sapl/sapl-php

Composer install command:

composer require sapl/sapl-php

Package description

SAPL Policy Enforcement Point for PHP and Symfony. Streaming attribute-based access control against a SAPL Policy Decision Point over HTTP.

README

Policy-based authorization for PHP and Symfony. Write access control rules as external SAPL policy files and enforce them at runtime through attributes like #[PreEnforce] and #[PostEnforce]. Policies can be updated without code changes or redeployment.

How It Works

Your application marks controller actions or service methods with enforcement attributes. SAPL intercepts the call, sends an authorization subscription to the Policy Decision Point (PDP), and enforces the decision, including any obligations or advice the policy attaches.

use Sapl\Symfony\PreEnforce;

#[PreEnforce(action: 'read', resource: 'patient')]
public function getPatient(): array
{
    return ['name' => 'Jane Doe', 'ssn' => '123-45-6789'];
}

The matching SAPL policy, which grants the read to subjects holding the DOCTOR role:

policy "permit doctors to read patient data"
permit
  action == "read";
  "DOCTOR" in subject.roles

If the PDP permits, the method runs. If not, an AccessDeniedException is thrown. If the decision carries obligations (like access logging or field redaction), they are enforced automatically through registered constraint handlers.

The subject defaults to the authenticated user, and the action and resource to the class and method name. Any attribute field overrides the default, either as a literal or as a Symfony Expression evaluated against { subject, args, request }.
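To make the flow described above concrete, here is an added example that is not code from sapl/sapl-php (the library's internal API is not shown on this page). It models a policy enforcement point the way the paragraphs above describe one: a subscription of subject, action and resource goes to the PDP; only a PERMIT lets the call proceed; every obligation must be handled and succeed or the permit degrades to a denial; advice is best effort; a transformed resource in the decision replaces the method's return value. The MiniPep class, the local AccessDeniedException stand-in, the handler names, the role names and the in-process stub PDP closure that replaces the HTTP call are all assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Added example: a self-contained model of SAPL enforcement semantics, not sapl/sapl-php's own code.
// MiniPep, the handler names and the in-process stub PDP (standing in for the HTTP decide call) are assumed.
final class AccessDeniedException extends RuntimeException {}

final class MiniPep
{
    /** @var array<string, callable> */ private array $obligationHandlers = [];
    /** @var array<string, callable> */ private array $adviceHandlers = [];

    /** @param Closure(array): array $pdp maps a subscription {subject, action, resource, environment} to a decision */
    public function __construct(private readonly Closure $pdp) {}

    public function onObligation(string $type, callable $handler): void { $this->obligationHandlers[$type] = $handler; }
    public function onAdvice(string $type, callable $handler): void { $this->adviceHandlers[$type] = $handler; }

    /** #[PreEnforce]-style: decide before the method runs. */
    public function preEnforce(array $subject, string $action, string $resource, callable $method): mixed
    {
        $this->decide($subject, $action, $resource);
        return $method();
    }

    /** #[PostEnforce]-style: run the method, decide on its result, and let the PDP transform it. */
    public function postEnforce(array $subject, string $action, callable $method): mixed
    {
        $result = $method();
        $decision = $this->decide($subject, $action, $result);
        // A transformed resource in the decision replaces the return value before the caller sees it.
        return array_key_exists('resource', $decision) ? $decision['resource'] : $result;
    }

    private function decide(array $subject, string $action, mixed $resource): array
    {
        $subscription = ['subject' => $subject, 'action' => $action, 'resource' => $resource, 'environment' => null];
        $decision = ($this->pdp)($subscription);
        $verdict = $decision['decision'] ?? 'INDETERMINATE';
        // Fail closed: DENY, NOT_APPLICABLE, INDETERMINATE and malformed answers all deny.
        if ($verdict !== 'PERMIT') {
            throw new AccessDeniedException("PDP returned {$verdict}");
        }
        // Obligations are mandatory: an unhandled or failing one turns the PERMIT into a denial.
        foreach ($decision['obligations'] ?? [] as $obligation) {
            $handler = $this->obligationHandlers[$obligation['type'] ?? ''] ?? null;
            if ($handler === null) {
                throw new AccessDeniedException('No handler for obligation ' . json_encode($obligation));
            }
            try {
                $handler($obligation, $subscription);
            } catch (Throwable $e) {
                throw new AccessDeniedException('Obligation failed: ' . $e->getMessage(), 0, $e);
            }
        }
        // Advice is best effort: a missing or failing handler does not change the outcome.
        foreach ($decision['advice'] ?? [] as $advice) {
            $handler = $this->adviceHandlers[$advice['type'] ?? ''] ?? null;
            if ($handler !== null) {
                try { $handler($advice, $subscription); } catch (Throwable) { /* ignored by design */ }
            }
        }
        return $decision;
    }
}

// Constructed stub PDP mirroring the README policy: doctors read patient data under an audit
// obligation, nurses get a copy with the SSN redacted, auditors are permitted only under an
// obligation this PEP has no handler for, everyone else is denied.
$pdp = function (array $sub): array {
    $roles = $sub['subject']['roles'] ?? [];
    $has = fn (string $role): bool => in_array($role, $roles, true);
    return match (true) {
        $sub['action'] !== 'read' => ['decision' => 'DENY'],
        $has('DOCTOR')  => ['decision' => 'PERMIT', 'obligations' => [['type' => 'logAccess']]],
        $has('NURSE') && is_array($sub['resource']) => ['decision' => 'PERMIT', 'resource' => ['ssn' => '***'] + $sub['resource']],
        $has('AUDITOR') => ['decision' => 'PERMIT', 'obligations' => [['type' => 'exportAuditReport']]],
        default => ['decision' => 'DENY'],
    };
};

$pep = new MiniPep($pdp);
$pep->onObligation('logAccess', fn (array $o, array $s) => error_log("audit: {$s['subject']['name']} {$s['action']} patient"));
$getPatient = fn (): array => ['name' => 'Jane Doe', 'ssn' => '123-45-6789'];  // constructed sample record
$doctor  = ['name' => 'dr.smith',  'roles' => ['DOCTOR']];
$nurse   = ['name' => 'nurse.lee', 'roles' => ['NURSE']];
$auditor = ['name' => 'auditor',   'roles' => ['AUDITOR']];

print_r($pep->preEnforce($doctor, 'read', 'patient', $getPatient));  // PERMIT, obligation handled, full record
print_r($pep->postEnforce($nurse, 'read', $getPatient));             // PERMIT with transformed resource, SSN redacted
// Pre-enforcing the nurse offers only the resource name 'patient', so there is nothing to redact and the
// stub denies; the auditor's PERMIT carries an obligation nobody handles, so the PEP itself fails closed.
foreach ([[$nurse, 'nurse pre-enforce'], [$auditor, 'auditor']] as [$who, $label]) {
    try {
        $pep->preEnforce($who, 'read', 'patient', $getPatient);
    } catch (AccessDeniedException $e) {
        echo "{$label}: {$e->getMessage()}", PHP_EOL;
    }
}
```

The two points worth carrying over to a real deployment are the ones the stub makes visible: a PERMIT whose obligation the application cannot honour is worthless and must be treated as a denial, and pre- versus post-enforcement changes what the PDP can see, so a redaction policy only works where the actual return value is part of the subscription.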

What You Get

SAPL goes beyond simple permit/deny. Decisions can carry obligations that must be fulfilled, advice that should be attempted, and resource transformations that modify return values before they reach the caller. The library handles all of this transparently.

For streaming responses, #[StreamEnforce] maintains a live connection to the PDP, so access rights update in real time as policies, attributes, or the environment change. Its signalTransitions and pauseRapDuringSuspend flags express the suspend, drop, and pause behaviours. With transactional: true, a database write is rolled back when an obligation that runs after it fails.

Data-layer query rewriting narrows results in the database rather than after loading them into memory. A policy attaches a sql:queryRewriting or mongo:queryRewriting obligation, and the matching Doctrine filter rewrites the queries an enforced method issues. The rewrite is fail-closed (if it cannot be applied, the request is denied rather than run unfiltered) and narrowing-only (it can restrict the result set, never widen it). Sapl\Doctrine\Orm\SaplSqlFilter covers SQL databases through the Doctrine ORM and Sapl\Doctrine\Odm\SaplBsonFilter covers MongoDB through the Doctrine ODM. The obligation is portable: the same mongo:queryRewriting policy works unchanged across the Spring, Python, NestJS, and PHP MongoDB integrations.

Getting Started

Requires PHP 8.3+, Symfony 7.3+, and a SAPL PDP of version 4.1.0 or higher.

composer require sapl/sapl-php

Register the bundle and point it at your PDP:

# config/packages/sapl.yaml
sapl:
    pdp:
        base_url: '%env(SAPL_PDP_URL)%'
    transactional: false

The PEP talks to the PDP over HTTP. A development PDP that runs without authentication must only be reachable on loopback; production deployments enable TLS and configure authentication (an API key via token, or basic auth via username and secret).
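As an added example of the two deployment shapes this paragraph contrasts (not a fragment from the package's own documentation): the loopback-only development setting next to a production setting that uses TLS and an API key. base_url and transactional are the keys shown above; that token sits alongside base_url under sapl.pdp, the hostnames and the environment-variable names are assumptions made for the example. when@dev and when@prod are Symfony's standard environment-scoped configuration blocks.

```yaml
# config/packages/sapl.yaml
# Added example, not from the package docs. Assumed: `token` is a sibling of `base_url` under `sapl.pdp`.

# Development only: an unauthenticated PDP bound to loopback. Never point this at a remote host.
when@dev:
    sapl:
        pdp:
            base_url: 'http://127.0.0.1:8080'
        transactional: false

# Production: HTTPS endpoint and an API key injected from the environment, never committed to the repo.
when@prod:
    sapl:
        pdp:
            base_url: '%env(SAPL_PDP_URL)%'      # e.g. https://pdp.internal.example:8443 (assumed hostname)
            token: '%env(SAPL_PDP_TOKEN)%'
        transactional: true
```

Keeping the production values behind %env()% means the secret lives in the deployment's environment or secret store, and a misconfigured environment fails at container start instead of silently talking to the wrong PDP.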

License

Apache-2.0

Statistics

  • Total downloads: 0
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 0
  • Views: 1
  • Dependent packages: 0
  • Recommendations: 0

GitHub info

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • Language: PHP

Other information

  • License: Apache-2.0
  • Last updated: 2026-07-01
