOrIgnore` to avoid duplicates.
## Related
- User Management — Creating and managing users
- Authentication — Login and security features