
sapl/sapl-php
=============

SAPL Policy Enforcement Point for PHP and Symfony. Streaming attribute-based access control against a SAPL Policy Decision Point over HTTP.

v1.0.0 | Apache-2.0 | PHP >=8.3

[Source](https://github.com/heutelbeck/sapl-php) | [Packagist](https://packagist.org/packages/sapl/sapl-php) | [Docs](https://sapl.io)

sapl-php
========


Policy-based authorization for PHP and Symfony. Write access control rules as external SAPL policy files and enforce them at runtime through attributes like `#[PreEnforce]` and `#[PostEnforce]`. Policies can be updated without code changes or redeployment.

How It Works
------------


Your application marks controller actions or service methods with enforcement attributes. SAPL intercepts the call, sends an authorization subscription to the Policy Decision Point (PDP), and enforces the decision, including any obligations or advice the policy attaches.

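```
use Sapl\Symfony\PreEnforce;

// Enclosing class shown for completeness; its name is illustrative.
final class PatientController
{
    #[PreEnforce(action: 'read', resource: 'patient')]
    public function getPatient(): array
    {
        return ['name' => 'Jane Doe', 'ssn' => '123-45-6789'];
    }
}
```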

```
policy "permit doctors to read patient data"
permit
  action == "read";
  "DOCTOR" in subject.roles
```

If the PDP permits, the method runs. If not, an `AccessDeniedException` is thrown. If the decision carries obligations (like access logging or field redaction), they are enforced automatically through registered constraint handlers.

The subject defaults to the authenticated user, and the action and resource to the class and method name. Any attribute field overrides the default, either as a literal or as a Symfony `Expression` evaluated against `{ subject, args, request }`.

What You Get
------------


SAPL goes beyond simple permit/deny. Decisions can carry obligations that must be fulfilled, advice that should be attempted, and resource transformations that modify return values before they reach the caller. The library handles all of this transparently.
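The difference between obligations, advice and resource transformations is easiest to see in code. The following is an added, simplified model of those rules, not code from sapl-php: the `enforce` function, the handler registry keyed by a constraint `type`, and the sample decisions are all constructed for illustration, and the library's actual ordering of handlers may differ.

```php
<?php
declare(strict_types=1);

// Simplified model of the enforcement rules above; NOT sapl-php code.
// Handler registry, constraint "type" values and decisions are constructed.
function enforce(array $decision, callable $method, array $handlers): mixed
{
    // Only PERMIT grants access; DENY, INDETERMINATE and NOT_APPLICABLE deny.
    if (($decision['decision'] ?? null) !== 'PERMIT') {
        throw new RuntimeException('access denied');
    }
    // Fail closed: an obligation nobody can fulfil denies before the method runs.
    foreach ($decision['obligations'] ?? [] as $o) {
        if (!isset($handlers[$o['type'] ?? ''])) {
            throw new RuntimeException('access denied: unhandled obligation');
        }
    }
    $result = $method();
    // A resource in the decision replaces the return value.
    if (array_key_exists('resource', $decision)) {
        $result = $decision['resource'];
    }
    foreach ($decision['obligations'] ?? [] as $o) {
        $result = $handlers[$o['type']]($o, $result); // a throw here denies access
    }
    foreach ($decision['advice'] ?? [] as $a) {
        try { // advice is best effort: missing or failing handlers are ignored
            $result = ($handlers[$a['type'] ?? ''] ?? fn ($c, $v) => $v)($a, $result);
        } catch (Throwable) { /* ignored */ }
    }
    return $result;
}

$handlers = ['redactFields' => function (array $c, array $v): array {
    foreach ($c['fields'] as $f) {
        if (array_key_exists($f, $v)) { $v[$f] = '***'; }
    }
    return $v;
}];
$getPatient = fn (): array => ['name' => 'Jane Doe', 'ssn' => '123-45-6789'];

$redact = ['decision' => 'PERMIT', 'advice' => [['type' => 'notifyAuditor']],
    'obligations' => [['type' => 'redactFields', 'fields' => ['ssn']]]];
print_r(enforce($redact, $getPatient, $handlers));
try {
    enforce(['decision' => 'PERMIT', 'obligations' => [['type' => 'logAccess']]], $getPatient, $handlers);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The first call returns the patient record with the redaction obligation applied and the unhandled advice skipped; the second is refused even though the decision is PERMIT, because no handler exists for its obligation.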

For streaming responses, `#[StreamEnforce]` maintains a live connection to the PDP, so access rights update in real time as policies, attributes, or the environment change. Its `signalTransitions` and `pauseRapDuringSuspend` flags express the suspend, drop, and pause behaviours. Transaction integration rolls back a database write when an obligation fails after it (enable with `transactional: true`).

Data-layer query rewriting narrows results at the database rather than in memory. A policy attaches a `sql:queryRewriting` or `mongo:queryRewriting` obligation, and the matching Doctrine filter rewrites the queries an enforced method issues, fail-closed and narrowing-only. `Sapl\Doctrine\Orm\SaplSqlFilter` covers SQL databases through the Doctrine ORM and `Sapl\Doctrine\Odm\SaplBsonFilter` covers MongoDB through the Doctrine ODM. The obligation is portable: the same `mongo:queryRewriting` policy works unchanged across the Spring, Python, NestJS, and PHP MongoDB integrations.

Getting Started
---------------


Requires PHP 8.3+, Symfony 7.3+, and a SAPL PDP of version 4.1.0 or higher.

```
composer require sapl/sapl-php
```

Register the bundle and point it at your PDP:

```
# config/packages/sapl.yaml
sapl:
    pdp:
        base_url: '%env(SAPL_PDP_URL)%'
    transactional: false
```

The PDP connection is HTTP. An unauthenticated development PDP must stay on loopback; production deployments configure authentication (api-key via `token`, or basic auth via `username` and `secret`) and TLS.
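A deployment check for the rule above, as an added example that is not part of sapl-php: the function name `checkPdpSettings` is hypothetical, its parameters mirror the `base_url`, `token`, `username` and `secret` settings named here, and the sample URLs and key are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not sapl-php code. Flags PDP settings that break the rule:
// unauthenticated only on loopback; anything else needs credentials and TLS.

/** @return list<string> problems found; an empty list means the settings pass */
function checkPdpSettings(
    string $baseUrl,
    ?string $token = null,
    ?string $username = null,
    ?string $secret = null,
): array {
    $parts = parse_url($baseUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return ['base_url is not an absolute URL'];
    }
    $scheme = strtolower($parts['scheme']);
    $host = strtolower(trim($parts['host'], '[]')); // parse_url keeps IPv6 brackets
    // Assumption: "localhost" resolves to a loopback address on this machine.
    $isIpv4 = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    $loopback = $host === 'localhost' || $host === '::1'
        || ($isIpv4 && str_starts_with($host, '127.'));
    $authenticated = ($token ?? '') !== ''
        || (($username ?? '') !== '' && ($secret ?? '') !== '');

    $problems = [];
    if (!in_array($scheme, ['http', 'https'], true)) {
        $problems[] = "unsupported scheme '$scheme'";
    }
    if (!$loopback && !$authenticated) {
        $problems[] = 'unauthenticated PDP is reachable beyond loopback';
    }
    if (!$loopback && $scheme !== 'https') {
        $problems[] = 'non-loopback PDP connection is not using TLS';
    }
    return $problems;
}

// Constructed sample settings: dev loopback, exposed dev PDP, production-style.
foreach ([
    ['http://127.0.0.1:8443', null],
    ['http://pdp.internal.example:8443', null],
    ['https://pdp.internal.example', 'constructed-api-key'],
] as [$url, $token]) {
    $problems = checkPdpSettings($url, $token);
    echo $url, ' => ', $problems ? implode('; ', $problems) : 'ok', "\n";
}
```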

Links
-----


- [Full Documentation](https://sapl.io/docs/latest/)
- [Demo Application](https://github.com/heutelbeck/sapl-php-demos)
- [Report an Issue](https://github.com/heutelbeck/sapl-php/issues)

License
-------


Apache-2.0

