ayd/authorize

A shared authorization package for Hyperf and Laravel applications at AYD Company.

Maintainers

Package info

github.com/AYDcompany/authorize

pkg:composer/ayd/authorize

Statistics

Installs: 1

Dependents: 0

Suggesters: 0

Stars: 0

Open Issues: 0

Security

Advisories: 0

Aikido package health analysis

v1.0.0 2026-06-18 12:20 UTC

Requires

Requires (Dev)

Suggests

MIT 3b4828c762478105a7f812bf5f0f5351a1ae79dc

  • George King <george.woop@betterde.com>

This package is not auto-updated.

Last update: 2026-06-18 21:51:32 UTC

README

Shared authorization decision builder for Laravel and Hyperf applications.

The package focuses on API response abilities:

  • RBAC abilities in response.meta.abilities
  • ABAC/resource abilities in response.data[*].abilities
  • A shared decision shape that frontend applications can consume consistently
{
  "abilities": {
    "detail": { "allowed": true },
    "update": {
      "allowed": true,
      "fields": {
        "*": { "allowed": false },
        "title": { "allowed": true },
        "quantity": { "allowed": true }
      }
    },
    "delete": { "allowed": true }
  }
}

Installation

composer require ayd/authorize

For local package development this package expects ayd/api-response-base to be available through the local path repository configured in composer.json.

Core Usage

use Ayd\Authorize\ResourceAbilitiesResolver;

$abilities = ResourceAbilitiesResolver::make()
    ->allow('detail')
    ->fields('update', [
        'title',
        'quantity' => ['allowed' => false, 'reason' => 'Quantity locked'],
    ])
    ->deny('delete', 'Archived')
    ->resolve();

This produces:

[
    'detail' => ['allowed' => true],
    'update' => [
        'allowed' => true,
        'fields' => [
            '*' => ['allowed' => false],
            'title' => ['allowed' => true],
            'quantity' => ['allowed' => false, 'reason' => 'Quantity locked'],
        ],
    ],
    'delete' => ['allowed' => false, 'reason' => 'Archived'],
]

For page-level RBAC maps:

use Ayd\ApiResponseBase\Meta;
use Ayd\Authorize\ResourceAbilitiesResolver;

$meta = Meta::abilities(ResourceAbilitiesResolver::fromBooleanMap([
    'create' => $user->can('product.create'),
    'delete' => $user->can('product.delete'),
])->resolve());

Model Usage

use Ayd\Authorize\ResourceAbilitiesResolver;
use Ayd\Authorize\Concerns\HasResourceAbilities;
use Ayd\Authorize\Contracts\HasResourceAbilities as HasResourceAbilitiesContract;

class Product extends Model implements HasResourceAbilitiesContract
{
    use HasResourceAbilities;

    public function resolveAbilities(mixed $user = null): array|ResourceAbilitiesResolver
    {
        return $this->abilityResolver()
            ->allow('detail')
            ->fields('update', [
                'title',
                'quantity' => $this->isLocked()
                    ? ['allowed' => false, 'reason' => 'Quantity locked']
                    : true,
            ])
            ->action('delete', $user?->can('delete', $this) ?? false);
    }
}

Laravel API Resource Usage

use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;
use Ayd\Authorize\Laravel\Concerns\IncludesResourceAbilities;

class ProductResource extends JsonResource
{
    use IncludesResourceAbilities;

    public function toArray(Request $request): array
    {
        return [
            'id' => $this->id,
            'title' => $this->title,
            'abilities' => $this->resourceAbilities($request),
        ];
    }
}

The Laravel service provider is listed for package discovery and registers ResourceAbilitiesResolver as an empty singleton. It does not bind Ayd\ApiResponseBase\Contracts\AbilitiesResolver by default, so existing API responses will not suddenly emit empty meta.abilities.

Bind your own resolver if you want automatic meta.abilities injection through ayd/api-response-laravel:

use Ayd\ApiResponseBase\Contracts\AbilitiesResolver;

$this->app->bind(AbilitiesResolver::class, ProductPageAbilitiesResolver::class);

Hyperf Usage

The Hyperf ConfigProvider registers ResourceAbilitiesResolver as a dependency. Use the core builder in resources, transformers, or services:

use Ayd\Authorize\ResourceAbilities;

$abilities = ResourceAbilities::resolve($product, $user);

To integrate page-level abilities with ayd/api-response-hyperf, bind an implementation of Ayd\ApiResponseBase\Contracts\AbilitiesResolver in your Hyperf dependency config.

Design Notes

  • Backends should return decisions, not frontend policy logic.
  • Use meta.abilities for page-level RBAC.
  • Use data[*].abilities for row/resource-level ABAC.
  • Explicit field decisions override the * fallback.
  • The frontend should treat these decisions as UX hints only; backend policies remain the source of truth.