Auth & ACL

Introduction

System’s architecture provides the users’ access to the resources control mechanisms based on RBAC (Role Based Access Control). The RBAC consists of:

Name Description
action Action is like an endpoint of route or activity which user can do or not
role Roles are the groups of users where the user belongs
acl ACL is a map of values of the boolean type determining the relation between action and role, determining whether the role may have authorization to execute the given action

The path of source code is src/core/src/components/acl/ and src/core/src/components/auth/.

Auth

Auth is a set of tools broadening Laravel’s base functionality Illuminate\Auth in order to provide user’s instance and the ascribed groups. The aim of this functionality is to provide measures and tools for efficient users’ access to resources control (ACL - Access Control List). The facade connected with ACL instance is:

Antares\Support\Facades\ACL

In order to use the facade in the application determine the class’ alias in the configuration:

'aliases' => [
    'ACL' => Antares\Support\Facades\ACL::class,
],
Roles

In order to create a new role:

$roleAdmin              = new \Antares\Model\Role();
$roleAdmin->name        = 'administrator';
$roleAdmin->area        = 'administrators';
$roleAdmin->full_name   = 'Administrator';
$roleAdmin->description = 'Manage administration privileges';
$roleAdmin->save();

//or create array method

$role      = new \Antares\Model\Role();
$roleAdmin = $role->create([
    'name'        => 'administrator',
    'area'        => 'administrators',
    'full_name'   => 'Administrator',
    'description' => 'Manage administration privileges'
]);

In order to create a new hierarchic role (having a superior role):

$role      = new \Antares\Model\Role();
$roleModerator = $role->create([
    'parent_id'=>$role->newQuery()->where('name','administrator')->firstOrFail()->id,
    'name'        => 'moderator',
    'area'        => 'administrators',
    'full_name'   => 'Moderator',
    'description' => 'Manage moderator privileges'
]);

In order to ascribe a role to a new user:

$user = user()->newInstance([
    'email'    => '[email protected]',
    'firstname' > 'Foo',
    'lastname' => 'Bar',
    'password' => 'FooBar'
]);
$user->save();
$user->roles()->sync([
    \Antares\Model\Role::members()->lists('id')->toArray()
]);

To change a role of the existing user:

$user  = user()->newQuery()->where('email', '[email protected]')->firstOrFail();
$roles = $user->roles->lists('id')->toArray();
$admin = \Antares\Model\Role::admin()->id;
$map   = array_merge($roles, (array) $admin);

$user->roles()->sync([
    $map
]);

Each of the system’s user is ascribed to a specific role (group) which is connected with particular authorizations. To download the list of available roles ascribed to a user:

$roles = Auth::roles();

or:

$roles = auth()->roles();

In order to check whether a user is ascribed to a role (roles):

if (Auth::is(['admin', 'editor'])) {
    echo "Is an admin and editor";
}

In order to check whether a user is ascribed to any of the given roles:

if (Auth::isAny(['admin', 'editor'])) {
    echo "Is a member or admin";
}

In order to check whether a user is not ascribed to the given roles:

if (Auth::isNot(['admin', 'editor'])) {
    echo "Isn't an admin and editor";
}

In order to check whether a user is not ascribed to any of the given roles:

if (Auth::isNotAny(['admin', 'editor'])) {
    echo "Isn't a member or admin";
}

ACL And Metrics

Owing to application’s modularity each module can decide independently about which resources (within module’s space) are accessible to the logged in user. More information about building the ACL migration files can be found here. Information about controllers’ (resources) action access verification can be found here. In order to download the ACL instance ascribed to a module:

$acl = ACL::make('antares/foo');

In order to verify whether a user has access to a resource:

$acl = ACL::make('antares/foo'); 
if (!$acl->can('foo-index')) {
     return redirect()->to(handles('antares::login'));
}