Download the PHP package mimmi20/mezzio-generic-authorization-rbac without Composer
On this page you can find all versions of the php package mimmi20/mezzio-generic-authorization-rbac. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download mimmi20/mezzio-generic-authorization-rbac
More information about mimmi20/mezzio-generic-authorization-rbac
Files in mimmi20/mezzio-generic-authorization-rbac
Package mezzio-generic-authorization-rbac
Short Description Provides a laminas-permissions-rbac adapter for mezzio-generic-authorization.
License MIT
Homepage https://github.com/mimmi20/mezzio-generic-authorization-rbac
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package mezzio-generic-authorization-rbac
mezzio-generic-authorization-rbac
Code Status
This library provides a laminas-rbac adapter for mezzio-generic-authorization.
Installation
You can install the mezzio-generic-authorization-rbac library with Composer:
Introduction
This component provides Role-Based Access Control (RBAC) authorization abstraction for the mezzio-generic-authorization library.
RBAC is based on the idea of roles. In a web application, users have an identity (e.g. username, email, etc). Each identified user then has one or more roles (e.g. admin, editor, guest). Each role has a permission to perform one or more actions (e.g. access an URL, execute specific web API calls).
In a typical RBAC system:
- An identity has one or more roles.
- A role requests access to a permission.
- A permission is given to a role.
Thus, RBAC has the following model:
- Many-to-many relationship between identities and roles.
- Many-to-many relationship between roles and permissions.
- Roles can have a parent role.
The first requirement for an RBAC system is identities. In our scenario, the
users are generated by an authentication system, provided by
mezzio-authentication.
That library provides a PSR-7 request attribute named
Mezzio\Authentication\UserInterface when a user is authenticated.
The RBAC system uses this instance to get information about the user's identity.
Configure an RBAC system
You can configure your RBAC using a configuration file, as follows:
In the above example, we designed an RBAC system with 3 roles: administator,
editor, and contributor. We defined a hierarchy of roles as follows:
administratorhas no parent role.editorhasadministratoras a parent. That meansadministratorinherits the permissions of theeditor.contributorhaseditoras a parent. That meanseditorinherits the permissions ofcontributor, and following the chain,administatorinherits the permissions ofcontributor.
For each role, we specified an array of permissions. As you can notice, a
permission is just a string; it can represent anything. In our implementation,
this string represents a route name. That means the contributor role can
access the routes admin.dashboard and admin.posts but cannot access the
routes admin.publish (assigned to editor role) and admin.settings
(assigned to administrator).
If you want to change the authorization logic for each permission, you can write
your own Mimmi20\Mezzio\GenericAuthorization\AuthorizationInterface implementation.
That interface defines the following method:
where $role is the role, $resource is the resource, $privilege is an privilege and $request is the PSR-7 HTTP request to authorize.
This library uses the laminas/laminas-permissions-rbac library to implement the RBAC system. Privileges are not supported in this RBAC implementation. If you want to know more about the usage of this library, read the blog post Manage permissions with laminas-permissions-rbac.
Dynamic Assertion
In some cases you will need to authorize a role based on a specific HTTP request. For instance, imagine that you have an "editor" role that can add/update/delete a page in a Content Management System (CMS). We want to prevent an "editor" from modifying pages they have not created.
These types of authorization are called dynamic assertions
and are implemented via the Laminas\Permissions\Rbac\AssertionInterface of
laminas-permissions-rbac.
In order to use it, this package provides LaminasRbacAssertionInterface,
which extends Laminas\Permissions\Rbac\AssertionInterface:
The Laminas\Permissions\Rbac\AssertionInterface defines the following:
Going back to our use case, we can build a class to manage the "editor" authorization requirements, as follows:
Where Article is a class that checks if the identified user is the owner of
the article referenced in the HTTP request.
If you manage articles using a SQL database, the implementation of
isUserOwner() might look like the following:
To pass the Article dependency to your assertion, you can use a Factory class
that generates the EditorAuth class instance, as follows:
And configure the service container to use EditorAuthFactory to point to
EditorAuth, using the following configuration:
License
This package is licensed using the MIT License.
Please have a look at LICENSE.md.
All versions of mezzio-generic-authorization-rbac with dependencies
laminas/laminas-permissions-rbac Version ^3.7.0
mimmi20/mezzio-generic-authorization Version ^3.0.7
psr/container Version ^1.1.2 || ^2.0.2
psr/http-message Version ^1.0.1 || ^2.0