
    ACL extended implementation

    The ORM Backend ACL implementation is based on user group permissions and uses Laravel gates and policies. Users' membership in groups and the groups' permissions are stored in the database. A user's permissions to a given entity or record are calculated as the sum of the permissions of the groups to which that user belongs.

    Permission bitmask

    The following permissions are supported:

    // ormbackend.php
    'perms' => [
        'forbidden' => 1,
        'guest' => [
            'create' => 2,
            'read' => 4,
            'update' => 8,
            'delete' => 16,
        ],
        'entity' => [
            'create' => 32,
            'read' => 64,
            'update' => 128,
            'delete' => 256,
            'restore' => 512
        ],
        'record' => [
            'read' => 1024,
            'update' => 2048,
            'delete' => 4096,
            'restore' => 8192
        ]
    ]
    
    • forbidden The first bit of the permission mask denies access regardless of any other permissions. This is an easy way to ban a user: create a Blocked Users group with this permission set, and adding a user to that group denies them access to all data.
    • guest This set of permissions is designed specifically for visitors who are not logged in (guests).
    • entity These permissions determine whether the user can edit the entity's data regardless of who owns it. Typically these rights are given to administrators.
    • record These permissions determine the user's rights to the records that the user owns.

    Groups

    If you have ORM Backend installed and have run the seeders, the following groups are set up:

    • visitor Visitors who are not logged in. They have only the guest.read permission.
    • registered Registered users. Their permission bitmask is record.read | record.update | record.delete | record.restore.
    • admin Administrators. Their permission bitmask is entity.create | entity.read | entity.update | entity.delete | entity.restore.
    • dashboard Laravel Admin users. Membership in this group grants access to the control panel.

    The default permissions may not suit your needs; you can use the Laravel Admin panel as a GUI to manage them.

    Group permissions

    These are the default permissions; they are stored in the database directly in the Group entity. If no entity permissions are found for the given entity and group, the group's permissions are used.

    Entity permissions

    These permissions are stored in a separate database table. They define a group's rights to a given entity. If entity permissions are found for the given entity and group, the group's own permissions are ignored for that entity.
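    The resolution rules from the Permission bitmask, Groups, Group permissions and Entity permissions sections, worked through in PHP. This is an added example, not code from ORM Backend: the bit values and the visitor, registered and admin groups follow the page, while the blocked group, the invoices override, the lookup arrays and the helper names effectiveMask() and hasPerm() are constructed for the example.

```php
<?php
// Added example, not ORM Backend's own code. Resolves a user's effective permission
// bitmask from the groups they belong to, honouring entity-level overrides and the
// forbidden bit. Bit values follow ormbackend.php; the lookup arrays are sample data.

const PERMS = [
    'forbidden' => 1,
    'guest'  => ['create' => 2,  'read' => 4,    'update' => 8,    'delete' => 16],
    'entity' => ['create' => 32, 'read' => 64,   'update' => 128,  'delete' => 256, 'restore' => 512],
    'record' => ['read' => 1024, 'update' => 2048, 'delete' => 4096, 'restore' => 8192],
];

// Default group permissions (stored in the Group entity in the real project).
$groupPerms = [
    'visitor'    => PERMS['guest']['read'],
    'registered' => PERMS['record']['read'] | PERMS['record']['update']
                  | PERMS['record']['delete'] | PERMS['record']['restore'],
    'admin'      => PERMS['entity']['create'] | PERMS['entity']['read'] | PERMS['entity']['update']
                  | PERMS['entity']['delete'] | PERMS['entity']['restore'],
    'blocked'    => PERMS['forbidden'],   // hypothetical "Blocked Users" group
];

// Entity-level overrides keyed by [group][classUrlName] (a separate table in the real project).
// Constructed sample: registered users may not delete or restore their own invoices.
$entityPerms = [
    'registered' => ['invoices' => PERMS['record']['read'] | PERMS['record']['update']],
];

/**
 * Combine the masks of the user's groups into one effective mask for $classUrlName.
 * An entity-level override replaces that group's default entirely. Masks are combined
 * with bitwise OR: a bit granted by two groups stays one bit, whereas arithmetic
 * addition would carry into the next, unrelated permission bit.
 */
function effectiveMask(array $userGroups, string $classUrlName, array $groupPerms, array $entityPerms): int
{
    $mask = 0;
    foreach ($userGroups as $group) {
        $mask |= $entityPerms[$group][$classUrlName] ?? $groupPerms[$group] ?? 0;
    }
    return $mask;
}

/** True when $action (e.g. 'record.update') is granted and the forbidden bit is clear. */
function hasPerm(int $mask, string $action): bool
{
    if ($mask & PERMS['forbidden']) {
        return false;                      // deny wins regardless of the other bits
    }
    $parts = explode('.', $action, 2);
    if (count($parts) !== 2) {
        return false;                      // 'forbidden' is not a grantable action
    }
    [$scope, $verb] = $parts;
    $bit = PERMS[$scope][$verb] ?? null;
    return $bit !== null && ($mask & $bit) === $bit;
}

$mask = effectiveMask(['registered'], 'posts', $groupPerms, $entityPerms);
var_dump(hasPerm($mask, 'record.delete'));   // bool(true): group default applies to posts

$mask = effectiveMask(['registered'], 'invoices', $groupPerms, $entityPerms);
var_dump(hasPerm($mask, 'record.delete'));   // bool(false): the entity override drops delete

$mask = effectiveMask(['registered', 'admin', 'blocked'], 'posts', $groupPerms, $entityPerms);
var_dump(hasPerm($mask, 'entity.read'));     // bool(false): the blocked group's forbidden bit wins
```

    Two points worth checking in any implementation of these rules: the override lookup must distinguish "no entity permission row" (fall back to the group default) from "entity permission of 0" (deny everything for that entity), which is why the example uses the null-coalescing operator rather than a truthiness test; and the forbidden bit must be tested before any grant is evaluated, otherwise a second group's grants would silently override the ban.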

    Your own implementation

    ORM Backend provides the OrmBackend\ACL\AccessControl interface. In the exceptional cases where the out-of-the-box implementation does not cover your needs, you can provide your own implementation of it.

    namespace OrmBackend\ACL;

    interface AccessControl
    {
        /**
         * Is the current user a super administrator or not?
         *
         * @param mixed $userId
         * @return bool
         */
        public function isSuperAdmin($userId = null) : bool;
        
        /**
         * If a guest or the current user is allowed to create a record of the given entity,
         * this method should return true, false otherwise.
         * 
         * @param Entity|null $user null for a guest
         * @param string $classUrlName
         * @return bool
         */
        public function isAnyCreatingAllowed(?Entity $user, string $classUrlName) : bool;
        
        /**
         * If a guest or the current user is allowed to read any record of the given entity,
         * this method should return true, false otherwise.
         * 
         * @param Entity|null $user null for a guest
         * @param string $classUrlName
         * @return bool
         */
        public function isAnyReadingAllowed(?Entity $user, string $classUrlName) : bool;
        
        /**
         * If a guest or the current user is allowed to update any record of the given entity,
         * this method should return true, false otherwise.
         * 
         * @param Entity|null $user null for a guest
         * @param string $classUrlName
         * @return bool
         */
        public function isAnyUpdatingAllowed(?Entity $user, string $classUrlName) : bool;
        
        /**
         * If a guest or the current user is allowed to delete any record of the given entity,
         * this method should return true, false otherwise.
         * 
         * @param Entity|null $user null for a guest
         * @param string $classUrlName
         * @return bool
         */
        public function isAnyDeletingAllowed(?Entity $user, string $classUrlName) : bool;
        
        /**
         * If a guest or the current user is allowed to restore any record of the given entity,
         * this method should return true, false otherwise.
         * 
         * @param Entity|null $user null for a guest
         * @param string $classUrlName
         * @return bool
         */
        public function isAnyRestoringAllowed(?Entity $user, string $classUrlName) : bool;
        
        /**
         * Can the current user or a guest read the given object or not?
         * 
         * @param Entity|null $user null for a guest
         * @param Entity $entity
         * @return bool
         */
        public function isReadingAllowed(?Entity $user, Entity $entity) : bool;
        
        /**
         * Can the current user or a guest update the given object or not?
         * 
         * @param Entity|null $user null for a guest
         * @param Entity $entity
         * @return bool
         */
        public function isUpdatingAllowed(?Entity $user, Entity $entity) : bool;
        
        /**
         * Can the current user or a guest delete the given object or not?
         * 
         * @param Entity|null $user null for a guest
         * @param Entity $entity
         * @return bool
         */
        public function isDeletingAllowed(?Entity $user, Entity $entity) : bool;
        
        /**
         * Can the current user or a guest restore the given object or not?
         * 
         * @param Entity|null $user null for a guest
         * @param Entity $entity
         * @return bool
         */
        public function isRestoringAllowed(?Entity $user, Entity $entity) : bool;
        
        /**
         * If not all objects of the given entity are readable by the current user or guest,
         * the method should add a filter to the parameters array and return it.
         * 
         * @param string $class
         * @param array $parameters
         * @param string|null $alias
         * @return array
         */
        public function addRecordsFilter(string $class, array $parameters = [], ?string $alias = null) : array;
    }
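    A minimal custom implementation of this contract, added here as an example rather than taken from ORM Backend. It takes the caller's effective bitmask from an injected callable, so group resolution stays outside the class, and applies the scope rules from the Permission bitmask section: guest.* bits for anonymous callers, entity.* bits regardless of ownership, record.* bits only for the record's owner, and the forbidden bit denying everything. The Entity stand-in, the BitmaskAccessControl class name, the $masks and $superAdmins constructor arguments, the owner_id column and the where-clause shape returned by addRecordsFilter are all assumptions made for the example (PHP 8.1+); in the project the class would declare implements OrmBackend\ACL\AccessControl against the project's own Entity type and be bound in Laravel's service container.

```php
<?php
// Added example, not ORM Backend's own code: a bitmask-based implementation of the
// AccessControl contract. The Entity stand-in, the injected $masks callable, the
// $superAdmins list and the filter shape are assumptions made for this example.
namespace Example;

// Stand-in for the project's Entity type, constructed for this example.
final class Entity
{
    public function __construct(
        public readonly int $id,
        public readonly string $classUrlName,
        public readonly ?int $ownerId = null,   // null for records without an owner (e.g. users)
    ) {}
}

final class BitmaskAccessControl   // in the project: implements OrmBackend\ACL\AccessControl
{
    private const FORBIDDEN = 1;   // bit values from ormbackend.php
    private const GUEST  = ['create' => 2,  'read' => 4,    'update' => 8,    'delete' => 16];
    private const ENTITY = ['create' => 32, 'read' => 64,   'update' => 128,  'delete' => 256, 'restore' => 512];
    private const RECORD = ['read' => 1024, 'update' => 2048, 'delete' => 4096, 'restore' => 8192];

    /**
     * @param callable(?Entity, string): int $masks  returns the caller's effective mask for an entity class
     * @param int[] $superAdmins                      user ids that count as super administrators
     */
    public function __construct(private $masks, private array $superAdmins = []) {}

    public function isSuperAdmin($userId = null): bool
    {
        return $userId !== null && in_array($userId, $this->superAdmins, true);
    }

    /** Entity-wide verbs: guest.* bits for anonymous callers, entity.* bits for authenticated ones. */
    private function any(?Entity $user, string $class, string $verb): bool
    {
        $mask = ($this->masks)($user, $class);
        if ($mask & self::FORBIDDEN) {
            return false;                                   // explicit deny wins over every grant
        }
        $bit = $user === null ? (self::GUEST[$verb] ?? null) : (self::ENTITY[$verb] ?? null);
        return $bit !== null && ($mask & $bit) === $bit;
    }

    /** Per-record verbs: an entity.* bit grants regardless of owner; a record.* bit only to the owner. */
    private function own(?Entity $user, Entity $record, string $verb): bool
    {
        if ($this->any($user, $record->classUrlName, $verb)) {
            return true;
        }
        if ($user === null || $record->ownerId !== $user->id) {
            return false;                                   // record.* never applies to non-owners
        }
        $mask = ($this->masks)($user, $record->classUrlName);
        $bit  = self::RECORD[$verb] ?? null;
        return !($mask & self::FORBIDDEN) && $bit !== null && ($mask & $bit) === $bit;
    }

    public function isAnyCreatingAllowed(?Entity $user, string $c): bool  { return $this->any($user, $c, 'create'); }
    public function isAnyReadingAllowed(?Entity $user, string $c): bool   { return $this->any($user, $c, 'read'); }
    public function isAnyUpdatingAllowed(?Entity $user, string $c): bool  { return $this->any($user, $c, 'update'); }
    public function isAnyDeletingAllowed(?Entity $user, string $c): bool  { return $this->any($user, $c, 'delete'); }
    public function isAnyRestoringAllowed(?Entity $user, string $c): bool { return $this->any($user, $c, 'restore'); }
    public function isReadingAllowed(?Entity $user, Entity $e): bool      { return $this->own($user, $e, 'read'); }
    public function isUpdatingAllowed(?Entity $user, Entity $e): bool     { return $this->own($user, $e, 'update'); }
    public function isDeletingAllowed(?Entity $user, Entity $e): bool     { return $this->own($user, $e, 'delete'); }
    public function isRestoringAllowed(?Entity $user, Entity $e): bool    { return $this->own($user, $e, 'restore'); }

    /** Assumed filter shape: restrict the listing to the caller's own rows unless entity.read is held. */
    public function addRecordsFilter(string $class, array $parameters = [], ?string $alias = null): array
    {
        $user = $parameters['user'] ?? null;               // assumption: the caller passes the user here
        if (!$this->any($user, $class, 'read')) {
            $column = ($alias !== null ? $alias . '.' : '') . 'owner_id';
            $parameters['where'][] = [$column, '=', $user?->id ?? -1];   // guests match no row
        }
        return $parameters;
    }
}

// Demo with a constant resolver: guests get guest.read, users get all record.* bits and nothing else.
$resolver = fn(?Entity $u, string $c): int => $u === null ? 4 : (1024 | 2048 | 4096 | 8192);
$acl   = new BitmaskAccessControl($resolver, superAdmins: [1]);
$alice = new Entity(id: 7, classUrlName: 'users');
$own   = new Entity(id: 1, classUrlName: 'posts', ownerId: 7);
$other = new Entity(id: 2, classUrlName: 'posts', ownerId: 9);
var_dump($acl->isUpdatingAllowed($alice, $own));        // bool(true): owner holds record.update
var_dump($acl->isUpdatingAllowed($alice, $other));      // bool(false): not the owner, no entity.update
var_dump($acl->isAnyUpdatingAllowed($alice, 'posts'));  // bool(false): no entity.update bit
var_dump($acl->isReadingAllowed(null, $other));         // bool(true): guest.read covers every record
var_dump($acl->addRecordsFilter('posts', ['user' => $alice], 'p')['where']);  // [['p.owner_id', '=', 7]]
```

    The design point to keep when adapting this: the per-record methods and addRecordsFilter must agree with each other. If isReadingAllowed() would deny a record, the filter returned for a listing of that entity has to exclude the same record, otherwise a collection endpoint leaks rows that the single-record endpoint correctly refuses.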