imarc/auth

RBAC and ACLs

2.0-beta20 2023-10-20 04:04 UTC

README

This project combines more traditional RBAC methods with user centric and dynamic overrides for a nice middle ground. It allows you to define a role based access control list as well as create entity or model level instance overrides and dynamic logic for more complex checks.

ACLs

Creating an ACL

$acl = new Auth\ACL();

Adding a Role Access

  • First parameter is the name of the role (case insensitive)
  • Second parameter is a class of objects or string (case insensitive)
  • Third parameter is an array of allowed actions

$acl->allow('Admin', 'User', ['create', 'read', 'update', 'delete']);

Aliasing Access

$acl->alias('manage', ['create', 'read', 'update', 'delete']);

Adding Using Alias

$acl->allow('Admin', 'Article', ['manage']);

Authorization Manager

You can create an authorization manager for your authorized user. The object you pass to the constructor must implement the Auth\EntityInterface which contains two methods:

  • getRoles() - returns an array of all the roles the object/entity contains
  • getPermissions() - returns user specific ACLs which overload roles

Creating the Manager

$manager = new Auth\Manager($user);

Adding an ACL

$manager->add($acl);

Checking the Managed Entity's Role

$manager->is('Admin');

Checking the Managed Entity's Effective Permission

$manager->can('create', 'Article');

Or with an object of matching class:

$manager->can('create', $article);

Checking Entities Implementing AuthInterface

The AuthInterface provides a way in which entities can provide custom logic to authorize managed entities against themselves. Using the previous example:

$manager->can('create', $article);

If the $article parameter is an object implementing AuthInterface, the manager will call the can() method on it, passing the manager instance as the first parameter and the permission being checked as the second. The article can then do something such as the following:

public function can(Manager $manager, $permission)
{
	// Anything the roles/ACLs already grant stays granted
	if ($manager->has($permission, $this)) {
		return TRUE;
	}

	// Otherwise, only the owner of this entity is allowed
	return $manager->entity == $this->getOwner();
}

In this example the entity checks to see if its owner is the managed entity to provide permission for any action which is not otherwise granted.
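The following is an added example, not code from the imarc/auth README, that puts the pieces above together end to end: an ACL with an alias and two roles, a user entity implementing EntityInterface, and an Article implementing AuthInterface with the owner override. It assumes the API exactly as the README shows it (Auth\ACL::allow()/alias(), Auth\Manager::add()/is()/can()/has() and the manager's entity property, Auth\EntityInterface with getRoles()/getPermissions(), and Auth\AuthInterface with can(Manager, $permission)), that AuthInterface lives in the Auth namespace, and that the library is installed via Composer. The User and Article classes, the names and the role table are constructed for the example; the return format of getPermissions() is not spelled out in the README, so an empty array is returned and only roles plus the owner override decide the outcome.

```php
<?php
// Added example, not part of imarc/auth. Assumes the README's API as described
// in the lead-in; User and Article are hypothetical classes built for this demo.
require 'vendor/autoload.php';

use Auth\ACL;
use Auth\Manager;
use Auth\EntityInterface;
use Auth\AuthInterface;

// Hypothetical user entity: carries its roles; no per-user overrides here.
class User implements EntityInterface
{
    public function __construct(private string $name, private array $roles) {}

    public function getName(): string { return $this->name; }

    public function getRoles(): array { return $this->roles; }

    // Return format is not documented in the README; empty means "no overrides".
    public function getPermissions(): array { return []; }
}

// Hypothetical article entity: the owner may do anything the roles did not
// already grant; everyone else gets exactly what the ACL says.
class Article implements AuthInterface
{
    public function __construct(private User $owner) {}

    public function getOwner(): User { return $this->owner; }

    public function can(Manager $manager, $permission)
    {
        if ($manager->has($permission, $this)) {
            return true; // granted by a role, nothing more to decide
        }
        // Identity comparison (===) instead of the README's == so that two
        // distinct User objects with equal fields are never treated as the same owner.
        return $manager->entity === $this->owner;
    }
}

// Role table built on least privilege: Editors can read and update, never delete.
$acl = new ACL();
$acl->alias('manage', ['create', 'read', 'update', 'delete']);
$acl->allow('Admin',  'Article', ['manage']);
$acl->allow('Editor', 'Article', ['read', 'update']);

// Constructed sample data: two editors, one of whom owns the article.
$alice = new User('alice', ['Editor']);
$bob   = new User('bob',   ['Editor']);
$article = new Article($alice);

foreach ([$alice, $bob] as $user) {
    $manager = new Manager($user);
    $manager->add($acl);

    printf("%s is Admin: %s\n", $user->getName(), $manager->is('Admin') ? 'yes' : 'no');

    foreach (['read', 'update', 'delete'] as $action) {
        printf(
            "%s may %s the article: %s\n",
            $user->getName(),
            $action,
            $manager->can($action, $article) ? 'yes' : 'no'
        );
    }
}
```

Under these assumptions the role table decides read and update for both editors, while delete is refused for bob and allowed for alice only because Article::can() falls through to the ownership check. The point worth keeping in mind when writing such overrides is that the AuthInterface method is consulted for every permission the roles do not already grant, so the fallback condition must be as narrow as the ownership test here rather than a blanket true.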

Code Check and Testing

Run Analysis:

php vendor/bin/phpstan -l7 analyse src/

Run Tests:

php vendor/bin/phpunit --bootstrap vendor/autoload.php test/cases