PHPackages ordermind/logical-permissions - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. ordermind/logical-permissions ActiveLibrary[Authentication & Authorization](/categories/authentication) ordermind/logical-permissions ============================= Provides support for array-based permissions with logic gates such as AND and OR. 2.1.2(5y ago)41.5k↓100%11MITPHPPHP >=5.6 Since May 26Pushed 5y ago1 watchersCompare [ Source](https://github.com/ordermind/logical-permissions-php)[ Packagist](https://packagist.org/packages/ordermind/logical-permissions)[ RSS](/packages/ordermind-logical-permissions/feed)WikiDiscussions 2.x Synced 1mo ago READMEChangelogDependenciesVersions (6)Used By (1) [![](https://camo.githubusercontent.com/35d78997c940dff99abfb4a85f8606a3e6f3e3ff1be2e087eeb362424e1af0c0/68747470733a2f2f7472617669732d63692e6f72672f6f726465726d696e642f6c6f676963616c2d7065726d697373696f6e732d7068702e7376673f6272616e63683d322e78)](https://travis-ci.org/ordermind/logical-permissions-php) logical-permissions =================== [](#logical-permissions) This is a generic library that provides support for array-based permissions with logic gates such as AND and OR. You can register any kind of permission types such as roles and flags. The idea with this library is to be an ultra-flexible foundation that can be used by any framework. Supported PHP version is 5.6 or higher. Getting started --------------- [](#getting-started) ### Installation [](#installation) `composer require ordermind/logical-permissions` ### Usage [](#usage) #### Register permission types [](#register-permission-types) Permission types are used to check different kinds of conditions for access control, and the first thing to do is to create one of these and register it. Let's say, for example, that we want to determine access using the current user's roles. First you create a class that implements `Ordermind\LogicalPermissions\PermissionTypeInterface` like this: ``` use Ordermind\LogicalPermissions\PermissionTypeInterface; class MyPermissionType implements PermissionTypeInterface { public static function getName() { return 'role'; } public function checkPermission($role, $context) { $access = FALSE; if(!empty($context['user']['roles'])) { $access = in_array($role, $context['user']['roles']); } return $access; } } ``` Now we have implemented the two required methods - getName() and checkPermission() - and created a simple example for checking a role for a user. The name of the permission type is going to be used later as a key in your permission tree, and the checkPermission() method is where you, in this case, check whether the current user has a role or not. Once you have created a permission type you can register it like this: ``` use Ordermind\LogicalPermissions\AccessChecker; $permissionType = new MyPermissionType(); $accessChecker = new AccessChecker(); $permissionTypeCollection = $accessChecker->getPermissionTypeCollection(); $permissionTypeCollection->add($permissionType); ``` #### Check access [](#check-access) Now everything is set and you can check the access for a user based on their roles: ``` $permissions = [ 'role' => 'admin', // The key 'role' here is the name of your permission type ]; $user = ['roles' => ['admin', 'sales']]; $access = $accessChecker->checkAccess($permissions, ['user' => $user]); // TRUE ``` ### Permission trees [](#permission-trees) In the previous example, we had a variable called `$permissions` that looked like this: ``` $permissions = [ 'role' => 'admin', ]; ``` This is an example of a **permission tree**. A permission tree is a hierarchical combination of permissions that is evaluated in order to determine access for a specific action. Let's say for example that you want to restrict access for updating a user. You'd like only users with the role "admin" to be able to update any user, but users should also be able to update their own user data (or at least some of it). With the format that this library provides, these conditions could be expressed elegantly in a permission tree as such: ``` [ 'OR' => [ 'role' => 'admin', 'flag' => 'is_author', ], ] ``` In this example `role` and `flag` are the evaluated permission types. For this example to work you will need to register the permission types 'role' and 'flag' according to the previous guide. ### Bypassing access checks [](#bypassing-access-checks) This library also supports rules for bypassing access checks completely for superusers. In order to use this functionality you first need to create a class that implements `Ordermind\LogicalPermissions\BypassAccessCheckerInterface` like this: ``` use Ordermind\LogicalPermissions\BypassAccessCheckerInterface; class MyBypassAccessChecker implements BypassAccessCheckerInterface { public function checkBypassAccess($context) { $bypassAccess = FALSE; if($context['user']['id'] == 1) { $bypassAccess = TRUE; } return $bypassAccess; } } ``` Then you can register it like this: ``` $bypassAccessChecker = new MyBypassAccessChecker(); $accessChecker->setBypassAccessChecker($bypassAccessChecker); ``` From now on, every time you call `$accessChecker->checkAccess()` the user with the id 1 will be exempted so that no matter what the permissions are, they will always be granted access. If you want to make exceptions, you can do so by adding `'NO_BYPASS' => TRUE` to the first level of a permission tree. You can even use permissions as conditions for `NO_BYPASS`. Examples: ``` //Disallow access bypassing [ 'NO_BYPASS' => TRUE, 'role' => 'editor', ] ``` ``` //Disallow access bypassing only if the user is an admin [ 'NO_BYPASS' => [ 'role' => 'admin', ], 'role' => 'editor', ] ``` Logic gates ----------- [](#logic-gates) Currently supported logic gates are [AND](#and), [NAND](#nand), [OR](#or), [NOR](#nor), [XOR](#xor) and [NOT](#not). You can put logic gates anywhere in a permission tree and nest them to your heart's content. All logic gates support only an array as their value, except the NOT gate which has special rules. If an array of values does not have a logic gate as its key, an OR gate will be assumed. ### AND [](#and) A logic AND gate returns true if all of its children return true. Otherwise it returns false. Examples: ``` //Allow access only if the user is both an editor and a sales person [ 'role' => [ 'AND' => ['editor', 'sales'], ], ] ``` ``` //Allow access if the user is both a sales person and the author of the document [ 'AND' => [ 'role' => 'sales', 'flag' => 'is_author', ], ] ``` ### NAND [](#nand) A logic NAND gate returns true if one or more of its children returns false. Otherwise it returns false. Examples: ``` //Allow access by anyone except if the user is both an editor and a sales person [ 'role' => [ 'NAND' => ['editor', 'sales'], ], ] ``` ``` //Allow access by anyone, but not if the user is both a sales person and the author of the document. [ 'NAND' => [ 'role' => 'sales', 'flag' => 'is_author', ], ] ``` ### OR [](#or) A logic OR gate returns true if one or more of its children returns true. Otherwise it returns false. Examples: ``` //Allow access if the user is either an editor or a sales person, or both. [ 'role' => [ 'OR' => ['editor', 'sales'], ], ] ``` ``` //Allow access if the user is either a sales person or the author of the document, or both [ 'OR' => [ 'role' => 'sales', 'flag' => 'is_author', ], ] ``` ### Shorthand OR [](#shorthand-or) As previously mentioned, any array of values that doesn't have a logic gate as its key is interpreted as belonging to an OR gate. In other words, this permission tree: ``` [ 'role' => ['editor', 'sales'], ] ``` is interpreted exactly the same way as this permission tree: ``` [ 'role' => [ 'OR' => ['editor', 'sales'], ], ] ``` ### NOR [](#nor) A logic NOR gate returns true if all of its children returns false. Otherwise it returns false. Examples: ``` //Allow access if the user is neither an editor nor a sales person [ 'role' => [ 'NOR' => ['editor', 'sales'], ], ] ``` ``` //Allow neither sales people nor the author of the document to access it [ 'NOR' => [ 'role' => 'sales', 'flag' => 'is_author', ], ] ``` ### XOR [](#xor) A logic XOR gate returns true if one or more of its children returns true and one or more of its children returns false. Otherwise it returns false. An XOR gate requires a minimum of two elements in its value array. Examples: ``` //Allow access if the user is either an editor or a sales person, but not both [ 'role' => [ 'XOR' => ['editor', 'sales'], ], ] ``` ``` //Allow either sales people or the author of the document to access it, but not if the user is both a sales person and the author [ 'XOR' => [ 'role' => 'sales', 'flag' => 'is_author', ], ] ``` ### NOT [](#not) A logic NOT gate returns true if its child returns false, and vice versa. The NOT gate is special in that it supports either a string or an array with a single element as its value. Examples: ``` //Allow access for anyone except editors [ 'role' => [ 'NOT' => 'editor', ], ] ``` ``` //Allow access for anyone except the author of the document [ 'NOT' => [ 'flag' => 'is_author', ], ] ``` Boolean Permissions ------------------- [](#boolean-permissions) Boolean permissions are a special kind of permission. They can be used for allowing or disallowing access for everyone (except those with bypass access). They are not allowed as descendants to a permission type and they may not contain children. Both true booleans and booleans represented as uppercase strings are supported. Of course a simpler way to allow access to everyone is to not define any permissions at all for that action, but it might be nice sometimes to explicitly allow access for everyone. Examples: ``` //Allow access for anyone [ TRUE, ] //Using a boolean without an array is also permitted TRUE ``` ``` //Example with string representation [ 'TRUE', ] //Using a string representation without an array is also permitted 'TRUE' ``` ``` //Deny access for everyone except those with bypass access [ FALSE, ] //Using a boolean without an array is also permitted FALSE ``` ``` //Example with string representation [ 'FALSE', ] //Using a string representation without an array is also permitted 'FALSE' ``` ``` //Deny access for everyone including those with bypass access [ FALSE, 'NO_BYPASS' => TRUE, ] ``` API Documentation ================= [](#api-documentation) Table of Contents ----------------- [](#table-of-contents) - [AccessChecker](#accesschecker) - [setPermissionTypeCollection](#setpermissiontypecollection) - [getPermissionTypeCollection](#getpermissiontypecollection) - [setBypassAccessChecker](#setbypassaccesschecker) - [getBypassAccessChecker](#getbypassaccesschecker) - [getValidPermissionKeys](#getvalidpermissionkeys) - [checkAccess](#checkaccess) - [PermissionTypeCollection](#permissiontypecollection) - [add](#add) - [remove](#remove) - [has](#has) - [get](#get) - [toArray](#toarray) AccessChecker ------------- [](#accesschecker) Checks access based on registered permission types, a permission tree and a context. - Full name: \\Ordermind\\LogicalPermissions\\AccessChecker - This class implements: \\Ordermind\\LogicalPermissions\\AccessCheckerInterface ### setPermissionTypeCollection [](#setpermissiontypecollection) Sets the permission type collection. ``` AccessChecker::setPermissionTypeCollection( \Ordermind\LogicalPermissions\PermissionTypeCollectionInterface $permissionTypeCollection ): \Ordermind\LogicalPermissions\AccessCheckerInterface ``` **Parameters:** ParameterTypeDescription`$permissionTypeCollection`**\\Ordermind\\LogicalPermissions\\PermissionTypeCollectionInterface**--- ### getPermissionTypeCollection [](#getpermissiontypecollection) Gets the permission type collection. ``` AccessChecker::getPermissionTypeCollection( ): \Ordermind\LogicalPermissions\PermissionTypeCollectionInterface|NULL ``` --- ### setBypassAccessChecker [](#setbypassaccesschecker) Sets the bypass access checker. ``` AccessChecker::setBypassAccessChecker( \Ordermind\LogicalPermissions\BypassAccessCheckerInterface $bypassAccessChecker ): \Ordermind\LogicalPermissions\AccessCheckerInterface ``` **Parameters:** ParameterTypeDescription`$bypassAccessChecker`**\\Ordermind\\LogicalPermissions\\BypassAccessCheckerInterface**--- ### getBypassAccessChecker [](#getbypassaccesschecker) Gets the bypass access checker. ``` AccessChecker::getBypassAccessChecker( ): \Ordermind\LogicalPermissions\BypassAccessCheckerInterface|NULL ``` --- ### getValidPermissionKeys [](#getvalidpermissionkeys) Gets all keys that can be used in a permission tree. ``` AccessChecker::getValidPermissionKeys( ): array ``` **Return Value:** Valid permission keys. --- ### checkAccess [](#checkaccess) Checks access for a permission tree. ``` AccessChecker::checkAccess( array|string|boolean $permissions, array|object|NULL $context = NULL, boolean $allowBypass = TRUE ): boolean ``` **Parameters:** ParameterTypeDescription`$permissions`**array|string|boolean**The permission tree to be evaluated.`$context`**array|object|NULL**(optional) A context that could for example contain the evaluated user and document. Default value is NULL.`$allowBypass`**boolean**(optional) Determines whether bypassing access should be allowed. Default value is TRUE.**Return Value:** TRUE if access is granted or FALSE if access is denied. --- PermissionTypeCollection ------------------------ [](#permissiontypecollection) Collection of permission types. - Full name: \\Ordermind\\LogicalPermissions\\PermissionTypeCollection - This class implements: \\Ordermind\\LogicalPermissions\\PermissionTypeCollectionInterface ### add [](#add) Adds a permission type to the collection. ``` PermissionTypeCollection::add( \Ordermind\LogicalPermissions\PermissionTypeInterface $permissionType, boolean $overwriteIfExists = FALSE ): \Ordermind\LogicalPermissions\PermissionTypeCollectionInterface ``` **Parameters:** ParameterTypeDescription`$permissionType`**\\Ordermind\\LogicalPermissions\\PermissionTypeInterface**`$overwriteIfExists`**boolean**(optional) If the permission type already exists in the collection, it will be overwritten if this parameter is set to TRUE. If it is set to FALSE, Ordermind\\LogicalPermissions\\Exceptions\\PermissionTypeAlreadyExistsException will be thrown. Default value is FALSE.--- ### remove [](#remove) Removes a permission type by name from the collection. If the permission type cannot be found in the collection, nothing happens. ``` PermissionTypeCollection::remove( string $name ): \Ordermind\LogicalPermissions\PermissionTypeCollectionInterface ``` **Parameters:** ParameterTypeDescription`$name`**string**The name of the permission type.--- ### has [](#has) Checks if a permission type exists in the collection. ``` PermissionTypeCollection::has( string $name ): boolean ``` **Parameters:** ParameterTypeDescription`$name`**string**The name of the permission type.--- ### get [](#get) Gets a permission type by name. If the permission type cannot be found, NULL is returned. ``` PermissionTypeCollection::get( string $name ): \Ordermind\LogicalPermissions\PermissionTypeInterface|NULL ``` **Parameters:** ParameterTypeDescription`$name`**string**The name of the permission type.--- ### toArray [](#toarray) Returns a PHP array representation of this collection. ``` PermissionTypeCollection::toArray( ): array ``` --- ### Health Score 29 — LowBetter than 60% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity20 Limited adoption so far Community10 Small or concentrated contributor base Maturity54 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~45 days Recently: every ~56 days Total 6 Last Release 1949d ago Major Versions 1.x-dev → 2.1.22020-05-26 2.x-dev → 3.0.0-alpha62021-01-06 PHP version history (2 changes)1.2.13PHP >=5.6 3.0.0-alpha6PHP ^7.4 ### Community Maintainers ![](https://www.gravatar.com/avatar/a32e0ec4e07de222a7500708069d99725013c9ed8b4f2e81a56da73b7f40b793?d=identicon)[ordermind](/maintainers/ordermind) --- Top Contributors [![facine](https://avatars.githubusercontent.com/u/78108?v=4)](https://github.com/facine "facine (1 commits)") --- Tags permissionsphppermissions ### Embed Badge ![Health badge](/badges/ordermind-logical-permissions/health.svg) ``` [![Health](https://phpackages.com/badges/ordermind-logical-permissions/health.svg)](https://phpackages.com/packages/ordermind-logical-permissions) ``` ### Alternatives [spatie/laravel-permission Permission handling for Laravel 12 and up 12.9k89.8M1.0k](/packages/spatie-laravel-permission)[santigarcor/laratrust This package provides a flexible way to add Role-based Permissions to Laravel 2.3k5.4M42](/packages/santigarcor-laratrust)[bezhansalleh/filament-shield Filament support for `spatie/laravel-permission`. 2.8k2.9M88](/packages/bezhansalleh-filament-shield)[jeremykenedy/laravel-roles A Powerful package for handling roles and permissions in Laravel. Supports Laravel 5.3 up to 12. 1.0k826.8k6](/packages/jeremykenedy-laravel-roles)[beatswitch/lock A flexible, driver based Acl package for PHP 5.4+ 870304.7k2](/packages/beatswitch-lock)[pktharindu/nova-permissions Laravel Nova Grouped Permissions (ACL) 136387.1k](/packages/pktharindu-nova-permissions) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)