btaens/cakephp-hier-auth
========================

A CakePHP plugin for hierarchical, role based, simple authorization.

Version 1.0.2 · MIT · PHP >=5.4.16 · [Source](https://github.com/btaens/cakephp-hier-auth) · [Packagist](https://packagist.org/packages/btaens/cakephp-hier-auth) · [1 issue](https://github.com/btaens/cakephp-hier-auth/issues)

CakePHP HierAuth Plugin
=======================


HierAuth is a simple, hierarchical ACL authorization plugin for CakePHP 3. You can grant and deny access based on roles, and create virtual ones to include sub-roles.

Installing
----------


Using composer, install the plugin:

```
composer require btaens/cakephp-hier-auth
```

Insert the following line into your `config/bootstrap.php` file:

```
Plugin::load('HierAuth');
```

Setup
-----


Load and configure HierAuth through AuthComponent:

```
$this->loadComponent('Auth', [
    'authorize' => [
        'HierAuth.Hier' => [
            'hierarchyFile' => 'hierarchy.yml',
            'aclFile' => 'acl.yml',
            'roleColumn' => false,
            'roleKeys' => [
                'roles' => [
                    'multi' => true,
                    'column' => 'label',
                ],
            ],
        ],
    ],
]);
```

### Hierarchy and ACL


`hierarchyFile` is a [YAML](http://yaml.org) file in which you will define the hierarchy of your roles. Put this in your `config` directory. The basic structure of it is the following:

```
hierarchy:
   ROOT:
       - DEVELOPER
       - OWNER
   MODERATOR:
       - FINANCE
       - LABOR
   ADMIN:
       - "@MODERATOR"
       - SALES
       - CONTACT
   USER:
       - MEMBER
```

Here you have defined a ROOT role. ROOT doesn't necessarily have to be an actual role your users have; however, any user with the role DEVELOPER or OWNER will be granted access to any route that ROOT has access to.

ADMIN also includes `@MODERATOR`. This means that all roles in MODERATOR will have all the access (or deny) rights of ADMIN. You can do this recursively as well (up to a depth of 10), so one role could include another, which in turn could also include another.

Not every role needs to be written into your hierarchy file. If you don't need to set up a hierarchy for a role, leave it out; you can still grant and deny access to roles not listed here.

You can also include existing roles, and give them the access rights of other existing roles:

```
hierarchy:
    SALES:
        - CONTACT
```

In this case, all your users with the CONTACT role would get all the access rights of your SALES role.

`aclFile` is a [YAML](http://yaml.org) file in which you will grant or deny access to your routes. Put this in your `config` directory. The basic structure is the following:

```
controllers:
    ALL: [ROOT, ADMIN]
    Posts:
        ALL: [MODERATOR, -ADMIN, CONTACT]
        index: [USER, NEWBIE]
```

The controllers you wish to define access rights for sit under a `controllers` key. The `ALL` key (all caps) defines access to all sub-members: the one directly under `controllers` applies to all controllers, and the ones under the individual controllers apply to all of that controller's actions (even the ones not listed).

According to this example, ROOT and ADMIN are by default granted access to all controllers and actions (even the ones not listed).

All actions of Posts are accessible to MODERATOR; however, all actions in Posts are denied to ADMIN (`-` signifies access denial), except for CONTACT, which is granted access as well. From this you can see that order matters: `[CONTACT, -ADMIN]` would have meant CONTACT is denied, because that role is later set to denied as part of ADMIN, whereas `[-ADMIN, CONTACT]` grants access to CONTACT, because access is first denied to all roles in ADMIN and then granted to CONTACT.
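The ordering rule above, modelled as an added example (not the plugin's own code): the README's hierarchy is written as a PHP array, a role is assumed to cover itself plus its members, and a role no entry mentions is assumed denied. `expandRole`, `evaluateRules` and `isGranted` are hypothetical names.

```php
<?php
// Added illustration of the README's rules; not HierAuth's implementation.
const MAX_DEPTH = 10; // README: includes resolve recursively "up to 10 depth"
// The README's hierarchy.yml, written as the equivalent PHP array.
$hierarchy = [
    'ROOT'      => ['DEVELOPER', 'OWNER'],
    'MODERATOR' => ['FINANCE', 'LABOR'],
    'ADMIN'     => ['@MODERATOR', 'SALES', 'CONTACT'],
    'USER'      => ['MEMBER'],
];

// Roles covered by $role: itself (assumption) plus members, following @includes.
function expandRole(string $role, array $hierarchy, int $depth = 0): array
{
    if ($depth > MAX_DEPTH) {
        throw new RuntimeException("Include depth exceeded at {$role}");
    }
    $covered = [$role];
    foreach ($hierarchy[$role] ?? [] as $member) {
        $covered = array_merge($covered, $member[0] === '@'
            ? expandRole(substr($member, 1), $hierarchy, $depth + 1)
            : [$member]);
    }
    return array_values(array_unique($covered));
}

// Apply one ACL list left to right; a later entry overrides an earlier one.
function evaluateRules(array $rules, array $hierarchy): array
{
    $decision = []; // role label => true (granted) or false (denied)
    foreach ($rules as $rule) {
        $deny = $rule[0] === '-';
        $role = $deny ? substr($rule, 1) : $rule;
        foreach (expandRole($role, $hierarchy) as $covered) {
            $decision[$covered] = !$deny;
        }
    }
    return $decision;
}

// Assumption: a role that no entry mentions is denied.
function isGranted(string $userRole, array $rules, array $hierarchy): bool
{
    return evaluateRules($rules, $hierarchy)[$userRole] ?? false;
}

// The two orderings the README contrasts, checked for a CONTACT user.
foreach ([['-ADMIN', 'CONTACT'], ['CONTACT', '-ADMIN']] as $rules) {
    echo implode(', ', $rules), ': ', var_export(isGranted('CONTACT', $rules, $hierarchy), true), "\n";
}
```

Comparing the map returned by `evaluateRules` before and after reordering an `acl.yml` entry shows every role whose state changes, not only the one you were looking at.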

### Table setup


HierAuth can get your user's roles from multiple tables, all of which can be associated through hasMany or hasAndBelongsToMany, or even a column of the User table itself, as a JSON field.

If you're using a column of your users table for your users' role setup, you'll have to save the roles JSON-encoded, or return them in the form of an array through dataType manipulation (so a user with DEVELOPER and MEMBER roles would have, say, a roles column with a value of `["DEVELOPER","MEMBER"]`). Then you'd set `roleColumn` in the above config to be the name of the column: `'roleColumn' => 'roles'`.

A more recommended way, however, is to store your roles in a separate table and associate it with your users table. Pass in the associations you'd like to use in the `roleKeys` config key, in the following manner:

```
'roleKeys' => [
    'roles' => [
        'multi' => true,
        'column' => 'label',
    ],
    'right' => [
        'multi' => false,
        'column' => 'label',
    ],
],
```

For each association, you have to state whether the user has multiple or single ones through the `multi` key, which is either true or false. The `column` key is the column in the table from which HierAuth reads the role's label (the one you write in your ACL and hierarchy configuration). This can be 'id'; however, a more verbose unique column is recommended for readability and maintainability: if you later move your database and the role table happens to start with a different id, you would have to rewrite your entire ACL roles configuration.

Whichever associations you choose to define, you also have to make sure they get saved in the session when the user logs in through whichever authentication method you use. You will need to write a custom finder method to ensure the correct data is contained.

```
$this->loadComponent('Auth', [
    'authenticate' => [
        'Form' => [
            'finder' => 'AuthUser'
        ],
    ],
]);
```

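```
// In your UsersTable; the import goes at the top of the file
use Cake\ORM\Query;

// Custom finder used by the Form authenticator above. It contains the
// associations named in roleKeys so they are stored in the session on login.
public function findAuthUser(Query $query, $options)
{
    $query->contain([
        'Roles',
        'Rights'
    ]);
    return $query;
}
```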

### Requirements

- PHP >= 5.4.16
- CakePHP >= 3.0
- Symfony/YAML >= 2.6

### Future plans


- Create a component to check whether a user's role passes a certain super-role
- Create a helper as above

Inspired by dereuromark's [TinyAuth](https://github.com/dereuromark/cakephp-tinyauth).
