ksfraser/ksf-fa-rbac

FrontAccounting adapter for ksfraser/rbac — DB repositories, user provisioning, and FA hook integration.

Maintainers

Package info

github.com/ksfraser/ksf_FA_RBAC

Type:fa-module

pkg:composer/ksfraser/ksf-fa-rbac

Statistics

Installs: 0

Dependents: 0

Suggesters: 0

Stars: 0

Open Issues: 0

Security

Advisories: 0

Aikido package health analysis

dev-master 2026-05-25 16:30 UTC

Requires

Requires (Dev)

GPL-3.0 213ed70dc63be3495163a633bb26aa2b28a33240

This package is auto-updated.

Last update: 2026-05-25 16:30:05 UTC

README

FrontAccounting adapter for the ksfraser/rbac framework-agnostic RBAC library.

Provides:

  • User provisioning — lazy creation of FA users in the CRM person registry on authenticate hook
  • Database repositories — concrete implementations of RBAC interfaces against FA tables
  • SQL JOIN fragments — enforces default-deny visibility at the query layer
  • Soft-delete + audit logging — all record mutations are logged immutably

Installation

  1. Copy this directory to /path/to/fa/modules/ksf_FA_RBAC
  2. In FA Setup → Extensions, activate KSF RBAC
  3. Composer dependencies are installed on first activation

Quick Start

Provisioning a User

When a user authenticates, the authenticate hook automatically:

  1. Creates a crm_persons row (if needed)
  2. Creates a crm_contacts row linking the person to their FA user account (type='user', entity_id=user_id)
  3. Creates a {userId}_individual team
  4. Adds the user as a member of their individual team

No manual action required.

Enforcing Visibility

Use buildAccessJoinSql() in any record-fetching query to enforce RBAC:

$db = new FaDbAdapter(TB_PREF);
$repo = new FaRecordAccessRepository($db);

$joinFragment = $repo->buildAccessJoinSql('calendar', 'entry', 'e');

$sql = "SELECT e.* FROM fa_cal_entries e"
     . " $joinFragment"
     . " WHERE e.start_date BETWEEN ? AND ?"
     . " ORDER BY e.start_date ASC";

$entries = $db->fetchAll($sql, [$userId, $start, $end]);

The JOIN fragment:

  • Restricts to teams the user is a member of
  • Enforces inactive=0 and expiry checks
  • Returns empty result set if user has no access (default deny)

Architecture

ksfraser/rbac (library)
    ↓
ksf_FA_RBAC (FA adapter) ← you are here
    ├─ FaDbAdapter
    ├─ FaTeamRepository
    ├─ FaRecordAccessRepository
    └─ UserProvisioner

All repositories implement interfaces from ksfraser/rbac, ensuring zero coupling to FA in the library.

Testing

cd /path/to/ksf_FA_RBAC
composer install --dev
vendor/bin/phpunit

Documentation

See AGENTS.md for detailed architecture, database schema, and implementation notes.