A free and open-source book on ZF3 for beginners

17.2. Introduction to RBAC

ZF3 provides a special component named Zend\Permissions\Rbac which implements a container for roles and permissions.

To install the Zend\Permissions\Rbac component in your web application, type the following command:

php composer.phar require zendframework/zend-permissions-rbac

17.2.1. Roles and Permissions

A role is a group of users. For example, in a Blog application, there may be the following roles: Viewer, Author, Editor, and Administrator.

Table 17.1. Example roles in a Blog website
Role Name Description
Viewer Can read any post and can do nothing else.
Author Can view posts plus create a post, edit it and finally publish it.
Editor Can view posts plus edit and publish any post.
Administrator Can do anything a Viewer and Editor can do plus delete posts.

A user may be assigned a role or several roles at once. For example, user John may be a Viewer and Editor at the same time.

A role may inherit permissions from other roles. In other words, roles may be organized into an hierarchy when parent roles inherit permissions of child roles. For example, in our Blog application, Administrator role would inherit permissions from Editor role (see figure 17.1 below). This is because Administrator can do the same things as Editor plus delete posts. Editor and Author roles would inherit permissions from the Viewer role.

Figure 17.1 Role hierarchy in a Blog website Figure 17.1 Role hierarchy in a Blog website

A role may be assigned with several permissions. A permission is a single typical action in the system. Here are several examples of permissions in a Blog website:

Table 17.2. Example permissions in a Blog website
Permission Name Description
post.view View any post.
post.edit Edit any post.
post.own.edit Edit only owned posts.
post.publish Publish any post.
post.own.publish Publish only owned post.
post.delete Delete any post.

For example, the Viewer role would be assigned the post.view permission. The Editor role would be assigned the post.edit and post.publish permissions. The Author role would be assigned with the post.own.edit and post.own.publish permissions. And the role Administrator would be assigned with the post.delete permission.

17.2.2. RBAC Container

In ZF3, you can use the Rbac class living in Zend\Permissions\Rbac namespace as a simple container for your roles and permissions. With this container, you store your roles in memory organized in an hierarchy and assigned with permissions.

For example, let's create an Rbac container for the Blog application and fill it with roles and permissions:

use Zend\Permissions\Rbac\Rbac;

// Create Rbac container.
$rbac = new Rbac();

// The following is to tell Rbac to create some parent roles if not exist yet

// Create role hierarchy
$rbac->addRole('Viewer', ['Editor', 'Author']);
$rbac->addRole('Editor', ['Administrator']);

// Assign permissions to the Viewer role.

// Assign permissions to the Author role.

// Assign permissions to the Editor role.

// Assign permissions to the Administrator role.

As you can see, a role is added to the Rbac container with the help of the addRole() method. The addRole() method takes two arguments: the name of the role to be created, and the name(s) of its parent role(s). If the parent roles do not exist yet, they are created automatically (for that purpose we use the setCreateMissingRoles() method).

Permissions are assigned to the created role with the help of role's addPermission() method.

17.2.3. Checking Permissions

When you have an Rbac container set up, you can query if the role has certain permission with the isGranted() method, as follows:

// The following will return false, because the Viewer can't delete posts
$rbac->isGranted('Viewer', 'post.delete');

// The following will return true, because admins can delete posts
$rbac->isGranted('Administrator', 'post.delete');

The isGranted() method checks the role and its children and looks for the given permission. If it finds the permission, it returns true; otherwise false.