A flexible authorization component.

Add Authorizable to your `composer.json` file:

```json
"require": {
    "joshuajabbour/authorizable": "dev-master"
}
```

And install:

```shell
composer update
```
In order to use Authorizable with Laravel, it must be added to the `'providers'` array in `app/config/app.php`:

```php
'providers' => array(
    'JoshuaJabbour\Authorizable\Laravel\AuthorizableServiceProvider',
),
```
Optionally, add the facade alias to the `'aliases'` array in `app/config/app.php`:

```php
'aliases' => array(
    'Authorizable' => 'JoshuaJabbour\Authorizable\Laravel\Facades\Authorizable',
),
```
Publish the default configuration file to `app/config/packages/joshuajabbour/authorizable`:

```shell
php artisan config:publish joshuajabbour/authorizable
```
The configuration file includes an `initialize` function, which is called with the Authorizable manager and can be used to set up rules.

```php
<?php
// app/config/packages/joshuajabbour/authorizable

return array(

    'initialize' => function ($authorizable) {
        $user_model         = Config::get('auth.model', 'User');
        $authenticated_user = $authorizable->getUser(); // null for anonymous visitors

        // Any user can view user accounts.
        $authorizable->allow('show', $user_model);

        // Only anonymous users can create accounts.
        if (! $authenticated_user) {
            $authorizable->allow('create', $user_model);
        }

        // Authenticated users can update or delete their own accounts.
        $authorizable->allow(['update', 'destroy'], $user_model, function ($user) {
            // Within conditions, `$this` is the active Authorizable\Manager instance.
            return $this->getUser()->id == $user->id;
        });
    },

);
```
There are a few basic methods to be aware of in order to utilize Authorizable.

Create a rule that will allow access to a specified resource:

```php
// Any user can view any article.
Authorizable::allow('read', 'Article');

// Authenticated users can update their own articles.
Authorizable::allow('update', 'Article', function ($article) {
    return $this->getUser()->id == $article->user_id;
});
```
Create a rule that will deny access to a specified resource:

```php
// No user can create articles.
Authorizable::deny('create', 'Article');

// Authenticated users cannot delete articles unless they are admin users.
Authorizable::deny('delete', 'Article', function ($article) {
    return ! $this->getUser()->is_admin;
});

// This rule could also have been written as an allow rule. Note, however,
// that an access check made with a class name rather than an object
// instance (e.g. `Authorizable::can('delete', 'Article')`) does not
// evaluate the conditional function and always returns true, so the
// allow form below would grant a class-level delete check to every user.
Authorizable::allow('delete', 'Article', function ($article) {
    return $this->getUser()->is_admin;
});

// Finally, in some cases the access check can be done before declaring
// a rule, which can make for less code to evaluate. However, this
// eliminates the ability to check for access with users that are not
// the primary, authenticated user.
$authenticated_user = Authorizable::getUser(); // null for anonymous visitors
if ($authenticated_user && $authenticated_user->is_admin) {
    Authorizable::allow('delete', 'Article');
}
```
Check if a user can perform an action on a resource:

```php
Authorizable::can('update', $article);
```

Check if a user cannot perform an action on a resource:

```php
Authorizable::cannot('create', 'Article');
```

Check if a user can perform any of the actions on a resource:

```php
Authorizable::canAny(['update', 'delete'], $article);
```

Check if a user can perform all of the actions on a resource:

```php
Authorizable::canAll(['update', 'delete'], $article);
```
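The following controller shows how the methods above fit together in a Laravel 4 application. It is an added example, not code from the Authorizable project; it assumes an Eloquent `Article` model with a `user_id` column, a user model with an `is_admin` attribute, the `Authorizable` facade alias registered as described above, and the rules declared in the `allow`/`deny` examples. The important distinction is which checks are made against a class name and which against a loaded instance: only instance checks evaluate the condition closures, so anything that depends on ownership or an admin flag is checked on the instance.

```php
<?php
// app/controllers/ArticleController.php (added example, not from the project)

class ArticleController extends BaseController
{
    // Class-level check: no instance exists yet, so only unconditional rules
    // are meaningful here (a conditional allow rule would pass for everyone).
    public function create()
    {
        if (Authorizable::cannot('create', 'Article')) {
            App::abort(403);
        }

        return View::make('articles.create');
    }

    // Instance-level check: the condition closure receives the loaded
    // $article, so the ownership test (user id == article.user_id) runs.
    public function update($id)
    {
        $article = Article::findOrFail($id);

        if (Authorizable::cannot('update', $article)) {
            App::abort(403);
        }

        $article->fill(Input::only('title', 'body'));
        $article->save();

        return Redirect::route('articles.show', $article->id);
    }

    // Deletion is governed by a deny rule with a condition; checking against
    // the instance ensures the "not an admin" condition is actually evaluated.
    public function destroy($id)
    {
        $article = Article::findOrFail($id);

        if (Authorizable::cannot('delete', $article)) {
            App::abort(403);
        }

        $article->delete();

        return Redirect::route('articles.index');
    }

    // When rendering a page, compute the combined checks on the instance so
    // the view only offers controls for actions the current user may perform.
    public function show($id)
    {
        $article = Article::findOrFail($id);

        if (Authorizable::cannot('read', $article)) {
            App::abort(403);
        }

        return View::make('articles.show', array(
            'article'        => $article,
            'canModify'      => Authorizable::canAny(array('update', 'delete'), $article),
            'canFullyManage' => Authorizable::canAll(array('update', 'delete'), $article),
        ));
    }
}
```

The checks are made in the controller rather than only in the view, since hiding a button is not an access control; the `show` action computes `canModify` and `canFullyManage` purely for presentation, and each mutating action re-checks against the loaded instance before changing anything.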
Authorizable is heavily inspired by Authority, AuthorityController, Authorize, CanCan, and other related packages. It works in a similar fashion to Authority, but differs in a few key ways:

- no alias support for actions
- altered condition method signature
- multiple methods have been renamed

If these features aren't being used, Authorizable should be a drop-in replacement for Authority. Aliasing the facade to `Authority` should allow usage without changing any authorization checks within the application.