A free and open-source book on ZF3 for beginners


17.2. Introduction to RBAC

ZF3 provides a special component named Zend\Permissions\Rbac which implements a container for roles and permissions.

To install the Zend\Permissions\Rbac component in your web application, type the following command:

php composer.phar require zendframework/zend-permissions-rbac

17.2.1. Roles and Permissions

A role is a group of users. For example, in a Blog application, there may be the following roles: Viewer, Author, Editor, and Administrator.

Table 17.1. Example roles in a Blog website

| Role Name     | Description |
|---------------|-------------|
| Viewer        | Can read any post and can do nothing else. |
| Author        | Can view posts plus create a post, edit it and finally publish it. |
| Editor        | Can view posts plus edit and publish any post. |
| Administrator | Can do anything a Viewer and Editor can do plus delete posts. |

A user may be assigned a role or several roles at once. For example, user John may be a Viewer and Editor at the same time.

A role may inherit permissions from other roles. In other words, roles may be organized into a hierarchy in which parent roles inherit the permissions of their child roles. For example, in our Blog application, the Administrator role would inherit permissions from the Editor role (see figure 17.1 below), because an Administrator can do the same things as an Editor plus delete posts. The Editor and Author roles would inherit permissions from the Viewer role.

Figure 17.1 Role hierarchy in a Blog website

A role may be assigned several permissions. A permission is a single typical action in the system. Here are several examples of permissions in a Blog website:

Table 17.2. Example permissions in a Blog website

| Permission Name  | Description |
|------------------|-------------|
| post.view        | View any post. |
| post.edit        | Edit any post. |
| post.own.edit    | Edit only owned posts. |
| post.publish     | Publish any post. |
| post.own.publish | Publish only owned posts. |
| post.delete      | Delete any post. |

For example, the Viewer role would be assigned the post.view permission. The Editor role would be assigned the post.edit and post.publish permissions. The Author role would be assigned the post.own.edit and post.own.publish permissions. And the Administrator role would be assigned the post.delete permission.

17.2.2. RBAC Container

In ZF3, you can use the Rbac class living in the Zend\Permissions\Rbac namespace as a simple container for your roles and permissions. With this container, you store your roles in memory, organized in a hierarchy and with permissions assigned to them.

For example, let's create an Rbac container for the Blog application and fill it with roles and permissions:

use Zend\Permissions\Rbac\Rbac;

// Create the Rbac container.
$rbac = new Rbac();

// Allow addRole() to create a parent role automatically if it has not been added yet.
$rbac->setCreateMissingRoles(true);

// Create the role hierarchy, parents before children. Each role name is passed
// to addRole() exactly once: passing the same name again would create a second
// Role object with that name instead of reusing the existing one, and the
// inheritance described above would silently break.
$rbac->addRole('Administrator');
$rbac->addRole('Editor', ['Administrator']);
$rbac->addRole('Author');
$rbac->addRole('Viewer', ['Editor', 'Author']);

// Assign permissions to the Viewer role.
$rbac->getRole('Viewer')->addPermission('post.view');

// Assign permissions to the Author role.
$rbac->getRole('Author')->addPermission('post.own.edit');
$rbac->getRole('Author')->addPermission('post.own.publish');

// Assign permissions to the Editor role.
$rbac->getRole('Editor')->addPermission('post.edit');
$rbac->getRole('Editor')->addPermission('post.publish');

// Assign permissions to the Administrator role.
$rbac->getRole('Administrator')->addPermission('post.delete');

As you can see, a role is added to the Rbac container with the help of the addRole() method. The addRole() method takes two arguments: the name of the role to be created, and the name(s) of its parent role(s). If a parent role does not exist yet, it is created automatically, provided setCreateMissingRoles(true) has been called on the container.

Permissions are assigned to the created role with the help of the role's addPermission() method.

17.2.3. Checking Permissions

When you have an Rbac container set up, you can query whether a role has a certain permission with the isGranted() method, as follows:

// The following will return false, because the Viewer can't delete posts
$rbac->isGranted('Viewer', 'post.delete');

// The following will return true, because admins can delete posts
$rbac->isGranted('Administrator', 'post.delete');

The isGranted() method checks the role and its children for the given permission. If it finds the permission, it returns true; otherwise it returns false.
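As an added example that is not part of the book, the following shows how the per-role isGranted() check is applied to a user who holds several roles at once, as John does above, and how a role name the container does not know is denied instead of being allowed to escape as an exception. It assumes the Composer autoloader at vendor/autoload.php and PHP 7; buildBlogRbac() and userCan() are helper names chosen here, not part of the component.

```php
<?php
// Added example, not from the book. Assumes the Composer autoloader path
// below and PHP 7 (scalar type hints).
require 'vendor/autoload.php';
use Zend\Permissions\Rbac\Exception\InvalidArgumentException;
use Zend\Permissions\Rbac\Rbac;

// Build the Blog container from section 17.2.2, parents before children.
function buildBlogRbac(): Rbac
{
    $rbac = new Rbac();
    $rbac->addRole('Administrator');
    $rbac->addRole('Editor', ['Administrator']);
    $rbac->addRole('Author');
    $rbac->addRole('Viewer', ['Editor', 'Author']);

    $rbac->getRole('Viewer')->addPermission('post.view');
    $rbac->getRole('Author')->addPermission('post.own.edit');
    $rbac->getRole('Author')->addPermission('post.own.publish');
    $rbac->getRole('Editor')->addPermission('post.edit');
    $rbac->getRole('Editor')->addPermission('post.publish');
    $rbac->getRole('Administrator')->addPermission('post.delete');

    return $rbac;
}

// isGranted() answers for a single role; a user may hold several, so grant
// if any of them grants the permission. A role name the container does not
// know makes getRole() throw: treat it as "no access" (fail closed).
function userCan(Rbac $rbac, array $userRoles, string $permission): bool
{
    foreach ($userRoles as $role) {
        try {
            if ($rbac->isGranted($role, $permission)) {
                return true;
            }
        } catch (InvalidArgumentException $e) {
            // Unknown role: deny for this role, keep checking the others.
        }
    }
    return false;
}

$rbac = buildBlogRbac();
$john = ['Viewer', 'Editor'];   // constructed user, the roles named in the text
var_dump(userCan($rbac, $john, 'post.publish'));          // John's Editor role
var_dump(userCan($rbac, $john, 'post.delete'));           // needs Administrator
var_dump(userCan($rbac, ['Administrator'], 'post.view')); // inherited Editor -> Viewer
var_dump(userCan($rbac, ['Guest'], 'post.view'));         // role unknown to the container
```

The post.own.* permissions only say that the Author role may act on its own posts; whether a particular post belongs to the current user is a per-request check the container does not make, so it has to be performed alongside userCan().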
