Examples

The following is a list of common use-case examples for Zend\Permissions\Rbac.

Roles

Extending and adding roles via instantiation.

 <?php
 use Zend\Permissions\Rbac\Rbac;
 use Zend\Permissions\Rbac\AbstractRole;

 /**
  * Application-specific role type built on AbstractRole.
  *
  * The body is left as a placeholder in this example; the instance created
  * from it is registered with the Rbac container like any other role.
  */
 class MyRole extends AbstractRole
 {
     // .. implementation
 }

 // Build the role object by hand, then register it with the container.
 $rbac = new Rbac();
 $foo  = new MyRole('foo');
 $rbac->addRole($foo);

 // The container now knows the role under its name.
 $isRegistered = $rbac->hasRole('foo');
 var_dump($isRegistered); // true

Adding roles directly to RBAC with the default Zend\Permissions\Rbac\Role.

 <?php
 use Zend\Permissions\Rbac\Rbac;

 // Passing a plain name registers the role without building a role object first.
 $rbac = new Rbac();
 $rbac->addRole('foo');

 $isRegistered = $rbac->hasRole('foo');
 var_dump($isRegistered); // true

Handling roles with children.

 <?php
 use Zend\Permissions\Rbac\Rbac;
 use Zend\Permissions\Rbac\Role;

 $bar  = new Role('bar');
 $foo  = new Role('foo');
 $rbac = new Rbac();

 // Variant 1: link the Role objects to each other, then register the top one.
 $foo->addChild($bar);
 $rbac->addRole($foo);

 // Variant 2: the same kind of hierarchy, built by the container from role names.
 $rbac->addRole('boo', 'baz'); // baz is a parent of boo
 $parentsOfBaz = array('out', 'of', 'roles');
 $rbac->addRole('baz', $parentsOfBaz); // create several parents of baz

 // NOTE(review): this example does not show which side of a parent/child link
 // inherits the other's permissions - confirm the direction for the library
 // version in use before modelling privileged roles as parents or children.

Permissions

 <?php
 use Zend\Permissions\Rbac\Rbac;
 use Zend\Permissions\Rbac\Role;

 $rbac = new Rbac();

 // Grant 'bar' on the role object before it is registered.
 $foo = new Role('foo');
 $foo->addPermission('bar');

 $fooHasBar = $foo->hasPermission('bar');
 var_dump($fooHasBar); // true

 $rbac->addRole($foo);
 $rbac->isGranted('foo', 'bar'); // true
 $rbac->isGranted('foo', 'baz'); // false

 // A permission can also be granted after registration, via the container's copy of the role.
 $registered = $rbac->getRole('foo');
 $registered->addPermission('baz');
 $rbac->isGranted('foo', 'baz'); // true

Dynamic Assertions

Checking permission using isGranted() with a class implementing Zend\Permissions\Rbac\AssertionInterface.

 <?php
 use Zend\Permissions\Rbac\AssertionInterface;
 use Zend\Permissions\Rbac\Rbac;

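 /**
  * Ownership assertion: passes only when the article under test belongs to
  * the user this assertion was created for.
  *
  * The assertion is stateful. Call setArticle() with the article that is
  * about to be acted on before every isGranted() check; otherwise the check
  * is evaluated against whichever article was set last.
  */
 class AssertUserIdMatches implements AssertionInterface
 {
     /** @var int|string|null Id of the user the check is performed for. */
     protected $userId;

     /** @var object|null Article under test; must expose getUserId(). */
     protected $article;

     /**
      * @param int|string $userId Id of the user requesting access.
      */
     public function __construct($userId)
     {
         $this->userId = $userId;
     }

     /**
      * Select the article the next assert() call is evaluated against.
      *
      * @param object $article Article exposing getUserId().
      */
     public function setArticle($article)
     {
         $this->article = $article;
     }

     /**
      * @param Rbac $rbac Container performing the check (not used here).
      * @return bool True only when both ids are known and identical.
      */
     public function assert(Rbac $rbac)
     {
         // Fail closed: no article selected means nothing can be owned.
         if (!$this->article) {
             return false;
         }

         // Read the owner from the stored article; a bare $article is undefined in this scope.
         $ownerId = $this->article->getUserId();

         // Fail closed when either identity is missing, so that two unset
         // ids (null on both sides) are never treated as a match.
         if ($this->userId === null || $ownerId === null) {
             return false;
         }

         // Compare the string forms strictly: int 5 and string '5' still
         // match, but PHP's loose-comparison type juggling cannot turn
         // unrelated values into a grant.
         return (string) $this->userId === (string) $ownerId;
     }
 }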

 // Scenario for this example:
 //   - the current user has id 5 and is assigned the foo role
 //   - the news article belongs to userId 5
 //   - the jazz article belongs to userId 6

 $rbac = new Rbac();
 $user = $mySessionObject->getUser();
 $news = $articleService->getArticle(5);
 $jazz = $articleService->getArticle(6);

 // Register the user's role and give that role the 'edit.article' permission.
 $rbac->addRole($user->getRole());
 $rbac->getRole($user->getRole())->addPermission('edit.article');

 // Bind the assertion to the current user, then point it at the news article.
 $assertion = new AssertUserIdMatches($user->getId());
 $assertion->setArticle($news);

 // true always - bad! Without an assertion only the role's permission is
 // checked; nothing ties the decision to the article being edited.
 if ($rbac->isGranted($user->getRole(), 'edit.article')) {
     // would let the user edit another user's article
 }

 // true for user id 5: the role holds 'edit.article' and the assertion's
 // user id matches the owner of the news article
 if ($rbac->isGranted($user->getRole(), 'edit.article', $assertion)) {
     // edits his own article
 }

 // Re-point the assertion at the jazz article before checking again.
 $assertion->setArticle($jazz);

 // false for user id 5: the jazz article belongs to userId 6
 if ($rbac->isGranted($user->getRole(), 'edit.article', $assertion)) {
     // can not edit another user's article
 }

Performing the same as above with a Closure.

<?php
// assume same variables from previous example

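// Ownership check as a closure. $user and $news are captured when the closure
// is created, so it only ever answers for that user and that article; build a
// new closure for each article that needs checking.
$assertion = function($rbac) use ($user, $news) {
    $userId  = $user->getId();
    $ownerId = $news->getUserId();

    // Fail closed when either identity is missing, so that two unset ids
    // (null on both sides) are never treated as a match.
    if ($userId === null || $ownerId === null) {
        return false;
    }

    // Strict comparison of the string forms: int 5 and string '5' still
    // match, but loose-comparison type juggling cannot produce a grant.
    return (string) $userId === (string) $ownerId;
};

// true
if ($rbac->isGranted($user->getRole(), 'edit.article', $assertion)) {
    // edits his own article
}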