Access - RBAC for Laravel 4

My stab at an RBAC system for Laravel 4.

This is probably extremely query intensive and I have not made many attempts to optimize the number of queries ran/in-memory caching being done.

I wrote this with the intention of using it on small systems with a low number of concurrent users. It is made for systems where you need to control permissions on row-basis rather than just some generalized roles and permissions.

Contribution

Bug reports, feature suggestions and code improvements are highly welcome. If you make a pull request, do make sure that your changes pass the unit tests.

Use the github issue system! If you just want to have a chat, look for me in #laravel on freenode.

Installation

Requirements

• PHP 5.4 or higher
• Laravel 4.1 or higher

Install

composer require anlutro/access

Check packagist.org or the github tag list for the latest stable release, or use dev-master if you like living on the edge.

Copy migrations

Copy migrations from vendor/anlutro/access/src/migrations to your app's migration directory. Alternatively, run them with php artisan migrate --package anlutro/access if you just want to play around with the system - copying the migration files manually is recommended for production setups.

Create your user model

Because you probably want to put your own functions and fields on the User model/table, you create the user model yourself. There are two ways to do this and ensure it works with the RBAC system - inheritance (extending a base class) or traits.

class MyUser extends anlutro\Access\Models\User {}

class MyUser extends Eloquent implements anlutro\Access\Interfaces\SubjectInterface
{
	use anlutro\Access\Traits\UserSubject;
}

You are responsible for creating the user table. Remember to update your app/config/auth.php file to reflect your model.

Create one or more resource models

Again you can do this with inheritance or traits:

class MyResource extends anlutro\Access\Models\Resource {}

class MyResource extends Eloquent implements anlutro\Access\Interfaces\ResourceInterface
{
	use anlutro\Access\Traits\ResourceSubject;
}

You are responsible for creating any resource tables.

Usage

First, we need to create some permissions.

use anlutro\Access\Models\Permission;
$lowPermission = Permission::create(['name' => 'Normal Permission']);
$highPermission = Permission::create(['name' => 'High Level Permission']);

Then, let's assign some permissions to actions on one of our resource models. Resource actions with no permissions assigned to them are allowed by default, so be careful.

MyResource::addGlobalPermissionTo('show', $lowPermission);
MyResource::addGlobalPermissionTo('create', $lowPermission);
MyResource::addGlobalPermissionTo('create', $highPermission);
// MyResource::removeGlobalPermissionTo('create', $highPermission);

You can also assign permissions required on specific resources.

$resource = MyResource::first();
$res->addPermissionTo('create', $superHighPermission);
// $res->removePermissionTo('create', $superHighPermission);

Let's create a couple of roles. This step is optional, permissions can be added to users directly if you like - the syntax is exactly the same.

use anlutro\Access\Models\Role;
$userRole = Role::create(['name' => 'User Role']);
$adminRole = Role::create(['name' => 'Admin Role']);
$bannedRole = Role::create(['name' => 'Banned']);
$userRole->addPermission($lowPermission);
$adminRole->addPermission($lowPermission);
$adminRole->addPermission($highPermission);
$bannedRole->denyPermission($lowPermission);

Let's assign the user role to one of our users.

$user = User::first();
$user->addRole($userRole);
// $user->removeRole($userRole);

Now, the user should have access to show, but not create a MyResource.

$resource = MyResource::first();
var_dump( $user->hasPermissionTo('show', $resource) );
$resource = new MyResource;
var_dump( $user->hasPermissionTo('create', $resource) );

If we assign the user the admin role, however, he should have access to create as well.

$user->addRole($adminRole);
var_dump( $user->hasPermissionTo('create', $resource) );

Most of the time you'll be running these checks against the currently logged in user. The Access facade has some handy shorthand functions for this.

use anlutro\Access\Access;
var_dump( Access::allowed('show', $resource) );
var_dump( Access::denied('create', $resource) );

License

The contents of this repository is released under the MIT license.