Skip to content

imarc/auth

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Imarc's RBAC and ACL Authorization

This project combines more traditional RBAC methods with user centric and dynamic overrides for a nice middle ground. It allows you to define a role based access control list as well as create entity or model level instance overrides and dynamic logic for more complex checks.

ACLs

Creating an ACL

$acl = new Auth\ACL();

Adding a Role Access

  • First parameter is the name of the role (case insenstive)
  • Second parameter is a class of objects or string (case insenstive)
  • Third parameter is array of allowed actions
$acl->allow('Admin', 'User', ['create', 'read', 'update', 'delete']);

Aliasing Access

$acl->alias('manage', ['create', 'read', 'update', 'delete']);

Adding Using Alias

$acl->allow('Admin', 'Article', ['manage']);

Authorization Manager

You can create an authorization manager for your authorized user. The object you pass to the constructor must implement the Auth\EntityInterface which contains two methods:

  • getRoles() - returns an array of all the roles the object/entity contains
  • getPermissions() - returns user specific ACLs which overload roles

Creating the Manager

$manager = new Auth\Manager($user);

Adding an ACL

$manager->add($acl)

Checking the Managed Entity's Role

$manager->is('Admin');

Checking the Managed Entity's Effective Permission

$manager->can('create', 'Article');

Or with an object of matching class:

$manager->can('create', $article);

Checking Entities Implementing AuthInterface

The AuthInterface provides a way in which entities can provide custom logic to authorize managed entities against themselves. Using the previous example:

$manager->can('create', $article);

If the $article parameter is an object implementing AuthInterface the manager will call the can() method on it passing the manager instance as the first parameter, and the permission which is being checked as the second. The article can then do something such as the following:

public function can(Manager $manager, $permission)
{
	if ($manager->has($permission, $this)) {
		return TRUE;
	}

	return $manager->entity == $this->getOwner();
}

In this example the entity checks to see if its owner is the managed entity to provide permission for any action which is not otherwise granted.

Code Check and Testing

Run Analysis:

php vendor/bin/phpstan -l7 analyse src/

Run Tests:

php vendor/bin/phpunit --bootstrap vendor/autoload.php test/cases

About

iMarc's RBAC and ACL Authorization

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages