Enforcer is a simple lightweight acl plugin for CakePHP



1.3 2021-10-24 13:59 UTC

This package is auto-updated.

Last update: 2023-01-16 22:22:35 UTC


Enforcer is a simple lightweight acl plugin for CakePHP 3.x


  • CakePHP 3.x
  • PHP 7.2 >

Installing Using Composer

cd to the root of your app folder (where the composer.json file is) and run the following command:

composer require zunnu/enforcer

Then load the plugin by using CakePHP's console:

./bin/cake plugin load Enforcer

Next create the tables:

./bin/cake migrations migrate -p Enforcer


You will need to modify your src/Controller/AppController.php and load the Enforcer component in the initialize() function:

$this->loadComponent('Enforcer.Enforcer', [
    // Where to send the user when a permission check fails
    'unauthorizedRedirect' => [
        'plugin' => false,
        'controller' => 'Users',
        'action' => 'login',
        'prefix' => false
    ],
    'protectionMode' => 'everything' // everything | filters
]);

The unauthorizedRedirect option tells Enforcer where to redirect when the user gets a permission error. The protectionMode option tells Enforcer how to handle permissions.

protectionModes:
  • everything: Enforcer will automatically try to protect all public controller functions
  • filters: Enforcer will protect the controllers where the protection is called from the beforeFilter()

If the protectionMode filters is enabled you need to add the

// Needs "use Cake\Event\Event;" at the top of the controller file
public function beforeFilter(Event $event) {
    // permission load
    return $this->Enforcer->hasAccess($this->request, $this->Auth->user());
}
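
In filters mode protection is opt-in per controller, so a controller that overrides beforeFilter() without calling hasAccess() or its parent's beforeFilter() is not covered by Enforcer. The Python script below is an added example, not part of Enforcer: a heuristic audit that classifies controller sources accordingly. The sample controllers are constructed, and the brace matching does not account for braces inside string literals.

```python
import re
import sys
from pathlib import Path

def strip_comments(src):
    # Heuristic: drop /* */ and // comments so a commented-out call does not count.
    return re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)

def method_body(src, name):
    # Return the text between the braces of method `name`, or None if absent.
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start + 1:i]
    return src[start + 1:]

def audit(src):
    body = method_body(strip_comments(src), "beforeFilter")
    if body is None:
        return "inherits"      # no override: the parent's beforeFilter() decides
    if re.search(r"->Enforcer->hasAccess\s*\(", body):
        return "checked"
    if re.search(r"parent::beforeFilter\s*\(", body):
        return "delegates"     # protected only if the parent calls hasAccess()
    return "unprotected"       # override that never reaches Enforcer

# Constructed sample controllers (not from the plugin or any real app).
SAMPLES = {
    "BillingController.php": "class BillingController extends AppController {\n"
        "  public function beforeFilter(Event $event) {\n"
        "    return $this->Enforcer->hasAccess($this->request, $this->Auth->user());\n  }\n}",
    "ReportsController.php": "class ReportsController extends AppController {\n"
        "  public function beforeFilter(Event $event) {\n"
        "    // return $this->Enforcer->hasAccess($this->request, $this->Auth->user());\n"
        "    if ($this->request->is('ajax')) { $this->set('title', 'Reports'); }\n  }\n}",
    "OrdersController.php": "class OrdersController extends AppController {\n"
        "  public function beforeFilter(Event $event) { return parent::beforeFilter($event); }\n}",
    "PagesController.php": "class PagesController extends AppController {\n  public function index() {}\n}",
}

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    files = {p.name: p.read_text() for p in root.rglob("*Controller.php")} if root else SAMPLES
    for name, src in sorted(files.items()):
        print(f"{audit(src):12} {name}")
```

Run it with a path such as src/Controller to scan a real app; "inherits" and "delegates" results are only as good as the AppController they fall back to, so check that one first.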


The migrations will create three different groups. You can add, modify or delete groups by going to http://app-address/enforcer/admin/groups/index

  • admin: All-powerful
  • user: Default user group
  • guest: Site visitors

The default admin group should be able to access the permissions page. You should be able to access the page using this URL: http://app-url/enforcer/admin/permissions

[Screenshot: Enforcer permissions]

If the request is AJAX, the permission error will look like this:

[Screenshot: Enforcer permissions]


  • User-specific permissions
  • Grouped controllers, e.g. a user who only has access to billing


Licensed under The MIT License.