PHPackages                             klsoft/yii3-authz - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. klsoft/yii3-authz

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

klsoft/yii3-authz
=================

The package provides Yii 3 authorization middleware that uses Yii RBAC

1.1.0(4mo ago)0301MITPHPPHP &gt;=8.1

Since Feb 8Pushed 4mo agoCompare

[ Source](https://github.com/klsoft-web/yii3-authz)[ Packagist](https://packagist.org/packages/klsoft/yii3-authz)[ Docs](https://github.com/klsoft-web/yii3-authz)[ RSS](/packages/klsoft-yii3-authz/feed)WikiDiscussions main Synced today

READMEChangelog (2)Dependencies (9)Versions (3)Used By (1)

YII3-AUTHZ
==========

[](#yii3-authz)

The package provides [Yii 3](https://yii3.yiiframework.com) authorization middleware that uses Yii RBAC. It is intended for use with web applications. For authorization of a RESTful web service, use the [YII3-KEYCLOAK-AUTHZ](https://github.com/klsoft-web/yii3-keycloak-authz) package instead.

Requirement
-----------

[](#requirement)

- PHP 8.1 or higher.

Installation
------------

[](#installation)

```
composer require klsoft/yii3-authz
```

How to use
----------

[](#how-to-use)

### 1. Configure Authentication

[](#1-configure-authentication)

Example:

```
use Yiisoft\Session\Session;
use Yiisoft\Session\SessionInterface;
use Yiisoft\Auth\IdentityRepositoryInterface;
use Yiisoft\Definitions\Reference;
use Yiisoft\Auth\AuthenticationMethodInterface;
use Yiisoft\User\Method\WebAuth;

return [
    // ...
    SessionInterface::class => [
        'class' => Session::class,
        '__construct()' => [
            $params['session']['options'] ?? [],
            $params['session']['handler'] ?? null,
        ],
    ],
    IdentityRepositoryInterface::class => IdentityRepository::class,
    CurrentUser::class => [
        'withSession()' => [Reference::to(SessionInterface::class)]
    ],
    AuthenticationMethodInterface::class => WebAuth::class,
];
```

### 2. [Configure](https://yiisoft.github.io/docs/guide/security/authorization.html#configuring-rbac) RBAC

[](#2-configure-rbac)

### 3. Add the forbidden URL to param.php

[](#3-add-the-forbidden-url-to-paramphp)

Example:

```
return [
    'forbiddenUrl' => '/forbidden',
];
```

### 4. Configure Authorization

[](#4-configure-authorization)

Example:

```
use Klsoft\Yii3Authz\Middleware\Authorization;

return [
    // ...
    Authorization::class => [
        'class' => Authorization::class,
        '__construct()' => [
            'forbiddenUrl' => $params['forbiddenUrl']
        ],
    ],
];
```

### 5. Apply permissions.

[](#5-apply-permissions)

#### 5.1. To an action.

[](#51-to-an-action)

First, add Authorization to a route:

```
use Yiisoft\Auth\Middleware\Authentication;
use Klsoft\Yii3Authz\Middleware\Authorization;

Route::post('/post/create')
        ->middleware(Authentication::class)
        ->middleware(Authorization::class)
        ->action([PostController::class, 'create'])
        ->name('post/create')
```

Or to a group of routes:

```
use Yiisoft\Auth\Middleware\Authentication;
use Klsoft\Yii3Authz\Middleware\Authorization;

Group::create()
        ->middleware(Authentication::class)
        ->middleware(Authorization::class)
        ->routes(
            Route::post('/post/create')
                ->action([PostController::class, 'create'])
                ->name('post/create'),
            Route::put('/post/update/{id}')
                ->action([PostController::class, 'update'])
                ->name('post/update')
        )
```

Then, apply permissions to an action:

```
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Message\ResponseInterface;
use Klsoft\Yii3Authz\Permission;

final class PostController
{
    public function __construct(private PostPresenterInterface $postPresenter)
    {
    }

    #[Permission('createPost')]
    public function create(ServerRequestInterface $request): ResponseInterface
    {
        return $this->postPresenter->createPost($request);
    }
}
```

Example of an **OR** permission:

```
#[Permission('createPost|updatePost')]
public function edit(#[RouteArgument('id')] ?int $id = null, ServerRequestInterface $request): ResponseInterface
```

Example of a permission with an executing parameter value that would be passed to the rules associated with the roles:

```
#[Permission(
    'updatePost',
    ['post' => [
        '__container_entry_identifier',
        PostPresenterInterface::class,
        'getPost',
        ['__request']]
    ]
)]
public function update(#[RouteArgument('id')] int $id, ServerRequestInterface $request): ResponseInterface
```

#### 5.2. To a route.

[](#52-to-a-route)

First, define the set of permissions:

```
use Psr\Container\ContainerInterface;
use Klsoft\Yii3Authz\Middleware\Authorization;
use Klsoft\Yii3Authz\Permission;

'CreatePostPermission' => static function (ContainerInterface $container) {
        return $container
            ->get(Authorization::class)
            ->withPermissions([
                new Permission('createPost'])
            ]);
    }
```

Then, you can apply this set to a route:

```
use Yiisoft\Auth\Middleware\Authentication;

Route::post('/post/create')
        ->middleware(Authentication::class)
        ->middleware('CreatePostPermission')
        ->action([PostController::class, 'create'])
        ->name('post/create')
```

###  Health Score

36

—

LowBetter than 79% of packages

Maintenance77

Regular maintenance activity

Popularity8

Limited adoption so far

Community8

Small or concentrated contributor base

Maturity44

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~20 days

Total

2

Last Release

125d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/f4e8ac50e4ad22be84b07f4c06d28cf280d22f689c460cd385c556727e638827?d=identicon)[klsoft-web](/maintainers/klsoft-web)

---

Top Contributors

[![klsoft-web](https://avatars.githubusercontent.com/u/7967163?v=4)](https://github.com/klsoft-web "klsoft-web (2 commits)")

---

Tags

authorizationyii3middlewareauthorizationrbacauthorisationyii3

### Embed Badge

![Health badge](/badges/klsoft-yii3-authz/health.svg)

```
[![Health](https://phpackages.com/badges/klsoft-yii3-authz/health.svg)](https://phpackages.com/packages/klsoft-yii3-authz)
```

###  Alternatives

[cakephp/cakephp

The CakePHP framework

8.9k19.5M1.8k](/packages/cakephp-cakephp)[typo3/cms

TYPO3 CMS is a free open source Content Management Framework initially created by Kasper Skaarhoj and licensed under GNU/GPL.

1.2k1.9M122](/packages/typo3-cms)[tempest/framework

The PHP framework that gets out of your way.

2.2k34.4k15](/packages/tempest-framework)[typo3/cms-core

TYPO3 CMS Core

3713.2M5.1k](/packages/typo3-cms-core)[mcp/sdk

Model Context Protocol SDK for Client and Server applications in PHP

1.5k1.5M88](/packages/mcp-sdk)[thecodingmachine/graphqlite

Write your GraphQL queries in simple to write controllers (using webonyx/graphql-php).

5733.3M47](/packages/thecodingmachine-graphqlite)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
