
RBAC Permissions

Phexium implements Role-Based Access Control (RBAC) through the Authorization plugin: each role is granted a list of named permissions, and a request or action is allowed only when the subject's role holds the permission it requires.

Permission Configuration

Define the role-to-permission map in config/permissions.php (keys are role names, values are the permissions each role holds):

return [
    'admin' => ['book.create', 'book.update', 'book.delete', 'loan.view_all'],
    'user' => ['loan.view_own', 'loan.borrow'],
];

Naming Convention

Permission format: resource.action

  • book.create - Create books
  • loan.view_all - View all loans (admin)
  • loan.view_own - View own loans (user)
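As an added example (not Phexium's Authorization plugin; the class and method names are assumptions, PHP 7.4+), the following loads a role-to-permission map of the shape shown above, enforces the resource.action convention at load time so a misspelled permission fails loudly instead of silently never matching, and answers lookups with default deny, including for a subject that holds several roles:

```php
<?php
// Added example, not Phexium's Authorization plugin. PermissionMap and its
// methods are hypothetical names used for illustration only.
declare(strict_types=1);

final class PermissionMap
{
    /** @var array<string, array<string, true>> role => set of permissions */
    private array $byRole = [];

    /** @param array<string, list<string>> $config the array returned by config/permissions.php */
    public function __construct(array $config)
    {
        foreach ($config as $role => $permissions) {
            foreach ($permissions as $permission) {
                // Enforce resource.action at load time: a typo such as 'bookdelete'
                // would otherwise never match and the role would silently lack it.
                if (!preg_match('/^[a-z][a-z0-9_]*\.[a-z][a-z0-9_]*$/', $permission)) {
                    throw new InvalidArgumentException(
                        sprintf('Malformed permission "%s" for role "%s"', $permission, $role)
                    );
                }
                $this->byRole[$role][$permission] = true;
            }
        }
    }

    /** Default deny: an unknown role or an unlisted permission both return false. */
    public function roleCan(string $role, string $permission): bool
    {
        return isset($this->byRole[$role][$permission]);
    }

    /**
     * A subject holding several roles is allowed when any one of them holds
     * the permission; nothing is inferred from related names, so loan.view_own
     * never implies loan.view_all.
     *
     * @param list<string> $roles
     */
    public function can(array $roles, string $permission): bool
    {
        foreach ($roles as $role) {
            if ($this->roleCan($role, $permission)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample config, identical in shape to config/permissions.php.
$map = new PermissionMap([
    'admin' => ['book.create', 'book.update', 'book.delete', 'loan.view_all'],
    'user'  => ['loan.view_own', 'loan.borrow'],
]);

var_dump($map->can(['admin'], 'book.delete'));   // admin role
var_dump($map->can(['user'], 'book.delete'));    // user role lacks the permission
var_dump($map->can(['user'], 'loan.view_all'));  // view_own is not view_all
var_dump($map->can(['guest'], 'loan.borrow'));   // role not in the map at all
var_dump($map->can(['user', 'admin'], 'loan.view_all'));  // several roles
```

Validating the permission names when the map is built, rather than at each check, means a bad entry in config/permissions.php breaks at application start instead of surfacing as an unexplained 403 in production.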

Route Protection

Apply the RBAC middleware to routes; the demo application does this in config/demo/routes.php:

// Obtain the middleware factory from the container
$rbac = $app->getContainer()->get(RbacMiddlewareFactory::class);

// Single route: only subjects holding book.delete reach the controller
$app->post('/books/{id}/delete', [DeleteBookController::class, 'deleteBook'])
    ->add($rbac->forPermission('book.delete'));

// Route group: the middleware applies to every route in the group,
// so both the form and its submission require book.create
$app->group('/books', function (RouteCollectorProxy $group): void {
    $group->get('/create', [CreateBookController::class, 'showCreateForm']);
    $group->post('/create', [CreateBookController::class, 'createBook']);
})->add($rbac->forPermission('book.create'));

Checking Permissions in Code

// Subject-level check inside a handler; throwing UnauthorizedAccessException
// denies the action even when the route middleware was not applied or was bypassed
if (!$this->authorization->can($userSubject, 'book.delete')) {
    throw UnauthorizedAccessException::forPermission('book.delete');
}

Checking Permissions in Templates

{% if can('book.delete') %}
    <button type="submit">Delete Book</button>
{% endif %}

Hiding a control in the template is a usability measure, not a security boundary: anyone can submit the request directly, so the route middleware or the handler check must still enforce the permission.

Best Practices

  • Define permissions at the most specific level the application needs (loan.view_own rather than a single loan.view), so a role is never granted more than it uses
  • Check permissions at both route and handler level: the route middleware rejects requests early, and the handler check still holds if a route is registered without the middleware or the handler is reached another way
  • Log authorization failures, including the subject, the permission and the route, so that probing for unprotected actions is visible in security audits
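The second and third practices together, as an added example that is not Phexium's Authorization plugin, middleware or exception classes (the Authorization interface, its can() signature and the class names are assumptions; PHP 8.0+): a handler that re-checks the permission behind the route middleware, wrapped in a decorator that records every denied decision while keeping subject-controlled values out of the log's line structure:

```php
<?php
// Added example, not Phexium's own code. Interface, class and method names
// are hypothetical; the real plugin's can() takes a subject object instead.
declare(strict_types=1);

interface Authorization
{
    /** @param list<string> $roles roles held by the subject making the request */
    public function can(string $subjectId, array $roles, string $permission): bool;
}

/** Records denials, then returns the wrapped decision unchanged. */
final class LoggingAuthorization implements Authorization
{
    /** @var list<string> captured audit lines; a real app would hand these to a PSR-3 logger */
    public array $audit = [];

    public function __construct(private Authorization $inner) {}

    public function can(string $subjectId, array $roles, string $permission): bool
    {
        $allowed = $this->inner->can($subjectId, $roles, $permission);
        if (!$allowed) {
            // Strip CR/LF from values the subject may influence so a crafted
            // identifier cannot inject a forged line into the audit log.
            $clean = fn(string $v): string => str_replace(["\r", "\n"], ' ', $v);
            $this->audit[] = sprintf(
                'authz_denied subject=%s roles=%s permission=%s',
                $clean($subjectId),
                $clean(implode(',', $roles)),
                $permission
            );
        }
        return $allowed;
    }
}

/** Handler-level check: defence in depth behind the route middleware. */
final class DeleteBookHandler
{
    public function __construct(private Authorization $authorization) {}

    /** Returns the HTTP status the caller should send. */
    public function handle(string $subjectId, array $roles, int $bookId): int
    {
        if (!$this->authorization->can($subjectId, $roles, 'book.delete')) {
            return 403; // the real app would throw UnauthorizedAccessException here
        }
        // ... perform the deletion of $bookId ...
        return 204;
    }
}

// Constructed sample: a stub decision source using the same role map as config/permissions.php.
$roleMap = [
    'admin' => ['book.create', 'book.update', 'book.delete', 'loan.view_all'],
    'user'  => ['loan.view_own', 'loan.borrow'],
];
$stub = new class($roleMap) implements Authorization {
    public function __construct(private array $map) {}

    public function can(string $subjectId, array $roles, string $permission): bool
    {
        foreach ($roles as $role) {
            if (in_array($permission, $this->map[$role] ?? [], true)) {
                return true;
            }
        }
        return false;
    }
};

$authz   = new LoggingAuthorization($stub);
$handler = new DeleteBookHandler($authz);

$handler->handle('alice', ['admin'], 42);           // admin request
$handler->handle("mallory\nfake entry", ['user'], 42); // user request with a crafted subject id
print_r($authz->audit);
```

Wrapping the decision source rather than adding log calls to each handler means every denial is recorded in one format regardless of which route or handler asked, and the handler's own check costs one method call even when the route middleware has already allowed the request.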

See Also