
tmaiaroto/li3\_access
=====================

A simple library for user access control.


Access control library for the Lithium framework.
=================================================


Installation
------------


Check out the code into either of your library directories:

```
cd libraries
git clone https://github.com/tmaiaroto/li3_access.git

```

Include the library in your `/app/config/bootstrap/libraries.php`:

```
Libraries::add('li3_access');

```

Usage
-----


You must configure the adapter you wish to use first, but once you have it configured it's fairly simple to use.

```
// Arguments: Access configuration name, the user data from Auth, then the request.
$access = Access::check('access_config_name', Auth::check('auth_config_name'), $this->request);
if(!empty($access)) {
	$this->redirect($access['redirect']);
}

```

If the request validates against your configuration, `Access::check()` returns an empty `array()`; otherwise it returns an array with two keys, `message` and `redirect`. Default values for both are built into the Access class, but you can override them by passing them as `$options` to any of the three adapters in this repository.

Configuration
-------------


In this repository there are three adapters. All three work in a slightly different way.

### Simple Adapter


The simple adapter is exactly what it says it is. Its check method only verifies that the data passed to it is not empty, so the configuration is trivial.

```
// Access::config() takes an array keyed by configuration name.
Access::config(array(
	'simple' => array('adapter' => 'Simple')
));

```

And that's it!

### Rules Adapter


This adapter effectively allows you to tell it how it should work. It comes with a few preconfigured rules by default but it's very simple to add your own. Its configuration is the same as the `Simple` adapter if you only want to use the built in methods.

```
// Access::config() takes an array keyed by configuration name.
Access::config(array(
	'rules' => array('adapter' => 'Rules')
));

```

Then, to deny all requests from the authenticated user:

```
$access = Access::check('rules', Auth::check('auth_config_name'), $this->request, array('rule' => 'denyAll'));
if(!empty($access)) {
	$this->redirect($access['redirect']);
}

```

There are four built-in rules: `allowAll`, `denyAll`, `allowAnyUser` and `allowIp`. For more information, see the adapter itself. However, this adapter is at its most useful when you add your own rules.

```
Access::adapter('custom_rule')->add(function($user, $request, $options) {
	// Your logic here. Just make sure it returns an array.
});

```

Then to use your new rule:

```
$access = Access::check('rules', Auth::check('auth_config_name'), $this->request, array('rule' => 'custom_rule'));

```

One more to go!

### AuthRbac Adapter


This is the most complex adapter in this repository at this time. It is used for role-based access control. You define a set of roles (or conditions) to match the request against. If the request matches your conditions, the adapter then checks whether the user is authenticated with the appropriate `\lithium\security\Auth` configurations to be granted access.

It's difficult to explain (I hope that's clear enough), so let's look at an example configuration to try to achieve some clarity:

```
$accountsEmpty = Accounts::count();

Access::config(array(
	'auth_rbac' => array(
		'adapter' => 'AuthRbac',
		'roles' => array(
			array(
				'resources' => '*',
				'match' => '*::*'
			),
			array(
				'message' => 'No panel for you!',
				'redirect' => array('library' => 'admin', 'Users::login'),
				'resources' => 'admin',
				'match' => array('library' => 'admin', '*::*')
			),
			array(
				'resources' => '*',
				'match' => array(
					'library' => 'admin', 'Users::login',
					function($request, &$options) {
						return !empty($request->data);
					}
				),
				'allow' => function($request, &$options) use ($accountsEmpty) {
					if ($accountsEmpty) {
						$options['message'] = 'No accounts exist yet!';
					}
					return $accountsEmpty;
				}
			),
			array(
				'resources' => '*',
				'match' => array('library' => 'admin', 'Users::logout')
			)
		)
	)
));

```

First we tell it which adapter to use:

```
'adapter' => 'AuthRbac',

```

Then we set the roles array. This array is required if you want to use this adapter. The roles are evaluated from top to bottom. So if a role at the bottom contradicts one closer to the top, the bottom will take precedence.

#### There are five possible options you can specify for a single role.


`'message'`

Overwrites the default message to display if the rule matches the request and is disallowed.

`'redirect'`

Overwrites the default redirect to use if the rule matches the request and is disallowed.

`'match'`

A rule used to match this role against the request object passed from the `check()` method. You may use a parameters array in which you explicitly set the parameter/value pairs, a shorthand syntax very similar to the one you use when generating URLs, or even a closure. If `match` is not set, the role will always deny access.

In the closure example configuration:

```
'match' => array(
	'library' => 'admin', 'Users::login',
	function($request, &$roleOptions) {
		return !empty($request->data);
	}
)

```

Not only must the library, controller and action match but the closure must return true. So this role will only apply to this request if all of the request params match and the request data is set.

`'resources'`

A string or an array of auth configuration keys that this rule applies to. The string `*` denotes everyone, even those who are not authenticated. A string of `admin` will validate anyone who can be authenticated against the user defined `admin` Auth configuration. An array of configuration keys does the same but you can apply it to multiple Auth configurations in one go.

Assuming we have an Auth configuration like so:

```
Auth::config(array(
	'user' => array(
		'adapter' => 'Form',
		'model' => 'User',
		'fields' => array('email' => 'email', 'password' => 'password'),
		'scope' => array('active' => true)
	),
	'editor' => array(
		'adapter' => 'Form',
		'model' => 'Editor',
		'fields' => array('email' => 'email', 'password' => 'password'),
		'scope' => array('active' => true, 'group' => 1)
	),
	'customer' => array(
		'adapter' => 'Form',
		'model' => 'Customer',
		'fields' => array('email' => 'email', 'password' => 'password'),
		'scope' => array('active' => true, 'group' => 2)
	)
));

```

Setting `'resources' => array('user', 'customer')` would apply the rule only to anyone who could authenticate as a user or customer. Setting `'resources' => '*'` would mean that this role is applied to all of these auth configurations as well as to people who are not authenticated.

`'allow'`

A boolean that, if set to false, forces a role that would have been granted access to deny access. Much like the `'match'` option, you can also pass a closure to this option. This way you can blacklist every resource and then whitelist resources manually. By passing a closure you can also deny access based upon the request.

Finally, because the closure receives `$request` and `$options`, it can modify their values at runtime, as the `allow` closure in the example configuration does with `$options['message']`.
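The top-to-bottom ordering rule and the `match`, `resources` and `allow` options described above, modeled as an added stand-alone example (not code from li3_access or its authors). The request arrays, the `$authed` list and the helper names `matches()` and `evaluate()` are assumptions made for this illustration.

```php
<?php
// Added illustration, not li3_access code (PHP 7.1+). Models only what the README
// states: roles run top to bottom and the last matching role decides.
// Assumptions: requests are plain arrays, $authed lists the Auth configurations the
// user passes, a match without 'library' fits any library, and a request that no
// role matches is denied. Closures in 'match'/'allow' are not modeled.

function matches(array $match, array $req): bool {
    // Shorthand 'Controller::action' sits at index 0; '*' is a wildcard.
    [$controller, $action] = explode('::', $match[0]);
    $want = ['library' => $match['library'] ?? '*',
             'controller' => $controller, 'action' => $action];
    foreach ($want as $key => $value) {
        if ($value !== '*' && $value !== $req[$key]) {
            return false;
        }
    }
    return true;
}

function evaluate(array $roles, array $req, array $authed): bool {
    $granted = false; // no role has matched yet
    foreach ($roles as $role) {
        if (!matches((array) $role['match'], $req)) {
            continue; // role does not apply to this request
        }
        $resources = (array) $role['resources'];
        $holds = in_array('*', $resources, true)
            || (bool) array_intersect($resources, $authed);
        $granted = $holds && ($role['allow'] ?? true); // overwrites earlier roles
    }
    return $granted;
}

$open  = ['resources' => '*', 'match' => '*::*'];
$admin = ['resources' => 'admin', 'match' => ['library' => 'admin', '*::*']];
$login = ['resources' => '*', 'match' => ['library' => 'admin', 'Users::login']];

// Constructed requests from an unauthenticated visitor ($authed is empty).
$panel = ['library' => 'admin', 'controller' => 'Posts', 'action' => 'delete'];
$form  = ['library' => 'admin', 'controller' => 'Users', 'action' => 'login'];

$orders = ['README order' => [$open, $admin, $login],
           'wildcard last' => [$admin, $login, $open]];
foreach ($orders as $label => $roles) {
    printf("%-13s panel=%s login=%s\n", $label,
        var_export(evaluate($roles, $panel, []), true),
        var_export(evaluate($roles, $form, []), true));
}
```

With the roles in the README's order, the unauthenticated request to the admin panel is denied while the login action stays reachable. With the same roles but the wildcard role moved last, that panel request is granted, which is why role order deserves review whenever a configuration changes.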

### Filters


The `Access::check()` method is filterable. You can apply the filters in the configuration like so:

```
Access::config(array(
	'rule_based' => array(
		'adapter' => 'Rules',
		'filters' => array(
			function($self, $params, $chain) {
				// Filter logic goes here
				return $chain->next($self, $params, $chain);
			}
		)
	)
));

```

Credits
-------


### Tom Maiaroto


The original author of this library.

Github: [tmaiaroto](https://github.com/tmaiaroto/li3_access)

Website: [Shift8 Creative](http://www.shift8creative.com)

### Weluse

Wrote the original Rbac adapter.

Github: [Marc Schwering](https://github.com/m4rcsch/li3_access) [weluse](https://github.com/weluse/li3_access)

Website: [Weluse](http://www.weluse.de)

### rich97

Modified the original Rbac adapter, added some tests and wrote this version of the documentation.

Github: [rich97](https://github.com/rich97/li3_access)

Website: [Enrich.it](http://www.enrich.it)

