# Roles and Permissions

By default, the QuickAdminPanel generator creates two user roles - **Administrator** and **Simple User**. Both have the same permissions for all CRUDs and Modules, except User Management, which is available **only** to the Administrator.

The whole permissions system is stored in the database in these tables:

* permissions
* roles
* permission\_role
* role\_user

![](https://laraveldaily.com/wp-content/uploads/2019/03/roles-permissions.png)

![](https://laraveldaily.com/wp-content/uploads/2019/03/roles-permissions-pivot.png)

Every CRUD has five default permissions generated:

* **\*\_access** (whether the user sees the menu item in the sidebar)
* **\*\_create** (whether the user can open the create form and add a new record)
* **\*\_edit** (whether the user can open the edit form and update an existing record)
* **\*\_show** (whether the user can open the "show" page of a record)
* **\*\_delete** (whether the user can delete records)

These records are seeded with Seeder files; see the examples below:

![](https://laraveldaily.com/wp-content/uploads/2019/03/roles-permissions-seed-permission.png)

![](https://laraveldaily.com/wp-content/uploads/2019/03/roles-permissions-seed-pivot.png)

If you want to change permissions in the downloaded panel, log in as the Administrator user, go to the menu item User Management -> Roles, edit a role and assign the permissions you want to it.

![](https://laraveldaily.com/wp-content/uploads/2019/03/roles-permissions-editing.png)

In the generated code, we check the permissions in every Controller method; see the **Gate** facade and the **abort\_unless()** helper in this example:

```php
class BooksController extends Controller
{
    public function index()
    {
        // Deny with HTTP 403 unless the current user holds the 'book_access' permission.
        abort_unless(\Gate::allows('book_access'), 403);

        $books = Book::all();

        return view('admin.books.index', compact('books'));
    }

    public function create()
    {
        abort_unless(\Gate::allows('book_create'), 403);

        return view('admin.books.create');
    }

    public function store(StoreBookRequest $request)
    {
        // Same permission as create(): showing the form and saving the record are guarded separately.
        abort_unless(\Gate::allows('book_create'), 403);

        // Mass assignment from $request->all() relies on the model's $fillable / $guarded list.
        $book = Book::create($request->all());

        return redirect()->route('admin.books.index');
    }

    public function edit(Book $book)
    {
        abort_unless(\Gate::allows('book_edit'), 403);

        return view('admin.books.edit', compact('book'));
    }

    public function update(UpdateBookRequest $request, Book $book)
    {
        abort_unless(\Gate::allows('book_edit'), 403);

        $book->update($request->all());

        return redirect()->route('admin.books.index');
    }

    public function show(Book $book)
    {
        abort_unless(\Gate::allows('book_show'), 403);

        return view('admin.books.show', compact('book'));
    }

    public function destroy(Book $book)
    {
        abort_unless(\Gate::allows('book_delete'), 403);

        $book->delete();

        return back();
    }
}
```

On top of that, we add a check in the [Form Request classes](https://laravel.com/docs/validation#creating-form-requests); see this example:

```php
class StoreBookRequest extends FormRequest
{
    // Runs before validation; returning false makes Laravel respond with 403
    // even if a controller forgets its own abort_unless() check.
    public function authorize()
    {
        return \Gate::allows('book_create');
    }
}
```

For more information on how Gates work in Laravel, see the [official Laravel documentation](https://laravel.com/docs/authorization#writing-gates).
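As an added illustration of where the four tables above meet `\Gate::allows()`, the following is not the generator's own code but one way to register a Gate for every row of `permissions`. It assumes `App\Permission` and `App\User` Eloquent models with `belongsToMany` relations `roles()` over `permission_role` and `role_user`, and a `title` column holding names such as `book_access`.

```php
<?php
// Added example, not QuickAdminPanel's generated code. Assumed: App\Permission
// with a roles() relation (pivot permission_role), a 'title' column, and
// User::roles() (pivot role_user).

namespace App\Providers;

use App\Permission;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Schema;
use Illuminate\Support\ServiceProvider;

class PermissionGateProvider extends ServiceProvider
{
    public function boot()
    {
        // Fresh install: migrations may not have run yet, so do not query the table.
        if (! Schema::hasTable('permissions')) {
            return;
        }

        // One query for all permissions and their roles, instead of a query per Gate check.
        Permission::with('roles')->get()->each(function (Permission $permission) {
            $roleIds = $permission->roles->pluck('id')->all();

            // Evaluated on every Gate::allows()/authorize() call for this ability:
            // allowed only if the user holds at least one role granted this permission.
            Gate::define($permission->title, function ($user) use ($roleIds) {
                return $user->roles->pluck('id')->intersect($roleIds)->isNotEmpty();
            });
        });

        // Abilities with no permission row stay undefined; Gate::allows() returns false
        // for an undefined ability, so a misspelled name like 'book_acess' denies
        // instead of granting access.
    }
}
```

Register the provider in `config/app.php`; afterwards, adding a role to a permission through User Management -> Roles changes what `\Gate::allows()` returns without any code change.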
