Role-based authorization for the Slim framework

3.0.0 2020-01-26 19:56 UTC

This package is auto-updated.

Last update: 2020-07-26 21:12:00 UTC


Build Status Test Coverage

Role-based authorization

Middleware for the Slim 4 framework.

For Slim 3 use the 1.0.0 release.


With Composer:

composer require tkhamez/slim-role-auth



use Tkhamez\Slim\RoleAuth\RoleMiddleware;
use Tkhamez\Slim\RoleAuth\SecureRouteMiddleware;

$app = Slim\Factory\AppFactory::create();

// Deny access if a required role is missing
$app->add(new SecureRouteMiddleware(
    new Slim\Psr7\Factory\ResponseFactory(), // any implementation of Psr\Http\Message\ResponseFactoryInterface
        // route pattern -> roles, first "starts-with" match is used
        '/secured/public' => ['any'],
        '/secured'        => ['user'],
    ['redirect_url' => null] // optionally add "Location" header instead of 403 status code

// Add roles to request attribute
$app->add(new RoleMiddleware(
    new App\RoleProvider(), // any implementation of Tkhamez\Slim\RoleAuth\RoleProviderInterface
    ['route_pattern' => ['/secured']] // optionally limit to these routes

// Add routing middleware last, so the `route` attribute from `$request` is available
// (this replaces the determineRouteBeforeAppMiddleware setting from Slim 3).
  • The SecureRouteMiddleware denies access to a route if the required role is missing in the roles request attribute.
  • The RoleMiddleware class adds the roles attribute to the request object with roles provided by the RoleProvider class.
  • You can add several role providers for different paths.

For more information, see the inline documentation for the classes.



  • Raised minimum PHP version to 7.2
  • Added a class constant for the name of the request attribute that holds the roles and changed its name.


Compatibility with Slim 4.4


Update for Slim 4.


First stable release.