Download the PHP package malinichevvv/yii2-access without Composer
On this page you can find all versions of the PHP package malinichevvv/yii2-access. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package yii2-access
Short Description Powerful, flexible RBAC extension for Yii2 with role inheritance, dynamic rules, PHP 8 attributes, caching and audit log
License MIT
Information about the package yii2-access
yii2-access
A powerful, flexible RBAC extension for Yii2 with:
- Hierarchical role inheritance — recursive CTE for MySQL 8+ / PostgreSQL, automatic fallback for older MySQL
- Permission groups — organise permissions by module for clean UI trees
- Dynamic rules — attach a callable to any permission for contextual access decisions
- Two-layer caching — per-request in-memory pool + configurable persistent cache (Redis, etc.) with tag-based invalidation
- PHP 8 attributes — #[RequirePermission] / #[RequireRole] for declarative, zero-boilerplate controller guards
- Behaviors — AccessControlBehavior (controller) and UserAccessBehavior (User model)
- Config-based filter — PermissionFilter for teams who prefer rules in behaviors()
- Static facade — Am::checkAccess() for concise one-liner checks anywhere
- Optional audit log — append-only table for every access-changing operation
- Multi-tenant — optional company_id column scopes roles per tenant
- Full AR models — for all tables, ready for use in admin UIs
- Two migrations — core tables + audit log (can be applied independently)
Requirements
| Requirement | Version |
|---|---|
| PHP | ≥ 8.1 |
| Yii2 | ~2.0 |
Installation
Run the migrations:
Or register the path in your console config:
Configuration
The extension auto-registers the access component via bootstrap. You can override it:
Basic Usage
Via static facade
Via component
PHP 8 Attributes (Recommended)
Attach AccessControlBehavior to your controller, then annotate actions:
Class-level attributes apply to all actions in the controller:
Config-based Filter
For teams that prefer Yii2's declarative style:
User Model Behavior
Add UserAccessBehavior to your User ActiveRecord to call access checks directly on the model:
Managing Roles & Permissions
Role Inheritance
Permissions flow upward: a child role inherits all permissions of its parent roles.
Dynamic Rules
Attach a callable to any permission for contextual access decisions evaluated after the static permission check:
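The following standalone PHP model is an added example, not code from yii2-access: it resolves inherited permissions with a cycle guard and applies a dynamic rule only after the static check passes. The role names, permission codes, array shapes and function names are assumptions, as is the choice that a rule can only narrow a static grant.

```php
<?php
declare(strict_types=1);

// Constructed sample data; names and array shapes are assumptions, not the package schema.
$parents = [                      // child role => parent roles it inherits from
    'manager' => ['clerk'],
    'clerk'   => ['viewer'],
    'viewer'  => ['manager'],     // deliberate cycle, as a mistaken admin edit could create
];
$granted = [                      // role => permissions granted directly
    'viewer'  => ['order.view'],
    'clerk'   => ['order.create'],
    'manager' => ['order.approve'],
];
$rules = [                        // permission => dynamic rule, run after the static check
    'order.approve' => fn(array $ctx): bool => $ctx['amount'] <= 1000,
];

/** Collect a role's own and inherited permissions; $seen stops cyclic graphs from looping. */
function effectivePermissions(string $role, array $parents, array $granted, array &$seen = []): array
{
    if (isset($seen[$role])) {
        return [];
    }
    $seen[$role] = true;
    $perms = $granted[$role] ?? [];
    foreach ($parents[$role] ?? [] as $parent) {
        $perms = array_merge($perms, effectivePermissions($parent, $parents, $granted, $seen));
    }
    return array_values(array_unique($perms));
}

/** Static check first; a dynamic rule can only narrow a grant, never create one. */
function checkAccess(array $roles, string $perm, array $ctx, array $parents, array $granted, array $rules): bool
{
    $held = [];
    foreach ($roles as $role) {
        $held = array_merge($held, effectivePermissions($role, $parents, $granted));
    }
    if (!in_array($perm, $held, true)) {
        return false;             // deny by default; the rule is never consulted
    }
    $rule = $rules[$perm] ?? null;
    return $rule === null || $rule($ctx) === true;
}

var_dump(checkAccess(['manager'], 'order.view', [], $parents, $granted, $rules));                    // inherited via clerk and viewer
var_dump(checkAccess(['manager'], 'order.approve', ['amount' => 5000], $parents, $granted, $rules)); // static grant, narrowed by the rule
var_dump(checkAccess(['viewer'], 'order.delete', [], $parents, $granted, $rules));                   // never granted to any role
```

In this model the constructed cycle gives every role in it the same effective permissions, so inheritance edits deserve the same review as direct grants.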
Multi-Tenant Mode
Enable multiTenant = true to scope roles per company:
Analytics & Comparison
Console Commands
Register the controller in your console config once:
| Command | Description |
|---|---|
| php yii access/flush-cache | Invalidate all access:permissions and access:roles cache tags |
| php yii access/list-roles | List all roles with system/default flags |
| php yii access/list-roles --company-id=5 | Roles for a specific company (multi-tenant) |
| php yii access/list-permissions | List all permissions grouped by module |
| php yii access/list-permissions --module=crm | Permissions for a specific module |
| php yii access/check 42 order.create | Check if user #42 has order.create |
| php yii access/user-roles 42 | Show direct and inherited roles for user #42 |
| php yii access/user-permissions 42 | Show all permissions for user #42 with sources |
Configurable Cache TTLs
Cache durations are instance properties, not hardcoded constants, so you can tune them per environment:
The constants (AccessManager::CACHE_DURATION_*) remain available as documented defaults
and can be referenced in your own code.
Events
The AccessManager component extends yii\base\Component and fires events at every key point.
Attach listeners anywhere in your application bootstrap or module init().
Access check events
| Constant | Class | When |
|---|---|---|
| EVENT_BEFORE_CHECK_ACCESS | AccessCheckEvent | Before any permission check; can short-circuit |
| EVENT_AFTER_CHECK_ACCESS | AccessCheckEvent | After every check; carries $result |
| EVENT_ACCESS_DENIED | AccessCheckEvent | Only when the check fails |
Super-admin bypass (short-circuit pattern):
Access denied logging:
Role events
| Constant | Cancellable | Properties on event |
|---|---|---|
| EVENT_BEFORE_ASSIGN_ROLE | yes | userId, roleId |
| EVENT_AFTER_ASSIGN_ROLE | — | userId, roleId |
| EVENT_BEFORE_REVOKE_ROLE | yes | userId, roleId |
| EVENT_AFTER_REVOKE_ROLE | — | userId, roleId |
| EVENT_BEFORE_CREATE_ROLE | yes | data |
| EVENT_AFTER_CREATE_ROLE | — | roleId, createdRoleId, data |
| EVENT_BEFORE_UPDATE_ROLE | yes | roleId, data |
| EVENT_AFTER_UPDATE_ROLE | — | roleId, data |
| EVENT_BEFORE_DELETE_ROLE | yes | roleId |
| EVENT_AFTER_DELETE_ROLE | — | roleId |
| EVENT_BEFORE_ADD_ROLE_INHERITANCE | yes | parentRoleId, childRoleId |
| EVENT_AFTER_ADD_ROLE_INHERITANCE | — | parentRoleId, childRoleId |
| EVENT_BEFORE_REMOVE_ROLE_INHERITANCE | yes | parentRoleId, childRoleId |
| EVENT_AFTER_REMOVE_ROLE_INHERITANCE | — | parentRoleId, childRoleId |
Cancellable example — guard system roles from deletion:
After-event example — notify a user when their role changes:
Permission events
| Constant | Cancellable | Properties on event |
|---|---|---|
| EVENT_BEFORE_CREATE_PERMISSION | yes | permissionCode, data |
| EVENT_AFTER_CREATE_PERMISSION | — | permissionId, createdPermissionId, permissionCode, data |
| EVENT_BEFORE_UPDATE_PERMISSION | yes | permissionId, data |
| EVENT_AFTER_UPDATE_PERMISSION | — | permissionId, data |
| EVENT_BEFORE_DELETE_PERMISSION | yes | permissionId |
| EVENT_AFTER_DELETE_PERMISSION | — | permissionId |
| EVENT_BEFORE_ADD_PERMISSION_TO_ROLE | yes | roleId, permissionId |
| EVENT_AFTER_ADD_PERMISSION_TO_ROLE | — | roleId, permissionId |
| EVENT_BEFORE_REMOVE_PERMISSION_FROM_ROLE | yes | roleId, permissionId |
| EVENT_AFTER_REMOVE_PERMISSION_FROM_ROLE | — | roleId, permissionId |
Auto-grant to super-admin on permission creation:
Block sensitive permission assignment:
Detaching listeners
Database Schema
| Table | Description |
|---|---|
| access_permission_groups | Module-based groups for organising permissions |
| access_permissions | Individual permission codes |
| access_roles | Role definitions (optionally company-scoped) |
| access_role_permissions | Role ↔ permission pivot |
| access_role_includes | Role inheritance (parent → child) |
| access_user_roles | User ↔ role pivot |
| access_dynamic_rules | Callable-based contextual rules per permission |
| access_audit_log | Append-only audit trail (separate migration) |
Caching
The component uses a two-layer cache strategy:
- Per-request in-memory pool — eliminates repeated DB/cache round-trips within a single HTTP request
- Persistent cache (Redis, Memcache, etc.) — shared across requests with tag-based invalidation
All mutating operations automatically invalidate the relevant cache tags. You can also clear the request pool manually (e.g. in tests):
To disable caching entirely:
Audit Log
When enableAuditLog = true (default), every access-changing operation writes a row to access_audit_log. The table has no foreign keys to users so the log survives user deletion.
To disable:
i18n
Error messages are translatable. Add to your i18n config:
Supported languages: en, ru, uk. Contributions for other languages are welcome.
License
MIT