matiosfree/l-rbac

The RBAC implementation for Laravel. Based on Laravel Abilities\Gates.

v0.1.1 2021-07-22 21:23 UTC

This package is auto-updated.

Last update: 2025-01-23 04:44:22 UTC


README

The RBAC implementation for Laravel. Based on Laravel Abilities\Gates (v5+). This package implements a General Hierarchical RBAC, following the implementation in Yii2


Installation

  1. The preferred way to install this package is through composer. Either run
composer require matiosfree/l-rbac "*"

or add

"matiosfree/l-rbac": "*"

to the require section of your composer.json.

  2. Add the service provider to config/app.php:
MatiosFree\LRbac\RbacServiceProvider::class,
  3. Publish the service provider's assets with the command:
php artisan vendor:publish --provider="MatiosFree\LRbac\RbacServiceProvider"
  4. Create an Authorization class that extends MatiosFree\LRbac\RbacAuthorization:
<?php
namespace App\Classes;

use App\Classes\Rules\OwnPostRule;
use App\Classes\Rules\RoleRule;
use MatiosFree\LRbac\RbacAuthorization;

class Authorization extends RbacAuthorization {

    public function getDefaultRoles(): array {
        return ['user', 'manager'];
    }

    public function getRoles(): array {
        return [
            'manager' => [
                'description' => 'Manager Role', // optional property
                'ruleName' => RoleRule::class, // optional property: the rule class evaluated for this role/action
                'children' => [ // optional property: the child items this role grants
                    'updatePost',
                    'deletePost',
                ]
            ],
            'user' => [
                'description' => 'User Role',
                'ruleName' => RoleRule::class,
                'children' => [
                    'updateOwnPost'
                ]
            ],
        ];
    }

    public function getPermissions(): array {
        return [
            'updatePost' => [
                'description' => 'Edit any posts'
            ],
            'updateOwnPost' => [
                'description' => 'Edit own post',
                'ruleName' => OwnPostRule::class,
                'children' => [
                    'updatePost' // updateOwnPost is part of updatePost: checking updatePost falls through to updateOwnPost
                ],
            ],
            'deletePost' => [
                'description' => 'Delete any posts'
            ],
        ];
    }

}

NOTE! You might notice that the updatePost action is part of the updateOwnPost action. This means that if updatePost is not granted directly, the system also checks access to updateOwnPost, because a user might not be allowed to update all posts but should still be able to update their own. The class above therefore implements the following hierarchy: manager grants updatePost and deletePost; user grants updateOwnPost, which in turn grants updatePost only when OwnPostRule passes.

  5. Create specific rules for all actions you need. Your rules must implement MatiosFree\LRbac\Contracts\IRbacRuleContract:

This rule checks the user role:

<?php
namespace App\Classes\Rules;


use MatiosFree\LRbac\Contracts\IRbacRuleContract;

class RoleRule implements IRbacRuleContract {

    public function execute($user, $item, $arguments): bool {
        return $user->role === $item->getName();
    }

}

This rule checks if the user is author of the post:

<?php
namespace App\Classes\Rules;


use MatiosFree\LRbac\Contracts\IRbacRuleContract;

class OwnPostRule implements IRbacRuleContract {

    public function execute($user, $item, $arguments): bool {
        return $user->id === $arguments['post']->author_id;
    }

}
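To make the fall-through described in the note above concrete, here is an added, stand-alone model of how such a hierarchy is resolved, using the same roles, permissions and rules as the README. It is illustration code, not the package's own implementation: the walk-up from a permission to the roles that grant it mirrors Yii2's recursive access check, which the README cites as its model, and is an assumption about l-rbac internals; rules here receive the item name as a string rather than an item object.

```php
<?php
// Added illustration, not l-rbac's code. The resolution walk below is modelled
// on Yii2's recursive RBAC check and is an assumption about package internals.
declare(strict_types=1);

interface Rule { public function execute(object $user, string $item, array $args): bool; }

// Same semantics as the README's RoleRule and OwnPostRule.
final class RoleRule implements Rule {
    public function execute(object $user, string $item, array $args): bool { return $user->role === $item; }
}
final class OwnPostRule implements Rule {
    public function execute(object $user, string $item, array $args): bool {
        return isset($args['post']) && $user->id === $args['post']->author_id;
    }
}

// Roles and permissions from the README, keyed by name; 'children' is what the item grants.
$items = [
    'manager'       => ['rule' => new RoleRule(),    'children' => ['updatePost', 'deletePost']],
    'user'          => ['rule' => new RoleRule(),    'children' => ['updateOwnPost']],
    'updatePost'    => ['rule' => null,              'children' => []],
    'updateOwnPost' => ['rule' => new OwnPostRule(), 'children' => ['updatePost']],
    'deletePost'    => ['rule' => null,              'children' => []],
];
$defaultRoles = ['user', 'manager']; // implicitly assigned to everyone; RoleRule decides which applies

// Grant if $name (or any ancestor granting it) reaches a held role with every rule on the path passing.
function allows(array $items, array $defaultRoles, object $user, string $name, array $args, array $seen = []): bool {
    if (!isset($items[$name]) || isset($seen[$name])) { return false; } // unknown item, or a cycle in the graph
    $seen[$name] = true;
    $rule = $items[$name]['rule'];
    if ($rule !== null && !$rule->execute($user, $name, $args)) { return false; } // rule denies this branch
    if (in_array($name, $defaultRoles, true)) { return true; } // reached a role the user holds
    foreach ($items as $parent => $def) { // walk up: does any parent grant $name?
        if (in_array($name, $def['children'], true) && allows($items, $defaultRoles, $user, $parent, $args, $seen)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: one post and three users.
$post    = (object) ['author_id' => 7];
$manager = (object) ['id' => 1, 'role' => 'manager'];
$author  = (object) ['id' => 7, 'role' => 'user'];
$other   = (object) ['id' => 9, 'role' => 'user'];

var_dump(allows($items, $defaultRoles, $manager, 'updatePost', ['post' => $post])); // granted via manager
var_dump(allows($items, $defaultRoles, $author,  'updatePost', ['post' => $post])); // granted via updateOwnPost -> user
var_dump(allows($items, $defaultRoles, $other,   'updatePost', ['post' => $post])); // OwnPostRule denies the only path
var_dump(allows($items, $defaultRoles, $author,  'deletePost', ['post' => $post])); // only manager grants deletePost
```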

Usage

In your code you check access exactly as described in the official Laravel authorization documentation:

if (Gate::allows('updatePost', ['post' => $post])) {
    // The current user can update the post...
}


if (Gate::denies('updatePost', ['post' => $post])) {
    // The current user can't update the post...
}


if (Gate::forUser($user)->allows('updatePost', ['post' => $post])) {
    // The user can update the post...
}

// Via the User model

if ($request->user()->can('updatePost', ['post' => $post])) {
    // The current user can update the post...
}

if ($request->user()->cannot('updatePost', ['post' => $post])) {
    // The current user can't update the post...
}

// In a controller:

$this->authorize('updatePost', ['post' => $post]);

// In blade templates


@can('updatePost', ['post' => $post])
    <!-- The current user can update the post... -->
@else
    <!-- The current user can't update the post... -->
@endcan

A default role is a role that is implicitly assigned to all users. A default role is usually associated with a rule which determines if the role applies to the user being checked.

License

The MIT License (MIT). Please see License File for more information.