Zend Role-Based Access Control
What is RBAC?
RBAC (Role-Based Access Control) is a system that restricts access based on a user's assigned role.
In RBAC, permissions are assigned to roles, and users are assigned to roles.
Key Concepts:
Term |
Description |
|---|---|
User |
A logged-in entity (e.g., admin, customer) |
Role |
A set of permissions (e.g., guest, user, admin) |
Permission |
A specific action or access (e.g., view_home, edit_user) |
1. Installation laminas-authentication
Install Laminas Authentication and its DB adapter, and understand the authentication flow first; only then will the link to permissions (RBAC) make sense.
2. Installation laminas-permissions-rbac
Zend provides an official component:
composer require laminas/laminas-permissions-rbac
3. User Table Example
Your users table should have a role column like:
id |
username |
password |
role |
|---|---|---|---|
1 |
john |
****** |
admin |
2 |
joe |
****** |
user |
3 |
guest1 |
****** |
guest |
4. Create RBAC Service Class (module/Application/src/Service/RbacService.php)
namespace Application\Service;
use Laminas\Permissions\Rbac\Rbac;
use Laminas\Permissions\Rbac\Role;
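/**
 * Builds the application's role hierarchy and answers permission checks.
 *
 * Hierarchy, most privileged first: admin > user > guest.
 *
 * laminas-permissions-rbac resolves permissions through *children*:
 * Role::hasPermission() is true when the role itself or any of its child
 * roles holds the permission. The more privileged role therefore has to be
 * the parent. The hierarchy is built explicitly with Role::addChild() below
 * rather than through the parent argument of Rbac::addRole(), whose direction
 * is easy to get backwards (a 'guest' parent of 'user' would be granted every
 * user and admin permission).
 */
class RbacService
{
    protected Rbac $rbac;

    public function __construct()
    {
        $this->rbac = new Rbac();

        $guest = new Role('guest');
        $user  = new Role('user');
        $admin = new Role('admin');

        // Each permission is attached to the role that introduces it ...
        $guest->addPermission('view_home');
        $user->addPermission('view_dashboard');
        $admin->addPermission('edit_user');
        $admin->addPermission('delete_user');

        // ... and flows upward: user is granted everything guest has, admin
        // everything user (and hence guest) has. guest has no children, so it
        // never sees the dashboard or user-management permissions.
        $user->addChild($guest);
        $admin->addChild($user);

        $this->rbac->addRole($guest);
        $this->rbac->addRole($user);
        $this->rbac->addRole($admin);
    }

    /**
     * Whether $role, directly or through one of its child roles, holds $permission.
     *
     * Unknown role names are denied instead of surfacing the exception that
     * Rbac::isGranted() raises for them, so a stray value in the users.role
     * column fails closed rather than producing an error page.
     */
    public function isGranted(string $role, string $permission): bool
    {
        if (! $this->rbac->hasRole($role)) {
            return false;
        }

        return $this->rbac->isGranted($role, $permission);
    }
}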
5. Register Service in (module\Application\config\module.config.php)
'service_manager' => [
    'factories' => [
        // RbacService has a no-argument constructor, so the generic invokable factory is enough.
        Application\Service\RbacService::class => Laminas\ServiceManager\Factory\InvokableFactory::class,
    ],
],
6. Using RBAC in Controller (module\Application\src\Controller\DashboardController.php)
namespace Application\Controller;
use Laminas\Mvc\Controller\AbstractActionController;
use Laminas\View\Model\ViewModel;
use Application\Service\RbacService;
use Laminas\Authentication\AuthenticationService;
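/**
 * Dashboard page, gated on the 'view_dashboard' permission of the visitor's role.
 */
class DashboardController extends AbstractActionController
{
    /** Least-privileged role; used for anonymous visitors and for identities without a role. */
    private const DEFAULT_ROLE = 'guest';

    protected RbacService $rbacService;
    protected AuthenticationService $auth;

    public function __construct(RbacService $rbacService, AuthenticationService $auth)
    {
        $this->rbacService = $rbacService;
        $this->auth = $auth;
    }

    /**
     * Renders the dashboard, or sends the visitor to the login route when
     * their role is not allowed to view it.
     */
    public function indexAction()
    {
        $role = $this->getUserRole();

        if (! $this->rbacService->isGranted($role, 'view_dashboard')) {
            return $this->redirect()->toRoute('login');
        }

        return new ViewModel(['role' => $role]);
    }

    /**
     * Resolves the role name that permission checks are made against.
     *
     * Anonymous visitors are 'guest'. An authenticated identity whose role
     * attribute is missing or empty is also treated as 'guest': falling back
     * to 'user' would silently grant dashboard access to any account row
     * without a role, so the fallback is the least privileged role instead.
     */
    protected function getUserRole(): string
    {
        if (! $this->auth->hasIdentity()) {
            return self::DEFAULT_ROLE;
        }

        $identity = $this->auth->getIdentity();

        // The identity is read as an object with a `role` property, as in the
        // original; an array-shaped identity (e.g. a plain row) is accepted too.
        $role = is_array($identity)
            ? ($identity['role'] ?? null)
            : ($identity->role ?? null);

        return is_string($role) && $role !== '' ? $role : self::DEFAULT_ROLE;
    }
}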
7. Register Controller Factory (module\Application\config\module.config.php)
use Application\Controller\DashboardController;
use Application\Service\RbacService;
use Laminas\Authentication\AuthenticationService;
'controllers' => [
    'factories' => [
        // Built by hand so that both collaborators are pulled from the container.
        DashboardController::class => static function ($container) {
            $rbac = $container->get(RbacService::class);
            $auth = $container->get(AuthenticationService::class);

            return new DashboardController($rbac, $auth);
        },
    ],
],
8. Define Routes
use Application\Controller\DashboardController;

// Literal route: an exact match on /dashboard dispatches to DashboardController::indexAction().
'router' => [
    'routes' => [
        'dashboard' => [
            'type' => 'Literal',
            'options' => [
                'route' => '/dashboard',
                'defaults' => [
                    'controller' => DashboardController::class,
                    'action' => 'index',
                ],
            ],
        ],
    ],
],
9. View (dashboard.phtml)
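<h2>Dashboard</h2>
<?php // Escape for the HTML context: the role name is data from the users table, not a code constant. ?>
<p>Welcome! You are logged in as <?= $this->escapeHtml($this->role) ?></p>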
Users, Roles, and Permissions
User |
Role |
Permissions |
|---|---|---|
guest1 |
Guest |
view_home |
joe |
User |
view_home,view_dashboard |
john |
Admin |
view_home,view_dashboard,edit_user,delete_user |