create-access-control
Access Control Generator
Creates access control infrastructure for RBAC/ABAC authorization patterns.
When to Use
| Scenario | Example |
|---|---|
| Role-based access | Admin, editor, viewer roles |
| Resource ownership | Users can only edit own resources |
| Attribute-based rules | Access based on resource state or user attributes |
| Complex authorization | Multiple voters with different strategies |
Component Characteristics
Permission
- Enum defining available permissions
- Hierarchical: parent permissions include children
- Type-safe, no magic strings
Role
- Value Object encapsulating role with permissions
- Supports role hierarchy (admin inherits editor permissions)
- Immutable, self-validating
VoterInterface
- Symfony-style voter contract
- Returns GRANT, DENY, or ABSTAIN
- Single responsibility: one voter per concern
AccessDecisionManager
- Aggregates multiple voters
- Strategies: affirmative (one grant), unanimous (all grant), consensus (majority grants)
- Configurable per security context
ResourceOwnerVoter
- Checks if authenticated user owns the resource
- Works with any entity implementing OwnableInterface
- Returns ABSTAIN for non-ownable resources
RoleVoter
- Checks if user has required role for the permission
- Supports role hierarchy traversal
- Returns ABSTAIN when permission not role-based
Generation Process
Step 1: Generate Core Components
Path: src/Infrastructure/Security/AccessControl/
- Permission.php — Permission enum
- Role.php — Role value object with hierarchy
- AccessSubject.php — Value object wrapping the authenticated user context
Step 2: Generate Voter System
Path: src/Infrastructure/Security/AccessControl/
- VoterInterface.php — Voter contract with GRANT/DENY/ABSTAIN
- Vote.php — Vote result enum
- AccessDecisionManager.php — Voter aggregation with strategies
- DecisionStrategy.php — Strategy enum (affirmative, unanimous, consensus)
Step 3: Generate Concrete Voters
Path: src/Infrastructure/Security/AccessControl/Voter/
- RoleVoter.php — Role hierarchy voter
- ResourceOwnerVoter.php — Resource ownership voter
Step 4: Generate Tests
- RoleTest.php — Role hierarchy tests
- AccessDecisionManagerTest.php — Strategy decision tests
- RoleVoterTest.php — Role voter tests
File Placement
| Component | Path |
|---|---|
| Core Classes | src/Infrastructure/Security/AccessControl/ |
| Voters | src/Infrastructure/Security/AccessControl/Voter/ |
| Unit Tests | tests/Unit/Infrastructure/Security/AccessControl/ |
Naming Conventions
| Component | Pattern | Example |
|---|---|---|
| Permission | Permission | Permission::Edit |
| Role | Role | Role |
| Voter Interface | VoterInterface | VoterInterface |
| Concrete Voter | {Context}Voter | RoleVoter |
| Decision Manager | AccessDecisionManager | AccessDecisionManager |
| Strategy Enum | DecisionStrategy | DecisionStrategy::Affirmative |
| Vote Enum | Vote | Vote::Grant |
| Test | {ClassName}Test | AccessDecisionManagerTest |
Quick Template Reference
Permission
```php
enum Permission: string
{
    case View = 'view';
    case Create = 'create';
    case Edit = 'edit';
    case Delete = 'delete';
    case Manage = 'manage';
}
```
VoterInterface
```php
interface VoterInterface
{
    public function vote(AccessSubject $subject, Permission $permission, mixed $resource = null): Vote;
}
```
AccessDecisionManager
```php
final readonly class AccessDecisionManager
{
    /** @param list<VoterInterface> $voters */
    public function __construct(
        private array $voters,
        private DecisionStrategy $strategy = DecisionStrategy::Affirmative
    ) {}

    public function isGranted(AccessSubject $subject, Permission $permission, mixed $resource = null): bool;
}
```
Usage Example
```php
$manager = new AccessDecisionManager(
    voters: [new RoleVoter(), new ResourceOwnerVoter()],
    strategy: DecisionStrategy::Affirmative
);

$subject = new AccessSubject(userId: $user->id(), roles: $user->roles());

if ($manager->isGranted($subject, Permission::Edit, $article)) {
    $article->update($data);
}
```
Decision Strategies
- Affirmative: ANY voter grants → GRANTED (default, most permissive)
- Consensus: MAJORITY grants → GRANTED (balanced)
- Unanimous: ALL voters grant → GRANTED (most restrictive)
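The following is an added, self-contained example (not the skill's generated templates, which live in references/templates.md) that wires the components and strategies described above into one runnable script. The class and method names follow the naming conventions on this page; the role names (ROLE_ADMIN, ROLE_EDITOR, ROLE_VIEWER), the permission-to-role mapping, the OwnableInterface shape and the Article class are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);
// Constructed example: names follow the skill's conventions, the bodies are assumptions.
enum Permission: string { case View = 'view'; case Edit = 'edit'; case Delete = 'delete'; case Manage = 'manage'; }
enum Vote { case Grant; case Deny; case Abstain; }
enum DecisionStrategy { case Affirmative; case Unanimous; case Consensus; }

final readonly class AccessSubject
{
    /** @param list<string> $roles */
    public function __construct(public string $userId, public array $roles) {}
}

interface OwnableInterface { public function ownerId(): string; }

interface VoterInterface
{
    public function vote(AccessSubject $subject, Permission $permission, mixed $resource = null): Vote;
}
// Role hierarchy (assumed): a parent role inherits every permission of its children.
final class RoleVoter implements VoterInterface
{
    private const HIERARCHY = ['ROLE_ADMIN' => ['ROLE_EDITOR'], 'ROLE_EDITOR' => ['ROLE_VIEWER'], 'ROLE_VIEWER' => []];
    private const REQUIRED_ROLE = ['view' => 'ROLE_VIEWER', 'edit' => 'ROLE_EDITOR', 'delete' => 'ROLE_EDITOR', 'manage' => 'ROLE_ADMIN'];

    public function vote(AccessSubject $subject, Permission $permission, mixed $resource = null): Vote
    {
        $required = self::REQUIRED_ROLE[$permission->value] ?? null;
        if ($required === null) { return Vote::Abstain; } // not role-based: leave it to other voters
        return $this->reaches($subject->roles, $required) ? Vote::Grant : Vote::Deny;
    }

    /** Depth-first walk from the subject's roles down the hierarchy; $seen guards against cycles. */
    private function reaches(array $roles, string $target): bool
    {
        $seen = [];
        $stack = $roles;
        while ($stack !== []) {
            $role = array_pop($stack);
            if ($role === $target) { return true; }
            if (isset($seen[$role])) { continue; }
            $seen[$role] = true;
            foreach (self::HIERARCHY[$role] ?? [] as $child) { $stack[] = $child; }
        }
        return false;
    }
}

final class ResourceOwnerVoter implements VoterInterface
{
    public function vote(AccessSubject $subject, Permission $permission, mixed $resource = null): Vote
    {
        if (!$resource instanceof OwnableInterface) { return Vote::Abstain; } // resource has no owner
        return $resource->ownerId() === $subject->userId ? Vote::Grant : Vote::Deny;
    }
}

final readonly class AccessDecisionManager
{
    /** @param list<VoterInterface> $voters */
    public function __construct(private array $voters, private DecisionStrategy $strategy = DecisionStrategy::Affirmative) {}
    public function isGranted(AccessSubject $subject, Permission $permission, mixed $resource = null): bool
    {
        $grants = 0; $denies = 0;
        foreach ($this->voters as $voter) {
            match ($voter->vote($subject, $permission, $resource)) {
                Vote::Grant => $grants++,
                Vote::Deny => $denies++,
                Vote::Abstain => null,
            };
        }
        // Abstentions are not counted; with no grant at all every strategy denies, so an empty voter list fails closed.
        return match ($this->strategy) {
            DecisionStrategy::Affirmative => $grants > 0,
            DecisionStrategy::Unanimous => $grants > 0 && $denies === 0,
            DecisionStrategy::Consensus => $grants > $denies, // ties deny
        };
    }
}
// Constructed scenario: an editor who wants to edit an article owned by someone else, and one of their own.
final readonly class Article implements OwnableInterface
{
    public function __construct(private string $owner) {}
    public function ownerId(): string { return $this->owner; }
}

$editor = new AccessSubject(userId: 'u1', roles: ['ROLE_EDITOR']);
$foreign = new Article(owner: 'u2');
$own = new Article(owner: 'u1');
$voters = [new RoleVoter(), new ResourceOwnerVoter()];
$affirmative = new AccessDecisionManager($voters);
$unanimous = new AccessDecisionManager($voters, DecisionStrategy::Unanimous);
var_dump($affirmative->isGranted($editor, Permission::Edit, $foreign));
var_dump($unanimous->isGranted($editor, Permission::Edit, $foreign));
var_dump($unanimous->isGranted($editor, Permission::Edit, $own));
```

Run with PHP 8.2 or newer (readonly classes). The three checks show why the strategy matters: under Affirmative the editor may edit the foreign article because the RoleVoter alone grants; under Unanimous the same request is refused because the ResourceOwnerVoter denies; and the editor's own article passes Unanimous because both voters grant. Note that a voter that cannot judge a request returns Abstain rather than Deny, which is what lets the ResourceOwnerVoter coexist with role-only permissions on non-ownable resources.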
Anti-patterns to Avoid
| Anti-pattern | Problem | Solution |
|---|---|---|
| String permissions | Typos, no IDE support | Use Permission enum |
| Inline auth checks | Scattered, unmaintainable | Centralize in voters |
| God voter | Single voter with all logic | One voter per concern |
| No ABSTAIN support | Voter must decide everything | ABSTAIN when not applicable |
| Flat roles | No inheritance, duplication | Role hierarchy |
| Missing resource check | Only role-based, no ownership | Add ResourceOwnerVoter |
References
For complete PHP templates and examples, see:
- references/templates.md — Permission, Role, VoterInterface, AccessDecisionManager, Voter templates
- references/examples.md — Authorization examples and tests