
srigi/ipub-security
===================

ACL permissions setter & checker for Nette Framework

Latest version: 1.3.7. License: BSD-3-Clause. Requires PHP >=5.4. [Issues](https://github.com/srigi/ipub-security/issues), [pull requests](https://github.com/srigi/ipub-security/pulls).


ACL permissions setter & checker for [Nette Framework](http://nette.org/).

`srigi/ipub-security` is a library that makes the Nette Framework ACL system easy to configure. It supports inheritance of roles and resources as well as permission assertions.

Installation
------------

The best way to install `srigi/ipub-security` is by using [Composer](http://getcomposer.org/). To get the latest version of the library run this command at the root of your project:

```
$ composer require srigi/ipub-security

```

Or you can specify the dependency by hand:

```
{
	"require": {
		"srigi/ipub-security": "^1.3.0"
	}
}
```

Setup
-----

After installation you need to register the DI extension. If you're using Nette 2.3, you can do that in the configuration:

```
extensions:
	permission: IPub\Security\DI\SecurityExtension
```

In the case of Nette 2.2, register the extension in your `bootstrap.php`:

```
$configurator = new Nette\Configurator;
// ...some other code

IPub\Security\DI\SecurityExtension::register($configurator);
```

### The ACL system 101

The Nette ACL system brings some terminology you should know before continuing. First there are *resources* that someone (a *role*) wants to access in some way (a *privilege*). Together these form a *permission*. An example is the best teacher:

**resources** - `intranet`, `salesModule`, `serversDashboard`, `databaseServersDashboard`

**roles** - `administrator`, `guest`, `authenticated`, `employee`, `sales`, `engineer`

**privileges** - `access`, `powerOn`, `powerOff`, `reboot`

**permission** - an abstract concept formed by combining the three entities above:

- `authenticated` can `access` the `intranet`
- `engineer` can `reboot` the `serversDashboard`
- `administrator` can do `ALL` on `ALL`

*resources* and *roles* can inherit from each other and create hierarchies:

```
    intranet
    ├ salesModule
    └ serversDashboard
      └ databaseServersDashboard

```

```
    administrator
    guest
    └ authenticated
      └ employee
        ├ sales
        └ engineer
          └ backend-engineer

```

If a permission (a combination of `resource`, `role` and `privilege`) is registered, it is inherited down the hierarchy. In our little example `engineer` can `access` the `intranet` because it inherits this permission from `authenticated`.

More on this can be found in the [access control](https://doc.nette.org/en/2.3/access-control) chapter of the Nette Framework documentation.

### Creating permissions

A permission is represented by an instance of `IPub\Security\Entities\IPermission`. Such an instance provides an `IPub\Security\Entities\IResource` resource instance, a privilege (defined as a string) and an assertion (defined as a callable). All three components of the permission are optional.

Permission definitions must be provided by a service implementing `IPub\Security\Providers\IPermissionsProvider`. The **srigi/ipub-security** library ships an example implementation of such a provider that you can use in your project, or you can write your own.

Defining a set of permissions with our `PermissionsProvider` is very easy:

```
class MyPermissionsProvider extends IPub\Security\Providers\PermissionsProvider
{
	public function __construct()
	{
		$intranet = $this->addResource('intranet');
		$this->addPermission($intranet, Nette\Security\IAuthorizator::ALL);
		$this->addPermission($intranet, 'access');
		$this->addPermission($intranet, 'update');

		$salesModule = $this->addResource('salesModule', $this->getResource('intranet'));
		$this->addPermission($salesModule, 'access');
		$this->addPermission($salesModule, 'edit', function($acl, $role, $resource, $privilege) {
			// ...code of permission assertion
		});

		// ... more permissions definitions
	}
}
```

Now just register your permission provider:

```
services:
	- MyPermissionsProvider
```
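The inheritance rules from the ACL 101 section and the assertion callback left open in the provider above, as an added example that is not part of the library or its README. It calls `Nette\Security\Permission` from nette/security 2.x directly; the `Employee` and `Deal` classes and the ownership rule are hypothetical.

```php
<?php
// Added example: plain nette/security 2.x calls, not the ipub-security providers.
require __DIR__ . '/vendor/autoload.php';

use Nette\Security\Permission;

// Hypothetical entities, used only by the assertion below.
class Employee implements Nette\Security\IRole
{
	public $id;
	public function __construct($id) { $this->id = $id; }
	public function getRoleId() { return 'sales'; }
}

class Deal implements Nette\Security\IResource
{
	public $ownerId;
	public function __construct($ownerId) { $this->ownerId = $ownerId; }
	public function getResourceId() { return 'salesModule'; }
}

$acl = new Permission;
$acl->addRole('administrator');
$acl->addRole('guest');
$acl->addRole('authenticated', 'guest');
$acl->addRole('employee', 'authenticated');
$acl->addRole('sales', 'employee');
$acl->addRole('engineer', 'employee');
$acl->addResource('intranet');
$acl->addResource('salesModule', 'intranet');
$acl->addResource('serversDashboard', 'intranet');
$acl->addResource('databaseServersDashboard', 'serversDashboard');

$acl->allow('administrator'); // ALL privileges on ALL resources
$acl->allow('authenticated', 'intranet', 'access');
$acl->allow('engineer', 'serversDashboard', 'reboot');
// The rule applies only while the queried deal belongs to the queried employee.
$acl->allow('sales', 'salesModule', 'edit', function (Permission $acl, $role, $resource, $privilege) {
	$who = $acl->getQueriedRole();
	$what = $acl->getQueriedResource();
	return $who instanceof Employee && $what instanceof Deal && $what->ownerId === $who->id;
});

var_dump($acl->isAllowed('engineer', 'intranet', 'access'));                 // via role parents
var_dump($acl->isAllowed('engineer', 'databaseServersDashboard', 'reboot')); // via resource parents
var_dump($acl->isAllowed('guest', 'intranet', 'access'));                    // no rule matches
var_dump($acl->isAllowed(new Employee(7), new Deal(7), 'edit'));             // own deal
var_dump($acl->isAllowed(new Employee(7), new Deal(9), 'edit'));             // someone else's deal
```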

### Creating roles & assigning permissions

Like permissions, roles have their own interface and need a provider service. This provider should also assign permissions to the roles:

```
use IPub\Security\Entities;

class MyRolesProvider extends IPub\Security\Providers\RolesProvider
{
	/**
	 * @param MyPermissionsProvider $permissionsProvider
	 */
	public function __construct(MyPermissionsProvider $permissionsProvider)
	{
		// permissions are keyed as 'resource:privilege'
		$permissions = $permissionsProvider->getPermissions();

		$this->addRole(Entities\IRole::ROLE_ADMINISTRATOR);
		$this->addRole(Entities\IRole::ROLE_ANONYMOUS);
		$this->addRole(Entities\IRole::ROLE_AUTHENTICATED, $this->getRole(Entities\IRole::ROLE_ANONYMOUS), $permissions['intranet:access']);

		$this->addRole('employee', $this->getRole(Entities\IRole::ROLE_AUTHENTICATED));
		$this->addRole('sales', $this->getRole('employee'), [
			$permissions['salesModule:'],
		]);
		$this->addRole('engineer', $this->getRole('employee'), [
			$permissions['servers:access'],
		]);

		// ...more roles & permissions assignments
	}
}
```

Don't forget to register your roles provider:

```
services:
	- MyRolesProvider
```

Now you're set!

Checking permissions
--------------------

The library provides a PHP trait that makes it pleasant to query the Nette ACL system we've just configured. Please note that traits are available from PHP 5.4; for older versions of PHP you must copy and paste the trait contents. The trait is effective only in presenters.

```
class BasePresenter extends Nette\Application\UI\Presenter
{
	use IPub\Security\TPermission;
}
```

### Using annotations

You can fine-tune the checking logic with this set of annotations:

```
/**
 * @Secured
 * @Secured\User(loggedIn)
 * @Secured\Resource(RESOURCE_NAME)
 * @Secured\Privilege(PRIVILEGE_NAME)
 * @Secured\Permission(RESOURCE_NAME: PRIVILEGE_NAME)
 * @Secured\Role(ROLE_NAME)
 */
class IntranetPresenter extends BasePresenter
{
	/**
	 * @Secured
	 * @Secured\Permission(RESOURCE_NAME: PRIVILEGE_NAME)
	 */
	public function renderDefault()
	{
	}
}
```

#### `@Secured`

This annotation instructs the security system that the presenter is subject to the permissions check. Without it, permission checking is skipped completely!
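Because a missing `@Secured` tag disables the check silently, a build-time audit can list the presenter methods that no tag covers. This is an added example, not code from the library; it assumes that a class-level tag covers every action and that only `action*`, `render*` and `handle*` methods are entry points, and the two sample presenters are constructed.

```php
<?php
// Added example; the sample presenters at the bottom are constructed.

/** TRUE when a doc comment carries the bare @Secured tag (not only @Secured\Role etc.). */
function hasSecuredTag($docComment)
{
	return is_string($docComment)
		&& preg_match('~@Secured(?![\\\\\w])~', $docComment) === 1;
}

/** Lists action/render/handle methods that no @Secured tag covers. */
function findUncheckedActions(array $classes)
{
	$unchecked = [];
	foreach ($classes as $class) {
		$rc = new ReflectionClass($class);
		if (hasSecuredTag($rc->getDocComment())) {
			continue; // assumption: a class-level tag covers every action
		}
		foreach ($rc->getMethods(ReflectionMethod::IS_PUBLIC) as $m) {
			if (preg_match('~^(action|render|handle)[A-Z]~', $m->getName())
				&& !hasSecuredTag($m->getDocComment())) {
				$unchecked[] = $rc->getName() . '::' . $m->getName();
			}
		}
	}
	return $unchecked;
}

// A restriction is listed, but the bare @Secured tag was forgotten.
/** @Secured\Role(engineer) */
class ServersPresenter
{
	public function renderDefault() {}
	public function handleReboot() {}
}

/**
 * @Secured
 * @Secured\Permission(intranet: access)
 */
class IntranetPresenter
{
	public function renderDefault() {}
}

print_r(findUncheckedActions(['ServersPresenter', 'IntranetPresenter']));
```

Run it over the project's real presenter classes in CI and fail the build when the returned list is not empty.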

#### `@Secured\User`

This annotation accepts the value `loggedIn` or `guest`. Access to any `resource` and any `privilege` is then controlled only by the login state of the current user.

---

The following annotations work with the `Nette\Security\User` roles assigned during the login process.

#### `@Secured\Resource`

Access is granted only if the role is allowed to access the specified `resource`.

#### `@Secured\Privilege`

Access is granted only if the role is allowed the specified `privilege`.

#### `@Secured\Permission`

A combination of the two above: access is granted only if the role has the `resource: privilege` permission.

#### `@Secured\Role`

Grants access only to the specified `role`.

Wherever `*_NAME` appears, you can specify multiple names separated by commas.

### Using in presenters, components, models, etc.

The permission check can also be performed manually. You just need a `Nette\Security\User` instance, on which you call:

```
$user->isAllowed('resource', 'privilege');
```

`TRUE` or `FALSE` is returned accordingly.

### Using in Latte

In Latte you can use two special macros.

```
This text is for everyone...

{ifAllowed resource => 'intranet', privilege => 'access'}
	But this one is only for special persons...
{/ifAllowed}
```

The `ifAllowed` macro is very similar to the annotation definitions. You can use one or all of the available parameters here: user, resource, privilege, permission or role.

This macro can also be used as an **n:** macro:

```
This text is for everyone...
<div n:ifAllowed="resource => 'intranet', privilege => 'access'">
	But this one is only for special persons...
</div>
```

And second special macro is for links:

```
Link to Intranet...
```

The **n:allowedHref** macro expects only a valid link; if the user doesn't have permission for that resource, the link isn't displayed.

Redirect to login page
----------------------

If the user is not logged in and tries to access a secured resource, the default action is to throw `Nette\Application\ForbiddenRequestException`. However, if you configure the so-called `redirectUrl`, the request is redirected to this URL (the login page) when this situation occurs.

All parameters of the original request are also stored. That way you are able to restore the original request and be redirected to the secured resource after a successful login. To configure `redirectUrl`, add this to your configuration:

```
permission:
	redirectUrl: 'Login:default'

```

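To restore the original request, prepare a persistent parameter `backlink` in the presenter and use it in the login procedure (callback):

```
class LoginPresenter extends Nette\Application\UI\Presenter
{
	/** @persistent */
	public $backlink;

	public function processLoginForm($form)
	{
		try {
			$this->getUser()->login($form->getValues());
		} catch (Nette\Security\AuthenticationException $e) {
			// invalid credentials: show the error and stay on the login page
			$form->addError($e->getMessage());
			return;
		}

		// redirects to the stored request when the backlink key is still valid
		$this->restoreRequest($this->backlink);
		// otherwise continue to the default page
		$this->redirect('Admin:default');
	}
}
```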

TODO
----

- check `IPub\Security\Entities\Permission` constructor types
- make documentation examples to be in sync w/ tests
- tests for `IPub\Security\Providers\*`
- latte macros tests
- check annotations test logic
- permissions-assertions tests/doc
- `RolesProvider::allow`, `RolesProvider::deny` methods

History
-------

- 1.3.4 Add `redirectUrl` functionality
- 1.3.0 Rename `RolesModel` and `IPub\Security\Models` to `RolesProvider` and `IPub\Security\Providers`
- 1.2.0 Rewrite `Security\Permission` to support resource inheritance & permissions assertions
- 1.1.0 Cloned library into `srigi/ipub-permissions`
- 1.0.1 Added roles inheritance

License
-------

New BSD License or the GNU General Public License (GPL) version 2 or 3, see [license.md](https://github.com/srigi/ipub-security/blob/master/license.md).
