{"id":20674712,"url":"https://github.com/olivier127/rbac-bundle","last_synced_at":"2025-10-10T21:11:49.548Z","repository":{"id":38828326,"uuid":"471298346","full_name":"Olivier127/rbac-bundle","owner":"Olivier127","description":"PhpRBACBundle is symfony 7 bundle with full access control library for PHP. It provides NIST Level 2 Standard Hierarchical Role Based Access Control as an easy to use library to PHP developers. It's a rework of the phprbac.net library made by OWASP for synfony 7","archived":false,"fork":false,"pushed_at":"2025-03-18T10:47:44.000Z","size":139,"stargazers_count":23,"open_issues_count":3,"forks_count":12,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-19T18:11:26.676Z","etag":null,"topics":["access-control","access-management","acl","authorization","permission","permissions","php","phprbac","rbac","security","symfony-bundle","symfony6"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Olivier127.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-18T08:58:32.000Z","updated_at":"2025-03-18T10:42:48.000Z","dependencies_parsed_at":"2023-02-09T19:01:20.907Z","dependency_job_id":"fc13d1ad-a541-4cac-9fb1-bd998148cd2f","html_url":"https://github.com/Olivier127/rbac-bundle","commit_stats":{"total_commits":62,"total_committers":8,"mean_commits":7.75,"dds":0.564516129032258,"last_synced_commit":"e131496dba70cd2c19ae0cf4793a7fe161504ff2"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/Oliv
ier127/rbac-bundle","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Olivier127%2Frbac-bundle","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Olivier127%2Frbac-bundle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Olivier127%2Frbac-bundle/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Olivier127%2Frbac-bundle/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Olivier127","download_url":"https://codeload.github.com/Olivier127/rbac-bundle/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Olivier127%2Frbac-bundle/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267633103,"owners_count":24118752,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-29T02:00:12.549Z","response_time":2574,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","access-management","acl","authorization","permission","permissions","php","phprbac","rbac","security","symfony-bundle","symfony6"],"created_at":"2024-11-16T21:06:46.889Z","updated_at":"2025-10-03T15:45:32.631Z","avatar_url":"https://github.com/Olivier127.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PhpRbacBundle\n\nPhpRBACBundle is a Symfony 7 bundle with a full access control library for PHP. It provides NIST Level 2 Standard Hierarchical Role Based Access Control as an easy to use library to PHP developers. It is a rework of the phprbac.net library made by OWASP for Symfony 6.\n\n## Table of Contents\n\n* [How it works?](#how-it-works)\n* [Installation](#installation)\n* [Configuration](#configuration)\n    * [Prepare Symfony](#prepare-symfony)\n    * [Add PhpRbac configuration](#add-phprbac-configuration)\n    * [Roles and permissions creation](#roles-and-permissions-creation)\n    * [Make the rbac relations](#make-the-rbac-relations)\n    * [Assign Role to the user and check permission](#assign-role-to-the-user-and-check-permission)\n* [RBAC for controller](#rbac-for-controller)\n* [Voter based RBAC](#voter-based-rbac)\n* [Symfony CLI commands](#symfony-cli-commands)\n* [Twig functions](#twig)\n\n## How it works?\n\nSee https://phprbac.net/ for a representation of permissions and roles and of how they interact.\n\n\u003ccenter\u003e\n\u003cfigure style=\"background-color: white\"\u003e\n\u003cimg src=\"https://phprbac.net/img/rbac.png\"\n     alt=\"Roles and Permissions\"\n     height=\"75%\" width=\"75%\"\n     /\u003e\n\u003cfigcaption\u003eA hierarchical RBAC model of a system. Blue: roles, Gray: users, Yellow: permissions\n\u003c/figcaption\u003e\n\u003c/figure\u003e\n\u003c/center\u003e\n\n## Installation\n\nJust install the package with Composer:\n\n\u003cpre\u003ecomposer require olivier127/rbac-bundle\u003c/pre\u003e\n\nRegister the bundle inside config/bundles.php:\n\n```php\nreturn [\n    ...\n    PhpRbacBundle\\PhpRbacBundle::class =\u003e ['all' =\u003e true],\n];\n```\n\nAdd the `PhpRbacBundle\\Entity\\UserRoleTrait` to your User entity class to add the RBAC role relation.\n\nUpdate the database schema with a Doctrine migration or `doctrine:schema:update` to create all the tables.\n\n## Configuration\n\n### Prepare Symfony\n\nSpecify the different sections requiring prior authentication in the firewall 
security configuration section.\n\nThe RBAC checks only apply to authenticated sections of the website. Therefore, we use the basic ROLE_USER for all users. ROLE_ADMIN can be used for the main administrator, but their rights are only allocated by associating them with the role '/' at the root of the roles tree.\n\nExample:\n```yaml\n# config/packages/security.yaml\nsecurity:\n    # ...\n\n    role_hierarchy:\n        ROLE_ADMIN: ROLE_USER\n\n    access_control:\n        - { path: ^/backend, roles: ROLE_USER }\n        - { path: ^/todolist, roles: ROLE_USER }\n```\n\n### Add PhpRbac configuration\n\nYou must create your own entities for driving permissions and roles.\n\nExample:\n\n```php\n/* src/Entity/Role.php */\nnamespace App\\Entity;\n\nuse Doctrine\\ORM\\Mapping as ORM;\nuse PhpRbacBundle\\Entity\\Role as EntityRole;\nuse PhpRbacBundle\\Repository\\RoleRepository;\n\n#[ORM\\Entity(repositoryClass: RoleRepository::class)]\n#[ORM\\Table('rbac_roles')]\nclass Role extends EntityRole\n{\n}\n```\n\n```php\n/* src/Entity/Permission.php */\nnamespace App\\Entity;\n\nuse Doctrine\\ORM\\Mapping as ORM;\nuse PhpRbacBundle\\Entity\\Permission as EntityPermission;\nuse PhpRbacBundle\\Repository\\PermissionRepository;\n\n#[ORM\\Entity(repositoryClass: PermissionRepository::class)]\n#[ORM\\Table('rbac_permissions')]\nclass Permission extends EntityPermission\n{\n}\n```\n\nAdd php_rbac.yaml to associate these entities with the RBAC core. Keep `no_authentication_section.default` at `deny` so that the RBAC checks fail closed outside the authenticated sections:\n```yaml\n# config/packages/php_rbac.yaml\nphp_rbac:\n  no_authentication_section:\n    default: deny\n  resolve_target_entities:\n    user: App\\Entity\\User\n    role: App\\Entity\\Role\n    permission: App\\Entity\\Permission\n```\n\n### Roles and permissions creation\n\nAdd all the roles and permissions you need with the RoleManager and the PermissionManager.\n\nExamples:\n\nTo add a permission to the root:\n```php\n/** @var PhpRbacBundle\\Core\\PermissionManager $manager */\n$manager = 
$this-\u003econtainer-\u003eget(PermissionManager::class);\n$permission = $manager-\u003eadd(\"notepad\", \"Notepad\", PermissionManager::ROOT_ID);\n```\n\nTo add a chain of permissions:\n```php\n/** @var PhpRbacBundle\\Core\\PermissionManager $manager */\n$manager = $this-\u003econtainer-\u003eget(PermissionManager::class);\n$manager-\u003eaddPath(\"/notepad/todolist/read\", ['notepad' =\u003e 'Notepad', 'todolist' =\u003e \"Todo list\", \"read\" =\u003e \"Read Access\"]);\n```\n\n### Make the rbac relations\n\nAdding roles uses the same methods.\n\nFor the example, we use the role chain \"/editor/reviewer\": the reviewer is a subrole of the editor, and the editor is a subrole of the root \"/\".\n```php\n/** @var PhpRbacBundle\\Core\\RoleManager $manager */\n$manager = $this-\u003econtainer-\u003eget(RoleManager::class);\n$manager-\u003eaddPath(\"/editor/reviewer\", ['editor' =\u003e 'Editor', 'reviewer' =\u003e \"Reviewer\"]);\n```\n\nAssign permissions to roles:\n```php\n/** @var PhpRbacBundle\\Core\\RoleManager $manager */\n$manager = $this-\u003econtainer-\u003eget(RoleManager::class);\n$editorId = $manager-\u003egetPathId(\"/editor\");\n$editor = $manager-\u003egetNode($editorId);\n$reviewerId = $manager-\u003egetPathId(\"/editor/reviewer\");\n$reviewer = $manager-\u003egetNode($reviewerId);\n\n$manager-\u003eassignPermission($editor, \"/notepad\");\n$manager-\u003eassignPermission($reviewer, \"/notepad/todolist/read\");\n$manager-\u003eassignPermission($reviewer, \"/notepad/todolist/write\");\n```\n\nThe editor role will have the `/notepad` permission and all its sub-permissions, while the reviewer role will only have the `/notepad/todolist/read` and `/notepad/todolist/write` permissions.\n\n### Assign Role to the user and check permission\n\nIf the `UserRoleTrait` is in the `User` class, it provides `addRbacRole`.\nJust add the role to this entity:\n\n```php\n/** @var PhpRbacBundle\\Core\\RoleManager $manager */\n$manager = 
$this-\u003econtainer-\u003eget(RoleManager::class);\n$editorId = $manager-\u003egetPathId(\"/editor\");\n$editor = $manager-\u003egetNode($editorId);\n\n$user = $userRepository-\u003efind($userId);\n$user-\u003eaddRbacRole($editor); // attach the editor role node to the user\n$userRepository-\u003eadd($user, true);\n```\n\nTo test a user's permission or role, use the `PhpRbacBundle\\Core\\Rbac` class:\n```php\n$rbacCtrl = $this-\u003econtainer-\u003eget(Rbac::class);\n$rbacCtrl-\u003ehasPermission('/notepad', $userId);\n$rbacCtrl-\u003ehasRole('/editor/reviewer', $userId);\n```\n\n## RBAC for controller\n\nJust add the `IsGranted` attribute as in this example. The attributes `IsGranted` and `HasRole` check the permission or role of the current user.\n\n```php\nnamespace App\\Controller;\n\n...\nuse PhpRbacBundle\\Attribute\\AccessControl as RBAC;\n\n#[Route('/todolist')]\n#[RBAC\\IsGranted('/notepad/todolist/read')]\nclass TodolistController extends AbstractController\n{\n    #[RBAC\\IsGranted('/notepad/todolist/read')]\n    #[Route('/', name: 'app_todolist_index', methods: ['GET'])]\n    public function index(TodolistRepository $todolistRepository): Response\n    {\n        ...\n    }\n\n    #[RBAC\\IsGranted('/notepad/todolist/write')]\n    #[Route('/new', name: 'app_todolist_new', methods: ['GET', 'POST'])]\n    public function new(Request $request, TodolistRepository $todolistRepository): Response\n    {\n        ...\n    }\n\n    #[RBAC\\IsGranted('/notepad/todolist/read')]\n    #[Route('/{id}', name: 'app_todolist_show', methods: ['GET'])]\n    public function show(Todolist $todolist): Response\n    {\n        ...\n    }\n\n    #[RBAC\\IsGranted('/notepad/todolist/write')]\n    #[Route('/{id}/edit', name: 'app_todolist_edit', methods: ['GET', 'POST'])]\n    public function edit(Request $request, Todolist $todolist, TodolistRepository $todolistRepository): Response\n    {\n        ...\n    }\n\n    #[RBAC\\IsGranted('/notepad/todolist')]\n    #[Route('/{id}', name: 'app_todolist_delete', methods: ['POST'])]\n    public 
function delete(Request $request, Todolist $todolist, TodolistRepository $todolistRepository): Response\n    {\n        ...\n    }\n}\n```\n\nThe first `RBAC\\IsGranted` on the class checks the lowest permission the current user needs to reach the controller at all.\nThe `RBAC\\IsGranted` on each action checks the minimum permission needed for that action.\n\nIn the example:\n- The permission `/notepad/todolist/read` gives access to the whole controller, and so to the index and show actions.\n- The permission `/notepad/todolist/write` gives access to create and edit todo lists.\n- The permission `/notepad/todolist`, parent of the read and write permissions, gives access to delete.\n\nBecause `/notepad/todolist` is the parent node, holding it also grants the read and write permissions.\n\n## Voter based RBAC\n\nWith RbacVoter, you can use Symfony security to check the user's RBAC permissions (not the roles) through Symfony's own `#[IsGranted]` attribute (`Symfony\\Component\\Security\\Http\\Attribute\\IsGranted`).\n\nExample:\n\n```php\n    #[IsGranted('/todolist/index', statusCode: 403, message: 'Access denied for user')]\n    #[Route('/', name: 'app_todo_list_index', methods: ['GET'])]\n    public function index(TodoListRepository $todoListRepository): Response\n```\n\nYou need to set the access decision strategy to unanimous (every voter must grant access).\n\nAdd these lines to `config/packages/security.yaml`:\n\n```yaml\nsecurity:\n    ...\n    access_decision_manager:\n        strategy: unanimous\n        allow_if_all_abstain: false\n```\n\n## Symfony CLI commands\n\nThe install command sets the root node role and permission and associates them.\n```shell\nsecurity:rbac:install\n```\n\nAdd a permission into the rbac permissions tree\n```shell\nsecurity:rbac:permission:add\n```\n\nAdd a role into the rbac roles tree\n```shell\nsecurity:rbac:role:add\n```\n\nAssign a permission to a role\n```shell\nsecurity:rbac:role:assign-permission\n```\n\nAssign a role to a user\n```shell\nsecurity:rbac:user:assign-role\n```\n\nThese commands are interactive.\n\n## 
Twig\n\nTest if the user has a role:\n```twig\n{% if hasRole('/the/role') %}\n...\n{% endif %}\n```\n\nTest if the user has a permission:\n```twig\n{% if hasPermission('/the/permission') %}\n...\n{% endif %}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Folivier127%2Frbac-bundle","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Folivier127%2Frbac-bundle","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Folivier127%2Frbac-bundle/lists"}
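The provisioning procedure the README above spreads over four snippets (build the permission tree, build the role tree, grant permissions to roles, attach a role to a user, then check the result with `Rbac`) as one complete Symfony console command. This is an added example written for this page, not code from the rbac-bundle project. It uses only the bundle calls the README shows (`PermissionManager::addPath`, `RoleManager::addPath`, `getPathId`, `getNode`, `assignPermission`, `UserRoleTrait::addRbacRole`, `Rbac::hasPermission`), with constructor injection instead of `$this->container->get()`. Assumptions: `App\Repository\UserRepository` with `find()` and `add($user, true)` exists in your application (the README relies on the same two methods), `security:rbac:install` has already created the root node, and the trees are otherwise empty, since the README does not say how `addPath` behaves when the path already exists.

```php
<?php
// src/Command/RbacSeedCommand.php -- added example for this page, not part of rbac-bundle

namespace App\Command;

use App\Repository\UserRepository;   // assumed: your application's user repository
use PhpRbacBundle\Core\PermissionManager;
use PhpRbacBundle\Core\Rbac;
use PhpRbacBundle\Core\RoleManager;
use Symfony\Component\Console\Attribute\AsCommand;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Style\SymfonyStyle;

#[AsCommand(name: 'app:rbac:seed', description: 'Create the notepad permissions and the editor/reviewer roles, assign one role to a user, and show what that user may do')]
final class RbacSeedCommand extends Command
{
    /** Leaf permissions used by the README's TodolistController; addPath creates the missing parents. */
    private const PERMISSIONS = [
        '/notepad/todolist/read'  => ['notepad' => 'Notepad', 'todolist' => 'Todo list', 'read' => 'Read access'],
        '/notepad/todolist/write' => ['notepad' => 'Notepad', 'todolist' => 'Todo list', 'write' => 'Write access'],
    ];
    /** Grants per role, exactly as in the README: a grant on a node implies every permission below it. */
    private const ROLE_GRANTS = [
        '/editor'          => ['/notepad'],
        '/editor/reviewer' => ['/notepad/todolist/read', '/notepad/todolist/write'],
    ];

    public function __construct(
        private readonly PermissionManager $permissions,
        private readonly RoleManager $roles,
        private readonly Rbac $rbac,
        private readonly UserRepository $users,
    ) {
        parent::__construct();
    }

    protected function configure(): void
    {
        $this
            ->addArgument('user-id', InputArgument::REQUIRED, 'Id of the user who receives the role')
            ->addOption('role', null, InputOption::VALUE_REQUIRED, 'Role path to assign', '/editor/reviewer');
    }

    protected function execute(InputInterface $input, OutputInterface $output): int
    {
        $io = new SymfonyStyle($input, $output);
        $userId = (int) $input->getArgument('user-id');
        $rolePath = (string) $input->getOption('role');

        // Fail closed on anything outside the two roles this command knows how to grant.
        if (!isset(self::ROLE_GRANTS[$rolePath])) {
            $io->error(sprintf('Unknown role "%s"; expected one of %s', $rolePath, implode(', ', array_keys(self::ROLE_GRANTS))));
            return Command::INVALID;
        }
        $user = $this->users->find($userId);
        if (null === $user) {
            $io->error(sprintf('No user with id %d', $userId));
            return Command::FAILURE;
        }

        // 1. Permission tree below the root '/' created by security:rbac:install.
        foreach (self::PERMISSIONS as $path => $labels) {
            $this->permissions->addPath($path, $labels);
        }
        // 2. Role tree, then the grants; getPathId/getNode resolve a path to its node.
        $this->roles->addPath('/editor/reviewer', ['editor' => 'Editor', 'reviewer' => 'Reviewer']);
        foreach (self::ROLE_GRANTS as $path => $grants) {
            $role = $this->roles->getNode($this->roles->getPathId($path));
            foreach ($grants as $permissionPath) {
                $this->roles->assignPermission($role, $permissionPath);
            }
        }
        // 3. Attach the chosen role node to the user (addRbacRole comes from UserRoleTrait) and persist.
        $user->addRbacRole($this->roles->getNode($this->roles->getPathId($rolePath)));
        $this->users->add($user, true);   // assumed repository method: persist + flush

        // 4. Verify, including the paths the user must NOT hold.
        $rows = [];
        foreach ($this->checkAccess($userId) as $path => $granted) {
            $rows[] = [$path, $granted ? 'yes' : 'no'];
        }
        $io->table(['permission path', 'granted to user '.$userId], $rows);

        return Command::SUCCESS;
    }

    /** @return array<string, bool> permission path => whether the user holds it, directly or via a parent node */
    private function checkAccess(int $userId): array
    {
        $result = [];
        foreach (['/notepad/todolist/read', '/notepad/todolist/write', '/notepad/todolist', '/notepad'] as $path) {
            $result[$path] = $this->rbac->hasPermission($path, $userId);
        }
        return $result;
    }
}
```

Run it as `php bin/console app:rbac:seed 42 --role=/editor/reviewer`. From the hierarchy the README describes, the reviewer should show `yes` only for `/notepad/todolist/read` and `/notepad/todolist/write` and `no` for `/notepad/todolist` and `/notepad`, which is exactly why a reviewer cannot reach the `delete` action guarded by `#[RBAC\IsGranted('/notepad/todolist')]`; with `--role=/editor` all four rows should be `yes`, because the grant on `/notepad` covers every node beneath it. Any other table means the grants are wrong, so this check is worth re-running whenever the tree changes.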