programmingarehard/arbiter
==========================

Convenience library for manipulating Symfony ACLs

v0.4.0 (12y ago) · 814 · MIT · JavaScript · PHP >=5.3.3


[Source](https://github.com/dadamssg/arbiter) · [Packagist](https://packagist.org/packages/programmingarehard/arbiter)


Arbiter
-------


[![Build Status](https://camo.githubusercontent.com/98f6cca49daf570d697123e5339e093bfff2f9648922afba14b9b6053e87176e/68747470733a2f2f7472617669732d63692e6f72672f646164616d7373672f617262697465722e7376673f6272616e63683d6d6173746572)](https://travis-ci.org/dadamssg/Arbiter)[![Coverage Status](https://camo.githubusercontent.com/efa62dfa72e0ac1993b91f8e5de5deddf29d6326502c7293d763a9adf628ec8f/68747470733a2f2f636f766572616c6c732e696f2f7265706f732f646164616d7373672f617262697465722f62616467652e706e673f6272616e63683d6d6173746572)](https://coveralls.io/r/dadamssg/arbiter?branch=master)

> **Note:** Arbiter assumes the ACLs of [Symfony's security component](https://packagist.org/packages/symfony/security) have already been [set up](http://symfony.com/doc/current/cookbook/security/acl.html).

Documentation
-------------


Arbiter makes it easy to grant users different permissions on specific objects. It does this by hiding the complexity of manipulating ACLs through Symfony's security component.

You don't need to worry about ACLs, ACEs, object identities, security identities, mask builders, etc.

Read the [generated API documentation](http://dadamssg.github.io/arbiter/) or view code samples below.

Updating permissions
--------------------


```
// get the arbiter
$arbiter = $this->get('object.arbiter');

// get a user
$user = $this->get('security.context')->getToken()->getUser();

// get an entity
$document = $this->get('document.repository')->find(1);

// focus the arbiter on an entity
$arbiter->setObject($document);

// get the current permissions the user has for the $document
$permissions = $arbiter->getPermissions($user);

// add permissions
$permissions
    ->add('VIEW')
    ->add('EDIT');

// update permissions for user
$arbiter->updatePermissions($user, $permissions);

// remove permissions
$permissions->remove('EDIT');

// update permissions for user
$arbiter->updatePermissions($user, $permissions);
```

> **Note:** Arbiter uses Symfony's [BasicPermissionMap](https://github.com/symfony/Security/blob/master/Acl/Permission/BasicPermissionMap.php) internally. Out of the box, the Arbiter is limited to those permissions, and permission names are case-sensitive.

Checking permissions
--------------------


```
// get a permissions object
$permissions = $arbiter->newPermissions(array('EDIT'));

// focus the arbiter on the entity
$arbiter->setObject($project);

// check permissions
$canEdit = $arbiter->isGranted($user, $permissions); // bool
```

Suggestions
-----------


Only check against a single permission even though the `Permissions` object can contain several. The security component, by default, will grant access if the user has any one of the permissions contained in the `Permissions` object. For example:

```
// get a permissions object
$permissions = $arbiter->newPermissions(array('EDIT', 'OPERATOR'));

// focus the arbiter on the entity
$arbiter->setObject($document);

// check permissions
$granted = $arbiter->isGranted($user, $permissions); // bool
```

If the user has an ACE entry for either `EDIT` or `OPERATOR`, access is granted. Checking against multiple permissions at the same time can cause confusion.

Gotchas
-------


Because of the bitmask implementation of Symfony's ACL system, removing permissions isn't as straightforward as one might think. Consider the following example:

```
// get a permissions object
$permissions = $arbiter->newPermissions(array('OPERATOR'));

// focus the arbiter on the entity
$arbiter->setObject($project);

// grant permissions
$arbiter->updatePermissions($user, $permissions);

// time passes and you need to adjust the user's permissions.

// get the permissions the $user currently has for the $project
$permissions = $arbiter->getPermissions($user);

// remove the DELETE permission
$permissions->remove('DELETE');

// update permissions
$arbiter->updatePermissions($user, $permissions);
```

Because the `OPERATOR` permission implies the `DELETE` permission in Symfony's security system, one might think you can simply remove `DELETE` and assume the `$user` has every CRUD permission except `DELETE`. This is false and the wrong way to think about it. The `$user` will still have the `OPERATOR` permission, which still includes the `DELETE` permission.

Instead, a better approach would be to create a new `Permissions` object with only the explicit permissions the `$user` should hold. This new `Permissions` object should be used in a `$arbiter->updatePermissions($user, $permissions)` method call.
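
Why removing `DELETE` from an `OPERATOR` grant changes nothing, shown as an added example that is not Arbiter's or Symfony's own code. The bit values and permission map are copied from Symfony's `MaskBuilder` and `BasicPermissionMap`, the check assumes the ACL component's default `all` ACE strategy, and `aceGrants()` and `maskOf()` are hypothetical helper names.

```php
<?php
// Stand-alone model of Symfony ACL mask checks (no Symfony dependency).
// Bit values mirror MaskBuilder's MASK_* constants.
const MASKS = [
    'VIEW' => 1, 'CREATE' => 2, 'EDIT' => 4, 'DELETE' => 8,
    'UNDELETE' => 16, 'OPERATOR' => 32, 'MASTER' => 64, 'OWNER' => 128,
];

// Mirrors BasicPermissionMap: which stored bits satisfy a requested permission.
const PERMISSION_MAP = [
    'VIEW'     => ['VIEW', 'EDIT', 'OPERATOR', 'MASTER', 'OWNER'],
    'EDIT'     => ['EDIT', 'OPERATOR', 'MASTER', 'OWNER'],
    'CREATE'   => ['CREATE', 'OPERATOR', 'MASTER', 'OWNER'],
    'DELETE'   => ['DELETE', 'OPERATOR', 'MASTER', 'OWNER'],
    'UNDELETE' => ['UNDELETE', 'OPERATOR', 'MASTER', 'OWNER'],
    'OPERATOR' => ['OPERATOR', 'MASTER', 'OWNER'],
    'MASTER'   => ['MASTER', 'OWNER'],
    'OWNER'    => ['OWNER'],
];

// Hypothetical helper: does a stored ACE mask satisfy $permission?
function aceGrants(int $aceMask, string $permission): bool
{
    foreach (PERMISSION_MAP[$permission] as $name) {
        $required = MASKS[$name];
        if (($aceMask & $required) === $required) {
            return true; // any one matching bit is enough
        }
    }
    return false;
}

// Hypothetical helper: OR together the bits for explicit permission names.
function maskOf(array $names): int
{
    return array_reduce($names, function ($m, $n) { return $m | MASKS[$n]; }, 0);
}

// "Removing DELETE" from an OPERATOR grant clears a bit that was never set,
// so the stored mask is unchanged and the OPERATOR bit still satisfies DELETE.
$operator    = maskOf(['OPERATOR']);
$afterRemove = $operator & ~MASKS['DELETE'];
var_dump($afterRemove === $operator, aceGrants($afterRemove, 'DELETE'));

// Replacing the grant with explicit permissions is what actually drops DELETE.
$explicit = maskOf(['VIEW', 'CREATE', 'EDIT', 'UNDELETE']);
var_dump(aceGrants($explicit, 'DELETE'), aceGrants($explicit, 'EDIT'));
```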

Register Arbiter in Symfony's container
---------------------------------------


```
# services.yml

services:
    object.arbiter:
        class: ProgrammingAreHard\Arbiter\Domain\ObjectArbiter
        arguments: ["@security.acl.provider"]
```

### Community

Maintainers

![](https://www.gravatar.com/avatar/339bdfaf1c3572982585cd78238c5b11a5d15b9f43197ff11e1b54ea1140d2c3?d=identicon)[dadamssg](/maintainers/dadamssg)

