sam-it / abac
Attribute based access control
Installs: 18 864
Dependents: 2
Suggesters: 0
Security: 0
Stars: 5
Watchers: 3
Forks: 4
Open Issues: 0
Requires
- php: >= 8.1
- nikic/iter: ^2
Requires (Dev)
- captainhook/plugin-composer: ^5.3
- phpstan/extension-installer: ^1.1
- phpstan/phpstan: ^1.6
- phpstan/phpstan-phpunit: ^1.1
- phpstan/phpstan-strict-rules: ^1.2
- phpunit/phpunit: >= 9
- ramsey/conventional-commits: ^1.3
- symplify/easy-coding-standard: ^10.2
- vimeo/psalm: ^4.22
README
A simple framework for implementing ABAC in your application.
Rules
Rules implement business logic, the input for rule execution consists of:
- source: The actor, usually the current user
- target: The subject, the entity that the actor wishes to act upon
- permission: The action the actor wishes to take
- environment: The environment should contain anything else the business rules may need
Rules are encouraged to do recursive access check. A typical rule could be WriteImpliesRead, since for most systems when you can write an object you can also read it.
Implementation could look like this:
public function execute( object $source, object $target, string $permission, Environment $environment, AccessChecker $accessChecker ): bool { return $permission === 'read' && $accessChecker->check($source, $target, 'write'); }
Environment
Consider a rule that allows access only during office hours. The current time should then be set in the environment. Reasoning behind this is that having 1 location for the environment allows for easy testing as well as a single source of truth.
Infinite loops
Rules can contain infinite loops, we track recursion depth to detect these loops.