nepada/security-annotations
===========================

Security annotations for Nette presenters and components.
[Source](https://github.com/nepada/security-annotations) · [Packagist](https://packagist.org/packages/nepada/security-annotations)

Security Annotations
====================


Installation
------------


Via Composer:

```
$ composer require nepada/security-annotations
```

Register the extension in `config.neon`:

```
extensions:
    securityAnnotations: Nepada\Bridges\SecurityAnnotationsDI\SecurityAnnotationsExtension
```

Usage
-----


This package builds on top of the standard access authorization of Nette components, namely the `Nette\Application\UI\Component::checkRequirements()` method. It is called before any component or presenter signal handler is invoked, and before the presenter `startup`, `action` and `render` methods.

With this package you can specify the access rules via attributes on any of the mentioned methods, or on the presenter class. To enable this feature, simply use the `SecurityAnnotations` trait in any presenter or component and make sure the `RequirementsChecker` service gets injected via `injectRequirementsChecker()`. With the default Nette configuration this works on presenters out of the box, but you need to take care of components yourself, e.g. by enabling inject calls.

**Example:**

```
use Nepada\SecurityAnnotations\Annotations\Allowed;
use Nepada\SecurityAnnotations\Annotations\LoggedIn;
use Nepada\SecurityAnnotations\Annotations\Role;

/**
 * To access this presenter the user must be logged in.
 */
#[LoggedIn]
class SecuredPresenter extends Nette\Application\UI\Presenter
{

    use Nepada\SecurityAnnotations\SecurityAnnotations;

    #[Role("admin", "superadmin")]
    public function actionForAdmins(): void
    {
        // Only users with role admin or superadmin are allowed here.
    }

    #[Allowed(resource: "world", privilege: "destroy")]
    public function handleDestroyWorld(): void
    {
        // Only users with specific permission are allowed to call this signal.
    }

}
```

The attributes and the rules they enforce are completely customizable (see below); the default setup, however, comes with three predefined rules:

- **LoggedIn** - checks whether the user is logged in.
- **Role("admin", "superadmin")** - checks whether the user has at least one of the specified roles. If you use `Nette\Security\Permission` as your authorizator, then role inheritance is taken into account, i.e. users that have at least one role that inherits from at least one of the specified roles are allowed as well.
- **Allowed(resource: "world", privilege: "destroy")** - checks whether the user has at least one role that is granted the specified privilege on the specified resource.

### Securing components


Properly securing components is a tricky business, take a look at the following example:

```
use Nepada\SecurityAnnotations\Annotations\LoggedIn;

class SecuredPresenter extends Nette\Application\UI\Presenter
{

    use Nepada\SecurityAnnotations\SecurityAnnotations;

    #[LoggedIn]
    public function actionDefault(): void
    {
        // ...
    }

    protected function createComponentForm(): Nette\Application\UI\Form
    {
        $form = new Nette\Application\UI\Form();
        // First argument is the component name (alphanumeric only), second is the caption.
        $form->addSubmit('destroy', 'Do something dangerous');
        $form->onSuccess[] = function (Nette\Application\UI\Form $form): void {
            // ...
        };
        return $form;
    }

}
```

Securing presenter `action` (or `render`) methods is not sufficient! All it takes is a single general route in your router, e.g. the very common `Route('/')`, and anyone may successfully submit the form by sending a POST request to the `/secured/foo` URL.

You should always check the user's permissions when creating the component. To make your life easier there is the `SecuredComponents` trait, which calls the standard `Nette\Application\UI\Component::checkRequirements()` method before calling the component factory (nette/application 3.2.2 and later performs this check natively, making the trait obsolete). Combined with `SecurityAnnotations`, it lets you control access to components via attributes on `createComponent*` methods.
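The hardened counterpart of the presenter above, as an added example (not code from the package's README). It assumes the `SecuredComponents` trait lives in the `Nepada\SecurityAnnotations` namespace; the rule is moved onto the component factory so it holds no matter which route delivered the POST.

```php
use Nepada\SecurityAnnotations\Annotations\LoggedIn;
use Nepada\SecurityAnnotations\SecuredComponents;
use Nepada\SecurityAnnotations\SecurityAnnotations;
use Nette\Application\UI\Form;
use Nette\Application\UI\Presenter;

/**
 * Hardened variant of the presenter above. The access rule sits on the
 * component factory, so it is enforced on every code path that creates
 * the form, including a POST routed here without ever running actionDefault().
 */
class SecuredPresenter extends Presenter
{
    use SecurityAnnotations;
    // Assumed namespace for the trait named in the README; it runs checkRequirements()
    // before the factory. Not needed on nette/application >= 3.2.2, which does this natively.
    use SecuredComponents;

    #[LoggedIn]
    public function actionDefault(): void
    {
        // ...
    }

    #[LoggedIn]
    protected function createComponentForm(): Form
    {
        $form = new Form();
        $form->addSubmit('destroy', 'Do something dangerous');
        $form->onSuccess[] = function (Form $form): void {
            // Reached only after the factory ran, i.e. only for a logged-in user.
        };
        return $form;
    }
}
```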

### Customizing access validators


- You can disable the default set of validators with `enableDefaultValidators: false`.
- You can also define your own validators, i.e. services implementing the `Nepada\SecurityAnnotations\AccessValidators\AccessValidator` interface, in the `validators` configuration section.

```
securityAnnotations:
    enableDefaultValidators: false # disable default set of validators
    validators:
        - MyRoleAccessValidator # define validator by class name
        - @fooAccessValidator # define validator by service reference

services:
    fooAccessValidator: FooAccessValidator(%fooParameter%)
```

#### How do access validators work?


Every access validator implements the `Nepada\SecurityAnnotations\AccessValidators\AccessValidator` interface. The access validator declares which attribute type it supports via its public API.

When the requirements are checked, the PHP attributes are passed one by one to the associated access validator for inspection. Based on the attribute value the validator decides either to deny access (by throwing `Nette\Application\BadRequestException`) or to grant it (no exception is thrown).
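A custom attribute and its validator, written here as an added example rather than code from the package. `AllRoles` and `AllRolesAccessValidator` are hypothetical names; the interface's two method names follow the README's description of it and are assumed, and `Nette\Application\ForbiddenRequestException` is used because it is a `BadRequestException` that maps to HTTP 403.

```php
use Nepada\SecurityAnnotations\AccessValidators\AccessValidator;
use Nette\Application\ForbiddenRequestException;
use Nette\Security\User;

/**
 * Hypothetical attribute: the user must hold every listed role.
 * The bundled Role attribute, by contrast, accepts any one of them.
 */
#[\Attribute(\Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD)]
final class AllRoles
{
    /** @var list<string> */
    public array $roles;

    public function __construct(string ...$roles)
    {
        $this->roles = array_values($roles);
    }
}

/**
 * Validator for AllRoles. The two method names follow the README's
 * description of the interface and are assumed here; verify them
 * against the AccessValidator interface of the installed version.
 */
final class AllRolesAccessValidator implements AccessValidator
{
    public function __construct(private User $user) {}

    public function getSupportedAttributeType(): string
    {
        return AllRoles::class;
    }

    public function validateAccess(object $attribute): void
    {
        assert($attribute instanceof AllRoles);
        if ($attribute->roles === []) {
            // Fail closed: an empty rule is a misconfiguration, not a grant.
            throw new ForbiddenRequestException('AllRoles lists no roles.');
        }
        foreach ($attribute->roles as $role) {
            if (!$this->user->isInRole($role)) {
                throw new ForbiddenRequestException("Missing required role '$role'.");
            }
        }
        // Returning without an exception grants access.
    }
}
```

Register the validator under `securityAnnotations.validators` as in the configuration above and annotate a method with `#[AllRoles("editor", "reviewer")]`; a user holding only one of the two roles receives a 403.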

### Community

Maintainers: [xificurk](/maintainers/xificurk)

Top contributors: [xificurk](https://github.com/xificurk) (189 commits), dependabot[bot] (176 commits)

Tags: nette, security, annotations
