how to check if user has role or permission in blade laravel
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
Mastering Authorization in Blade: How to Check Roles and Permissions Simultaneously with Laratrust
As senior developers working with Laravel, managing user access—determining what a user is allowed to see or do—is fundamental. When integrating authorization packages like Laratrust, we often need to display different content or links based on a combination of roles and specific permissions.
This post dives into the specific scenario you raised: how to check if a user possesses both a specific role and a particular permission simultaneously within a Blade view using Laratrust directives.
Understanding Roles vs. Permissions in Laravel
Before diving into the combined check, it’s important to understand the distinct roles of roles and permissions. In authorization systems:
- Roles: Define a broad category (e.g., 'admin', 'editor', 'guest'). Roles are typically used for high-level access segmentation.
- Permissions: Define specific actions that can be performed (e.g.,
create_user,edit_posts,delete_items). Permissions define the granular capabilities of a user.
The Laratrust package leverages these concepts to control access. The directives @role('name') and @permission('action') work by evaluating the underlying data stored in your database against the current authenticated user's attributes.
Checking Multiple Conditions in Blade: The || Operator
You asked if you can combine these checks using a logical OR operator, such as:
@role('admin') || @permission('add_user')
The short answer is: Yes, technically, you can use the || operator in Blade.
When evaluating expressions within Blade directives, PHP's logical operators are available. If both conditions evaluate to true, the directive will execute (or render the content).
Practical Example Implementation
Let’s see how this looks in practice:
<div>
{{-- This link will only appear if the user is an 'admin' OR has the 'add_user' permission --}}
@role('admin') || @permission('add_user')
<a href="{{ route('users.create') }}">Create New User</a>
@endrole
{{-- This link will only appear if the user is an 'editor' OR has the 'edit_posts' permission --}}
@role('editor') || @permission('edit_posts')
<a href="{{ route('posts.edit', $post->id) }}">Edit Post</a>
@endrole
</div>
Developer Perspective: Why This Approach Needs Caution
While the syntax above fulfills your request, as senior developers, we must exercise caution when relying heavily on complex logic directly within Blade views for security decisions.
The main drawback of this approach is separation of concerns. The Blade file is primarily responsible for presentation (what to display), not authorization logic (who can see what). When you embed complex || statements, you are mixing business logic with presentation layer code. This makes the code harder to test, maintain, and audit—a principle central to robust Laravel architecture, as emphasized by best practices found on sites like https://laravelcompany.com.
The Recommended Best Practice: Authorization in the Controller/Policy Layer
For true security and scalability, authorization checks should ideally happen before data is fetched or rendered, residing in your application's business logic layer rather than the view itself.
Instead of checking permissions directly in Blade, the recommended pattern involves using Laravel Policies or custom middleware:
- Middleware: Use middleware to block access entirely if a fundamental requirement (like a role) is missing before the request even reaches the controller.
- Policies: Define granular rules within a Policy class that determine if a user has permission for a specific model action.
Example using a hypothetical logic structure:
In your Controller method, you would first check the authorization:
use Illuminate\Support\Facades\Gate;
public function createUserController(Request $request)
{
// Check if the authenticated user has the necessary permission
if (Gate::allows('add_user')) {
// If the permission is true, proceed with the action
$user = User::create($request->all());
return redirect()->route('users.index');
}
// If the permission is false, deny access immediately
abort(403, 'Unauthorized action.');
}
This method ensures that authorization logic is centralized. It adheres to the principle of keeping controllers lean and makes your application significantly more secure and easier to scale, which aligns perfectly with the robust design philosophy promoted by Laravel.
Conclusion
You can certainly combine role and permission checks in Blade using logical operators like ||. However, for applications demanding high security and maintainability, it is strongly recommended to delegate all authorization decisions to the Controller or Policy layer. By keeping your views clean and moving complex decision-making into dedicated service layers, you build a more robust, testable, and scalable Laravel application.