Download the PHP package xfra35/f3-access without Composer

On this page you can find all versions of the php package xfra35/f3-access. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package f3-access

Access

Route access control for the PHP Fat-Free Framework

This plugin for Fat-Free Framework helps you control access to your routes.

Requirements

This plugin takes care about authorization, not authentication. So before using it, make sure you have a way to identify your app users.

Installation

To install this plugin, just copy the lib/access.php file into your lib/ or your AUTOLOAD folder.

Basic usage

Instantiate the plugin and define a default access policy (allow or deny) for your routes:

Then define a set of rules to protect a specific route:

or a group of routes:

And call the authorize() method where it fits your app best (before or after $f3->run()):

That's it!

We have restricted access to /secured.htm and to all the URIs starting by /protected. Any user not identified as "admin" will get an error.

Bear in mind that "admin" can be anything meaningful to your application: a user name, group, role, right, etc..

So instead of "admin", we could have granted access to "[email protected]" or "admin-role" or "Can access admin area".

For this reason, from now on we will call "admin" a subject.

Multiple subjects can be addressed by a single rule:

NB: subject names can contain any character but commas.

Advanced usage

Authorization failure

A denied access will result in a 403 error if the subject is identified or a 401 if it is not. In our first example:

You can provide a callback to the authorize() method, which will be triggered when authorization fails:

The default behaviour (403/401) is then skipped, unless the fallback returns FALSE.

HTTP methods access control

Route permissions can be defined at HTTP method level:

In this example, only "admin" can modify /path. Any other subject can only GET it.

IMPORTANT: providing no HTTP method is equivalent to providing all HTTP methods (unless you're using named routes, see below).

E.g:

Simple permission check

If you need to check access permissions to a route for a specific subject, use the granted() method:

This method performs a simple check and doesn't take any action (no error thrown).

Rules processing order

Path precedence

Rules are sorted from the most specific to the least specific path before being processed. So the following rules:

are processed in the following order:

IMPORTANT: the first rule for which the path matches applies. If no rule matches, the default policy applies.

Subject precedence

Specific subject rules are processed before global rules. So the following rules:

are processed in the following order:

Routes uniqueness

Rules are indexed by subject name and routes, so you can't have two rules for the same subject and the same route. If the case arises, the second rule erases the first:

In this example:

Path case insensitivity

For security purposes, paths are considered case insensitive, no matter the value of the framework CASELESS variable.

Therefore, the following rules are equivalent:

Wildcards and tokens

Wildcards can be used at various places:

NB: wildcards match empty strings, so /admin* match /admin.

Routes tokens are also supported, so $f3->allow('/blog/@id/@slug') is recognized.

Since the plugin doesn't make use of the token names, you can as well drop them: $f3->allow('/blog/@/@')

In other words, @ is a wildcard for any character which is not a forward slash, whereas * matches everything, including forward slashes.

IMPORTANT: read the Pitfall section.

Named routes

If you're using named routes, you can directly refer to their aliases: $f3->allow('@blog_entry');

In that case, providing no HTTP method is equivalent to providing the methods which are actually mapped to the given route. See:

Ini configuration

Configuration is possible from within an .ini file, using the ACCESS variable.

Rules should be prefixed by the keywords "allow" or "deny" (case-insensitive):

It works with HTTP verbs as well:

Practical configuration examples

Secure an admin area

Secure MVC-like routes

Secure RMR-like routes

Secure a members-only site

Pitfall

Static routes overriding dynamic routes

Be careful when having static routes overriding dynamic routes.

Although not advised, the following setup is made possible by the framework:

From an authorization point of view, we may be tempted to write:

Doing so, we might think that the edit_role can't access the /admin/user/new path, but this is an illusion.

Indeed, the @id token match any string, including new.

To be convinced of this, just think that there's no difference between /admin/user/@id and /admin/user/@anything.

So in order to achieve a complete separation of roles, the correct configuration would be, in this situation:

A clearer setup would be:

API

policy( $default=NULL )

Get/set the default policy (default='allow')

allow( $route, $subjects='' )

Allow specified subject(s) to access a given route

deny( $route, $subjects='' )

Deny specified subject(s) access to a given route

granted( $route, $subject='' )

Return TRUE if the given subject is granted access to the given route

NB: you can also check access against a set of subjects. This is useful for example if you've implemented a system of user roles or groups:

authorize( $subject='', $ondeny=NULL )

Return TRUE if the given subject is granted access to the current route

If $subject is not provided, authorization is performed against "any" subject.

$ondeny should be a valid F3 callback (either a PHP callable or a string)

See here for details about what happens when authorization fails.

NB: you can also perform authorization against a set of subjects. This is useful for example if you've implemented a system of user roles or groups: just pass the array of roles/groups to authorize a user. E.g:

Potential improvements


All versions of f3-access with dependencies

PHP Build Version
Package Version
Requires bcosca/fatfree-core Version 3.*
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package xfra35/f3-access contains the following files

Loading the files please wait ....