yiisoft / rbac
Yii Role-Based Access Control
Installs: 66 873
Dependents: 11
Suggesters: 0
Security: 0
Stars: 57
Watchers: 24
Forks: 23
Open Issues: 21
Requires
- php: ^7.4|^8.0
- yiisoft/access: ^1.0
- yiisoft/friendly-exception: ^1.1
Requires (Dev)
- phpunit/phpunit: ^9.5
- roave/infection-static-analysis-plugin: ^1.18
- spatie/phpunit-watcher: ^1.23
- vimeo/psalm: ^4.30|^5.3
Suggests
- yiisoft/rbac-cycle-db: For using Cycle as a storage
- yiisoft/rbac-db: For using Yii Database as a storage
- yiisoft/rbac-php: For using PHP files as a storage
- yiisoft/rbac-rules-container: To create rules via Yii Factory
This package is auto-updated.
Last update: 2023-09-28 08:45:27 UTC
README
Yii Role-Based Access Control
This package provides an RBAC (Role-Based Access Control) library. It is used in the Yii Framework but is usable separately as well.
Features
- Flexible RBAC hierarchy with roles, permissions and rules.
- Role inheritance.
- Data could be passed to rules when checking access.
- Multiple storage adapters.
- Separate storages could be used for user-role assignments and role hierarchy.
- API to manage RBAC hierarchy.
Requirements
- PHP 8.0 or higher.
Installation
The package is installed with composer:
composer require yiisoft/rbac
One of the following storages could be installed as well:
- PHP storage - PHP file storage;
- DB storage - database storage based on Yii DB;
- Cycle DB storage - database storage based on Cycle DBAL.
Also, there is a rule factory implementation - Rules Container (based on Yii Factory).
All these can be replaced with custom implementations.
General usage
Setting up manager
The first step when using RBAC is to configure an instance of Manager:

```php
use Yiisoft\Rbac\AssignmentsStorageInterface;
use Yiisoft\Rbac\ItemsStorageInterface;
use Yiisoft\Rbac\Manager;
use Yiisoft\Rbac\RuleFactoryInterface;

/**
 * @var ItemsStorageInterface $itemsStorage
 * @var AssignmentsStorageInterface $assignmentsStorage
 * @var RuleFactoryInterface $ruleFactory
 */
$manager = new Manager($itemsStorage, $assignmentsStorage, $ruleFactory);
```
It requires specifying the following dependencies:
- Items storage (hierarchy itself).
- Assignments storage where user IDs are mapped to roles.
- Rule factory. Given a rule name stored in items storage it can create an instance of Rule.
Here are a few tips for choosing storage backend:
- Roles and permissions could usually be considered "semi-static", as they only change when you update your application code, so it may make sense to use PHP storage for it.
- Assignments, on the other hand, could be considered "dynamic". They change more often: when creating a new user, or when updating user role from within your application. It may make sense to use database storage for assignments.
Managing RBAC hierarchy
Before being able to check for permissions, an RBAC hierarchy must be defined. Usually it is done via either console commands or migrations. The hierarchy consists of permissions, roles and rules:
- Permissions are granules of access such as "create a post" or "read a post".
- A role is what is assigned to the user. A role is granted one or more permissions. Typical roles are "manager" or "admin".
- A rule is a PHP class that, given some data, answers a single question: "given this data, does the user have the permission asked for?"
In order to create a permission, use the following code:
```php
use Yiisoft\Rbac\ManagerInterface;
use Yiisoft\Rbac\Permission;

/** @var ManagerInterface $manager */
$manager->addPermission(new Permission('createPost'));
$manager->addPermission(new Permission('readPost'));
$manager->addPermission(new Permission('deletePost'));
```
To add some roles:
```php
use Yiisoft\Rbac\ManagerInterface;
use Yiisoft\Rbac\Role;

/** @var ManagerInterface $manager */
$manager->addRole(new Role('author'));
$manager->addRole(new Role('reader'));
```
Next, we need to attach permissions to roles:
```php
use Yiisoft\Rbac\ManagerInterface;

/** @var ManagerInterface $manager */
$manager->addChild('reader', 'readPost');
$manager->addChild('author', 'createPost');
$manager->addChild('author', 'deletePost');
// "author" inherits everything granted to "reader".
$manager->addChild('author', 'reader');
```
Hierarchy for the example above:
```mermaid
flowchart LR
    createPost:::permission ---> author:::role
    readPost:::permission --> reader:::role --> author:::role
    deletePost:::permission ---> author:::role

    classDef permission fill:#fc0,stroke:#000,color:#000
    classDef role fill:#9c0,stroke:#000,color:#000
```
Sometimes, basic permissions are not enough. In this case, rules are helpful. Rules are PHP classes that could be added to permissions and roles:
```php
use Yiisoft\Rbac\Item;
use Yiisoft\Rbac\RuleInterface;

class ActionRule implements RuleInterface
{
    public function execute(string $userId, Item $item, array $parameters = []): bool
    {
        // Grant only when the caller supplied action "home"; anything else is denied.
        return isset($parameters['action']) && $parameters['action'] === 'home';
    }
}
```
With a rule added, the role or permission is considered only when the rule's execute() method returns true.
The parameters are:
- $userId is the user id to check permission against;
- $item is the RBAC hierarchy item that the rule is attached to;
- $parameters is extra data supplied when checking for permission.
To use rules with Manager, specify their names with added permissions or roles:

```php
use Yiisoft\Rbac\ManagerInterface;
use Yiisoft\Rbac\Permission;
use Yiisoft\Rbac\Role;

/** @var ManagerInterface $manager */
$manager->addPermission(
    (new Permission('viewList'))->withRuleName('action_rule'),
);

// or

$manager->addRole(
    (new Role('NewYearMaintainer'))->withRuleName('new_year_only_rule'),
);
```
The rule names action_rule and new_year_only_rule are resolved to ActionRule and NewYearOnlyRule class instances accordingly via the rule factory.
If you need to aggregate multiple rules at once, use composite rule:
```php
use Yiisoft\Rbac\CompositeRule;

// FreshRule and OwnedRule are application-defined classes implementing RuleInterface.

// Fresh and owned
$compositeRule = new CompositeRule(CompositeRule::AND, [new FreshRule(), new OwnedRule()]);

// Fresh or owned
$compositeRule = new CompositeRule(CompositeRule::OR, [new FreshRule(), new OwnedRule()]);
```
Assigning roles to users
In order to assign a certain role to a user with a given ID, use the following code:
```php
use Yiisoft\Rbac\ManagerInterface;

/** @var ManagerInterface $manager */
$userId = 100;
$manager->assign('author', $userId);
```
It could be done in an admin panel, via console command, or it could be built into the application business logic itself.
Check for permission
In order to check for permission, obtain an instance of Yiisoft\Access\AccessCheckerInterface and use it:

```php
use Psr\Http\Message\ResponseInterface;
use Yiisoft\Access\AccessCheckerInterface;

public function actionCreate(AccessCheckerInterface $accessChecker): ResponseInterface
{
    // getUserId() stands for however the application resolves the current user.
    $userId = getUserId();
    if ($accessChecker->userHasPermission($userId, 'createPost')) {
        // author has permission to create post
    }
}
```
Sometimes you need to add guest-only permission, which is not assigned to any user ID. In this case, you can specify a role which is assigned to guest user:
```php
use Yiisoft\Access\AccessCheckerInterface;
use Yiisoft\Rbac\ManagerInterface;
use Yiisoft\Rbac\Permission;
use Yiisoft\Rbac\Role;

/**
 * @var ManagerInterface $manager
 * @var AccessCheckerInterface $accessChecker
 */
$manager->setGuestRoleName('guest');
$manager->addPermission(new Permission('signup'));
$manager->addRole(new Role('guest'));
$manager->addChild('guest', 'signup');

// A null user ID is resolved to the guest role.
$guestId = null;
if ($accessChecker->userHasPermission($guestId, 'signup')) {
    // Guest has "signup" permission.
}
```
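The two checks above (an authenticated user and a guest with a null ID) are usually made at the edge of the application rather than inside every action. The following is an added example, not code from the README or the yiisoft/rbac package: a PSR-15 middleware that denies by default and returns 403 unless the checker explicitly grants the permission. The class name RequirePermission, the request attribute name `userId` (assumed to be set by an authentication middleware) and the PSR-17 response factory wiring are assumptions of this example.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Yiisoft\Access\AccessCheckerInterface;

/**
 * Hypothetical PSR-15 middleware: the handler behind it runs only when the
 * current user holds the configured permission. Unauthenticated requests
 * carry a null user ID, so the check falls through to the guest role set
 * with Manager::setGuestRoleName(); if no guest role is configured, the
 * checker returns false and the request is rejected.
 */
final class RequirePermission implements MiddlewareInterface
{
    // Request attribute an authentication middleware is assumed to populate
    // with the authenticated user's ID (assumption of this example).
    public const USER_ID_ATTRIBUTE = 'userId';

    public function __construct(
        private AccessCheckerInterface $accessChecker,
        private ResponseFactoryInterface $responseFactory,
        private string $permissionName,
    ) {
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Missing attribute means "guest": null is passed through to the checker as-is.
        $userId = $request->getAttribute(self::USER_ID_ATTRIBUTE);

        // Deny by default: the inner handler is never reached on a failed check.
        if (!$this->accessChecker->userHasPermission($userId, $this->permissionName)) {
            return $this->responseFactory->createResponse(403);
        }

        return $handler->handle($request);
    }
}

/**
 * @var AccessCheckerInterface $accessChecker
 * @var ResponseFactoryInterface $responseFactory
 */
// Guards for the permissions defined earlier in this README.
$createPostGuard = new RequirePermission($accessChecker, $responseFactory, 'createPost');
$signupGuard = new RequirePermission($accessChecker, $responseFactory, 'signup');
```

Attach each guard to the routes it protects; because the middleware returns 403 rather than throwing, a missing guest role or a revoked assignment degrades to a denial instead of an unhandled error path.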
If there is a rule involved, you may pass extra parameters:
```php
use Yiisoft\Rbac\ManagerInterface;

/** @var ManagerInterface $manager */
$anotherUserId = 103;
if (!$manager->userHasPermission($anotherUserId, 'viewList', ['action' => 'home'])) {
    echo 'user hasn\'t "viewList" permission';
}
```
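Putting the rule mechanism and the parameter passing together, here is an added example that is not part of the README or the package: an ownership rule with the execute() signature shown above that fails closed when the caller forgets to pass the post, and a RuleFactoryInterface implementation that resolves stored rule names through an explicit allowlist so that a name persisted in the items storage can never instantiate an arbitrary class. The classes OwnedRule and AllowlistRuleFactory, the names `owned_rule` and `updatePost`, and the post arrays are assumptions of this example; the `author` role is the one created earlier in this README.

```php
<?php
declare(strict_types=1);

use Yiisoft\Rbac\Item;
use Yiisoft\Rbac\ManagerInterface;
use Yiisoft\Rbac\Permission;
use Yiisoft\Rbac\RuleFactoryInterface;
use Yiisoft\Rbac\RuleInterface;

// Hypothetical rule: the permission applies only to posts the checked user authored.
final class OwnedRule implements RuleInterface
{
    public function execute(string $userId, Item $item, array $parameters = []): bool
    {
        // Fail closed: without a post in the parameters there is no ownership to prove.
        if (!isset($parameters['post']) || !is_array($parameters['post'])) {
            return false;
        }
        $post = $parameters['post'];

        // Compare as strings so an integer ID from the database equals the string $userId.
        return isset($post['authorId']) && (string) $post['authorId'] === $userId;
    }
}

// Hypothetical rule factory: an explicit map from stored rule names to classes.
final class AllowlistRuleFactory implements RuleFactoryInterface
{
    /** @param array<string, class-string<RuleInterface>> $map */
    public function __construct(private array $map)
    {
    }

    public function create(string $name): RuleInterface
    {
        if (!isset($this->map[$name])) {
            // An unknown name is a configuration error; throwing is safer than granting.
            throw new \RuntimeException(sprintf('Unknown RBAC rule "%s".', $name));
        }
        $class = $this->map[$name];

        return new $class();
    }
}

/**
 * @var ManagerInterface $manager  Assumed to be constructed with
 *                                 new AllowlistRuleFactory(['owned_rule' => OwnedRule::class])
 */
$manager->addPermission((new Permission('updatePost'))->withRuleName('owned_rule'));
$manager->addChild('author', 'updatePost');

$userId = 100; // assigned the "author" role earlier in this README
$ownPost = ['id' => 7, 'authorId' => 100];   // constructed sample data
$othersPost = ['id' => 8, 'authorId' => 42]; // constructed sample data

$manager->userHasPermission($userId, 'updatePost', ['post' => $ownPost]);    // true: author owns the post
$manager->userHasPermission($userId, 'updatePost', ['post' => $othersPost]); // false: rule rejects it
$manager->userHasPermission($userId, 'updatePost');                          // false: no post supplied
```

The last call is the case to design for: a rule that returned true on missing parameters would turn every code path that forgets to pass the post into a silent privilege grant, so the rule treats absent data as a denial.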
Testing
Unit testing
The package is tested with PHPUnit. To run tests:
./vendor/bin/phpunit
Mutation testing
The package tests are checked with Infection mutation framework with Infection Static Analysis Plugin. To run it:
./vendor/bin/roave-infection-static-analysis-plugin
Static analysis
The code is statically analyzed with Psalm. To run static analysis:
./vendor/bin/psalm
License
The Yii Role-Based Access Control is free software. It is released under the terms of the BSD License.
Please see LICENSE for more information.
Maintained by Yii Software.