klsoft / yii3-middleware-authz
The package provides Yii 3 authorization middleware
Installs: 0
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 0
Open Issues: 0
pkg:composer/klsoft/yii3-middleware-authz
Requires
- php: >=8.1
- psr/container: ^1.0 || ^2.0
- psr/http-factory: ^1.0
- psr/http-message: ^1.0 || ^2.0
- psr/http-server-handler: ^1.0
- psr/http-server-middleware: ^1.0
- yiisoft/http: ^1.2
- yiisoft/rbac: ^2.1.0
- yiisoft/router: ^4
- yiisoft/user: ^2.3.1
README
The package provides Yii 3 authorization middleware. It is intended for use with web applications. For authorization of a RESTful web service, use the YII3-KEYCLOAK-AUTHZ package instead.
Requirement
- PHP 8.1 or higher.
Installation
composer require klsoft/yii3-middleware-authz
How to use
1. Configure Authentication
Example:
use Yiisoft\Session\Session; use Yiisoft\Session\SessionInterface; use Yiisoft\Auth\IdentityRepositoryInterface; use Yiisoft\Definitions\Reference; use Yiisoft\Auth\AuthenticationMethodInterface; use Yiisoft\User\Method\WebAuth; return [ // ... SessionInterface::class => [ 'class' => Session::class, '__construct()' => [ $params['session']['options'] ?? [], $params['session']['handler'] ?? null, ], ], IdentityRepositoryInterface::class => IdentityRepository::class, CurrentUser::class => [ 'withSession()' => [Reference::to(SessionInterface::class)] ], AuthenticationMethodInterface::class => WebAuth::class, ];
2. Configure RBAC
3. Add the forbidden URL to param.php
Example:
return [ 'forbiddenUrl' => '/forbidden', ];
4. Configure Authorization
Example:
use Klsoft\Yii3MiddlewareAuthz\Middleware\Authorization; return [ // ... Klsoft\Yii3MiddlewareAuthz\Middleware\Authorization::class => [ 'class' => Klsoft\Yii3MiddlewareAuthz\Middleware\Authorization::class, '__construct()' => [ 'forbiddenUrl' => $params['forbiddenUrl'] ], ], ];
5. Apply permissions.
5.1. To an action.
First, add Authorization to the application middlewares:
use Yiisoft\Auth\Middleware\Authentication; use Klsoft\Yii3MiddlewareAuthz\Middleware\Authorization; Application::class => [ '__construct()' => [ 'dispatcher' => DynamicReference::to([ 'class' => MiddlewareDispatcher::class, 'withMiddlewares()' => [ [ ErrorCatcher::class, SessionMiddleware::class, Authentication::class, Authorization::class, CsrfTokenMiddleware::class, FormatDataResponse::class, RequestCatcherMiddleware::class, Router::class, ], ], ]), 'fallbackHandler' => Reference::to(NotFoundHandler::class), ], ],
Then, apply permissions to an action:
use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Message\ResponseInterface; use Klsoft\Yii3MiddlewareAuthz\Permission; final class PostController { public function __construct(private PostPresenterInterface $postPresenter) { } #[Permission('createPost')] public function create(ServerRequestInterface $request): ResponseInterface { return $this->postPresenter->createPost($request); } }
Example of a permission with an executing parameter value that would be passed to the rules associated with the roles:
#[Permission(
'updatePost',
['post' => [
'__container_entry_identifier',
'postRepository',
'getCurrentPost',
['__request']]
]
)]
public function update(#[RouteArgument('id')] int $id): ResponseInterface
5.2. To a route.
First, define the set of permissions:
use Psr\Container\ContainerInterface; use Klsoft\Yii3MiddlewareAuthz\Middleware\Authorization; use Klsoft\Yii3MiddlewareAuthz\Permission; 'CreatePostPermission' => static function (ContainerInterface $container) { return $container ->get(Authorization::class) ->withPermissions([ new Permission('createPost']) ]); }
Then, you can apply this set to a route:
Route::post('/post/create') ->middleware('CreatePostPermission') ->action([PostController::class, 'create']) ->name('post/create')