2017 © Pedro Peláez
 

library authorization-required

A simple and efficient authorization manager for the Laravel framework


orottier/authorization-required

A simple and efficient authorization manager for the Laravel framework

  • Thursday, December 1, 2016
  • by otto
  • Repository
  • 1 Watchers
  • 0 Stars
  • 548 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 0 Forks
  • 0 Open issues
  • 6 Versions
  • 8 % Grown

The README.md

AuthorizationRequired

A simple and efficient authorization package for the Laravel framework.

What this package can and cannot do

This package uses the available Eloquent hooks to impose rules for reading and writing your Models. No more, no less.

Will protect:

  • Read access & creation of new models
  • Updates and deletes of models, invoked on the model itself

Will not protect:

  • Raw queries: DB::table('users')->delete()
  • Mass updates and deletes: User::where('role', 'admin')->delete()

Please note the fundamental difference between

✅ User::find(12)->delete(); // Invokes delete on the User Model
❌ User::where('id', 12)->delete(); // Invokes delete on the Eloquent Builder
❌ DB::table('users')->where('id', 12)->delete(); // Invokes delete on the Query Builder
❌ DB::delete("DELETE FROM `users` WHERE `id` = 12"); // Executes a raw query

This package only guards deletes/updates of the first type. The latter three will pass no matter what rules you impose, so audit your code base for builder-level and raw writes against protected tables before relying on the policy alone.
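Where the application genuinely needs to remove many rows at once, the way to keep the package's guards in play is to load the models and call delete on each instance, so the Eloquent hooks fire per row. The helper below is an added example, not part of this package; it assumes Laravel's chunkById (Laravel 5.3 and later) and a caller that wraps the call in DB::transaction() if partial deletion must not be left behind.

```php
<?php

use Illuminate\Database\Eloquent\Builder;

/**
 * Delete every model matched by $query through the model instance, so the
 * Eloquent deleting/deleted hooks (and with them the package's
 * DeletePermissionException) fire for each row instead of being skipped by a
 * builder-level delete. Because $query is read through the model, the read
 * scope applies as for any other read: rows the current user cannot see are
 * never loaded, let alone deleted.
 *
 * Added example, not part of the package. Assumes Laravel >= 5.3 (chunkById).
 */
function deleteEachGuarded(Builder $query, $chunkSize = 200)
{
    $deleted = 0;

    // chunkById pages by primary key rather than by offset, which stays
    // correct while rows are being removed from under the iteration.
    $query->chunkById($chunkSize, function ($models) use (&$deleted) {
        foreach ($models as $model) {
            // Throws on the first row the delete policy rejects; rows deleted
            // earlier in this call stay deleted unless the caller opened a
            // transaction around deleteEachGuarded().
            $model->delete();
            $deleted++;
        }
    });

    return $deleted;
}

// Usage (hypothetical): the mass delete from the README, routed through the hooks.
//
// $count = DB::transaction(function () {
//     return deleteEachGuarded(User::where('role', 'admin'));
// });
```

The transaction matters: with the policy enforced per row, a rejected row in the middle of the set raises an exception, and without the transaction the rows processed before it remain deleted.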

Installation via Composer

Note: this package can only be used in combination with the Laravel framework.

Use Composer to add AuthorizationRequired to your project:

composer require orottier/authorization-required
# (use version `1.*` for Laravel `5.2` and lower)
# (use version `2.*` for Laravel `5.3` and above)

How it works

The Laravel models you want to protect should include the AuthorizationRequired trait and should have an authorization policy defined for the create, update and delete actions.

The following method is placed on your model:

public static function authorizationReadScope(\Illuminate\Database\Eloquent\Builder $query);

Use this query scope to limit the read access of your model. Together with the authorization policy, it defines the rules for reading, updating, creating and deleting the model.

Read behaviour

Calling Model::find will simply yield null if the rules prevent the object from being seen (as if it did not exist). Model::findOrFail throws a ModelNotFoundException in the same case, which Laravel's default exception handler renders as a 404 response, so prefer findOrFail in controllers over dereferencing the result of find.

Write behaviour (update, create, delete)

If your policy rules forbid writing the model, an AuthorizationRequired\PermissionException is thrown. Specifically: UpdatePermissionException, CreatePermissionException and DeletePermissionException. Your application can convert this into a nice 403 page using the render method of App\Exceptions\Handler.

Note that by Laravel's defaults, a missing policy method denies the operation. Also, there must be a logged-in user for any of the policies to be accepted: unauthenticated requests are denied regardless of what the policy says.
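One way to do that conversion, as an added example rather than code shipped with the package. It assumes a Laravel 5.3+ application (for $request->expectsJson()) and an existing resources/views/errors/403.blade.php view; the base class AuthorizationRequired\PermissionException is the one named above, and the three specific exceptions are assumed to extend it.

```php
<?php

namespace App\Exceptions;

use Exception;
use AuthorizationRequired\PermissionException;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class Handler extends ExceptionHandler
{
    // Laravel reports every exception passed to report() unless listed here.
    // A denied write is an expected outcome, not an application error, so keep
    // it out of the error log; render() below records it at info level instead.
    protected $dontReport = [
        PermissionException::class,
    ];

    public function render($request, Exception $e)
    {
        // One check covers Create-, Update- and DeletePermissionException,
        // assuming they extend the base PermissionException.
        if ($e instanceof PermissionException) {
            // Audit trail: who was denied, doing what, from where.
            Log::info('Denied model write', [
                'exception' => get_class($e),
                'user_id'   => Auth::id(),
                'method'    => $request->method(),
                'path'      => $request->path(),
                'ip'        => $request->ip(),
            ]);

            // Do not echo $e->getMessage() to the client: it may name the
            // model and record involved, which is information the caller
            // was just refused.
            if ($request->expectsJson()) {
                return response()->json(['message' => 'Forbidden'], 403);
            }

            return response()->view('errors.403', [], 403);
        }

        return parent::render($request, $e);
    }
}
```

Returning 403 for both the HTML and the JSON branch keeps API clients from distinguishing "record exists but you may not write it" from any other refusal by status code alone; the read side already hides records the user may not see by answering 404.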

Example usage

To illustrate the usage of this package, we will put authorization rules on a simple application that allows users to post and modify blog items (referred to as Post).

To put authorization rules on an Eloquent model, include the AuthorizationRequired trait:

<?php

// ...

use AuthorizationRequired\AuthorizationRequired;

class Post extends Model
{
    use AuthorizationRequired;

    // ...

}

By default, all read and write access to posts is now denied, so your application will look very empty. We want users to view posts that are visible and published, and a user should of course be able to see, edit and delete all of their own posts, even the hidden ones.

Allow reading

Read access rules are written as a query scope. By defining the function authorizationReadScope we override the default 'deny all' behaviour:

<?php

// ...

use AuthorizationRequired\AuthorizationRequired;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Auth;

class Post extends Model
{
    use AuthorizationRequired;

    public static function authorizationReadScope(Builder $query)
    {
        // Super admins see everything.
        if (Auth::check() && Auth::user()->isSuperAdmin()) {
            return $query;
        }

        // Group the alternatives explicitly, so the OR cannot bind to constraints
        // the caller already placed on $query (such as a where('id', ...)) and
        // widen the result set instead of narrowing it.
        return $query->where(function ($q) {
            // Everyone may read posts that are published and not hidden ...
            $q->where('published_at', '<=', date('Y-m-d H:i:s'))
              ->where('hidden', false);

            // ... and a logged-in user may additionally read their own posts.
            // Only add this branch for authenticated users: orWhere('user_id', null)
            // compiles to "OR user_id IS NULL" and would expose ownerless rows to guests.
            if (Auth::check()) {
                $q->orWhere('user_id', Auth::id());
            }
        });
    }

    // ...

}

If you wish to impose no restrictions on read access, simply pass the query unaltered:

public static function authorizationReadScope(Builder $query)
{
    return $query;
}

Allow editing

Update/Create/Delete rules should be defined as an authorization policy, registered for the model in the $policies array of App\Providers\AuthServiceProvider.

<?php

namespace App\Policies;

use App\User;
use App\Post;

class PostPolicy
{
    // Laravel only calls a policy method for an authenticated user (see above),
    // so $user is never null here. The owner and super admins may update.
    // Cast before the strict comparison: some PDO drivers return integer
    // columns as strings, and a silent type mismatch would deny every owner.
    public function update(User $user, Post $post)
    {
        return (int) $post->user_id === (int) $user->id || $user->isSuperAdmin();
    }

All users can create a post:

public function create(User $user)
{
    return true;
}

We will set the rules for deleting a post equal to the rules for editing the post:

public function delete(User $user, Post $post)
{
    return $this->update($user, $post);
}

} // closes class PostPolicy, begun above

That's it!
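The behaviour this README describes (scoped reads, write exceptions, and the builder-level bypass listed under "Will not protect") is worth pinning down in a feature test so a later refactor cannot silently widen access. The test below is an added example, not part of the package. It assumes a Laravel 5.4+ test layout (Tests\TestCase), model factories for App\User and App\Post, a posts table with the user_id, hidden and published_at columns used above, the Post model and PostPolicy from this README, and the policy registered in App\Providers\AuthServiceProvider.

```php
<?php

namespace Tests\Feature;

use App\Post;
use App\User;
use AuthorizationRequired\PermissionException;
use Carbon\Carbon;
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Support\Facades\DB;
use Tests\TestCase;

class PostAuthorizationTest extends TestCase
{
    use DatabaseTransactions;

    /** A post by $author that was published yesterday (factories assumed to exist). */
    private function publishedPost(User $author, $hidden = false)
    {
        return factory(Post::class)->create([
            'user_id'      => $author->id,
            'hidden'       => $hidden,
            'published_at' => Carbon::now()->subDay(),
        ]);
    }

    public function testReadScopeHidesOtherPeoplesHiddenPosts()
    {
        $author = factory(User::class)->create();
        $reader = factory(User::class)->create();
        $hidden = $this->publishedPost($author, true);

        // Guest: scoped out, find() behaves as if the row did not exist.
        $this->assertNull(Post::find($hidden->id));

        // Unrelated logged-in user: same.
        $this->actingAs($reader);
        $this->assertNull(Post::find($hidden->id));

        // Owner: may see their own hidden post.
        $this->actingAs($author);
        $this->assertNotNull(Post::find($hidden->id));
    }

    public function testNonOwnerUpdateThrowsPermissionException()
    {
        $author = factory(User::class)->create();
        $other  = factory(User::class)->create();
        $post   = $this->publishedPost($author);

        $this->actingAs($other);
        // The README names UpdatePermissionException for this case; asserting on
        // the base class avoids assuming its exact namespace.
        $this->expectException(PermissionException::class);
        $post = Post::findOrFail($post->id);
        $post->hidden = true;
        $post->save();
    }

    public function testBuilderDeleteBypassesTheGuard()
    {
        // Pins down the documented limitation so nobody relies on the package for it.
        $author = factory(User::class)->create();
        $other  = factory(User::class)->create();
        $post   = $this->publishedPost($author);

        $this->actingAs($other);

        // Model-level delete: guarded, throws, row survives.
        try {
            Post::findOrFail($post->id)->delete();
            $this->fail('Expected a PermissionException for a model-level delete');
        } catch (PermissionException $e) {
            $this->assertTrue(DB::table('posts')->where('id', $post->id)->exists());
        }

        // Builder-level delete: NOT guarded, the row is gone.
        Post::where('id', $post->id)->delete();
        $this->assertFalse(DB::table('posts')->where('id', $post->id)->exists());
    }
}
```

The third test is deliberately green while the bypass exists: it documents the gap. If you later route mass deletes through model instances (or add a guard elsewhere), flip its final assertion so the suite starts enforcing the stronger behaviour.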

The Versions

All versions are by otto, MIT licensed, require php >=5.3.0, and declare no development requirements.

  • 01/12 2016: dev-master (9999999-dev)
  • 01/12 2016: 2.0.3 (2.0.3.0)
  • 30/11 2016: 2.0.2 (2.0.2.0)
  • 15/10 2016: 2.0.1 (2.0.1.0)
  • 12/10 2016: 2.0.0 (2.0.0.0)
  • 30/06 2016: 1.0.0 (1.0.0.0)