Authorization

The Authorization plugin provides Role-Based Access Control (RBAC) for permission checking, determining whether a subject (user/role) can perform an action.

One adapter is available:

  • RbacAuthorizationService checks permissions against a configuration-based role-permission mapping.

Why Use It

Access control is essential for protecting resources. The Authorization plugin provides a declarative approach where permissions are defined per role in configuration, then checked via middleware or in code.

Usage

Permissions are defined in config/permissions.php:

<?php
// config/permissions.php: each role maps to the permissions it is granted.
// A role that is absent here, or a permission not listed, is not granted.
return [
    'admin' => ['book.create', 'book.update', 'book.delete', 'loan.view_all'],
    'user' => ['loan.view_own', 'loan.borrow'],
];

Permission format: resource.action (e.g., book.create).

Check permissions in code:

if ($this->authorizationService->can($subject, 'book.create')) {
    // Allowed
}

// Check multiple permissions
$this->authorizationService->canAny($subject, ['loan.view_all', 'loan.view_own']);
$this->authorizationService->canAll($subject, ['book.create', 'book.update']);

Protect routes with middleware:

$app->post('/books', [CreateBookController::class, 'create'])
    ->add(new RbacPermissionMiddleware($rbacService, $responseFactory, 'book.create'));

Testing

Authorization can be tested by constructing the service with test permission configurations or by mocking the interface.
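The following is an added illustration of the mechanism behind the usage and testing sections above, not the plugin's own RbacAuthorizationService: a minimal deny-by-default checker with the same can/canAny/canAll shape, constructed with a test permission configuration. It assumes the subject exposes a hypothetical getRoles(): array method and that canAll with an empty list grants nothing.

```php
<?php
// Added illustration (not the plugin's own code): a minimal deny-by-default RBAC
// checker with the same can/canAny/canAll shape as the documented service.
// Assumed: the subject exposes getRoles(): array; config layout matches config/permissions.php.
final class ExampleRbacService
{
    /** @var array<string, array<string, true>> role => set of granted permissions */
    private array $grants = [];

    public function __construct(array $rolePermissions)
    {
        foreach ($rolePermissions as $role => $permissions) {
            foreach ($permissions as $permission) {
                $this->grants[(string) $role][(string) $permission] = true;
            }
        }
    }

    // Deny by default: an unknown role or an unlisted permission yields false.
    public function can(object $subject, string $permission): bool
    {
        foreach ($subject->getRoles() as $role) {
            if (isset($this->grants[$role][$permission])) {
                return true;
            }
        }
        return false;
    }

    public function canAny(object $subject, array $permissions): bool
    {
        return array_filter($permissions, fn ($p) => $this->can($subject, $p)) !== [];
    }

    // Assumed: an empty requirement list grants nothing.
    public function canAll(object $subject, array $permissions): bool
    {
        return $permissions !== []
            && array_filter($permissions, fn ($p) => !$this->can($subject, $p)) === [];
    }
}

// Constructed test configuration mirroring the config/permissions.php example above.
$service = new ExampleRbacService([
    'admin' => ['book.create', 'book.update', 'book.delete', 'loan.view_all'],
    'user'  => ['loan.view_own', 'loan.borrow'],
]);
$user = new class { public function getRoles(): array { return ['user']; } };
assert(!$service->can($user, 'book.create'));
assert($service->canAny($user, ['loan.view_all', 'loan.view_own']));
assert(!$service->canAll($user, ['loan.borrow', 'book.update']));
```

The three assertions check the cases a unit test for the real service should cover: a permission the role lacks, an any-of list with one match, and an all-of list with one missing permission.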

See Also