Architecture design - Laravel framework is used for e-commerce applications, social applications, community applications, etc. What are the differences in the design of security authorization systems (authorization)?

Question

I have been learning laravel recently and am confused about the authorization system that comes with laravel. I would like to ask something.

Knowledge Overview:

Access control model:
There are three main access control types: discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC).

1、自主访问控制     自主访问控制（Discretionary Access

Control (DAC) is an access control service that performs authorization of access to system resources based on the identity of system entities. Includes setting permissions on files, folders and shared resources. Users have the right to access access objects such as files and data tables created by themselves, and can grant or revoke their access rights to other users. The owner of an access object is allowed to formulate a control policy for access to the object. Usually, an access control list can be used to limit the operations that can be performed on the object.

2、强制访问控制

Mandatory Access Control (MAC) is a system that forces subjects to obey access control policies. It is the system that controls user permissions and access to operating objects according to prescribed rules for objects created by users. The main feature is to implement mandatory access control on all subjects and the processes, files, segments, devices and other objects they control.

3. Role-based access control

Role is a collection of a certain number of permissions. Refers to the collection of resources and corresponding operation permissions that must be accessed to complete a task. Roles serve as a proxy layer for users and permissions, expressing the relationship between permissions and users. All authorizations should be given to roles rather than directly to users or user groups. RBAC later became RBAC0, RBAC1, RBAC2, etc.

4、基于属性的访问控制ABAC        

5. Policy-based access control PBAC, etc.

Question:
1. Which authorization model does the authorization system of social networking websites such as Renren, Zhihu, twitter, etc. prefer to use?

2. Which authorization model do e-commerce authorization systems like Tmall, Mogujie, etc. prefer to use?

3. Most frameworks come with an Authorization authorization system (mostly authorization systems based on ACL technology), but most of them are not RBAC model systems. If I directly use the authorization system that comes with the framework, such as the one in Laravel 5.1.11 (Gate/Policy, etc. - acl-based authorization system), and start making social and e-commerce applications, what problems should I solve?

4. Using the "...built-in authorization system" mentioned in 3., how to solve the design problem of the authorization part of the website's backend management? Most applications are roughly divided into frontend (user, public interface) and backend (admin management) and superadmin (root site, super administrator). What about the permission issues of different roles?

Answer 1