Generates Access Control components for PHP 8.4. Creates RBAC/ABAC components with PermissionInterface, RoleInterface, VoterInterface, AccessDecisionManager. Includes unit tests.
From acc

`npx claudepluginhub dykyi-roman/awesome-claude-code --plugin acc`

This skill uses the workspace's default tool permissions.

Creates access control infrastructure for RBAC/ABAC authorization patterns.

| Scenario | Example |
|---|---|
| Role-based access | Admin, editor, viewer roles |
| Resource ownership | Users can only edit own resources |
| Attribute-based rules | Access based on resource state or user attributes |
| Complex authorization | Multiple voters with different strategies |

Path: src/Infrastructure/Security/AccessControl/

- Permission.php — Permission enum
- Role.php — Role value object with hierarchy
- AccessSubject.php — Value object wrapping the authenticated user context

Path: src/Infrastructure/Security/AccessControl/

- VoterInterface.php — Voter contract with GRANT/DENY/ABSTAIN
- Vote.php — Vote result enum
- AccessDecisionManager.php — Voter aggregation with strategies
- DecisionStrategy.php — Strategy enum (affirmative, unanimous, consensus)

Path: src/Infrastructure/Security/AccessControl/Voter/

- RoleVoter.php — Role hierarchy voter
- ResourceOwnerVoter.php — Resource ownership voter

Tests:

- RoleTest.php — Role hierarchy tests
- AccessDecisionManagerTest.php — Strategy decision tests
- RoleVoterTest.php — Role voter tests

| Component | Path |
|---|---|
| Core Classes | src/Infrastructure/Security/AccessControl/ |
| Voters | src/Infrastructure/Security/AccessControl/Voter/ |
| Unit Tests | tests/Unit/Infrastructure/Security/AccessControl/ |

| Component | Pattern | Example |
|---|---|---|
| Permission | Permission | Permission::Edit |
| Role | Role | Role |
| Voter Interface | VoterInterface | VoterInterface |
| Concrete Voter | {Context}Voter | RoleVoter |
| Decision Manager | AccessDecisionManager | AccessDecisionManager |
| Strategy Enum | DecisionStrategy | DecisionStrategy::Affirmative |
| Vote Enum | Vote | Vote::Grant |
| Test | {ClassName}Test | AccessDecisionManagerTest |

```php
// String-backed enum: permissions are referenced as cases, never as raw strings.
enum Permission: string
{
    case View = 'view';
    case Create = 'create';
    case Edit = 'edit';
    case Delete = 'delete';
    case Manage = 'manage';
}
```

```php
// Each voter returns a Vote for one concern (role, ownership, ...).
interface VoterInterface
{
    public function vote(AccessSubject $subject, Permission $permission, mixed $resource = null): Vote;
}
```

```php
final readonly class AccessDecisionManager
{
    /** @param list<VoterInterface> $voters */
    public function __construct(
        private array $voters,
        private DecisionStrategy $strategy = DecisionStrategy::Affirmative
    ) {}

    // Signature only: the body aggregates the voters' votes according to $strategy.
    public function isGranted(AccessSubject $subject, Permission $permission, mixed $resource = null): bool;
}
```

```php
// Usage: $user, $article and $data come from the calling code.
$manager = new AccessDecisionManager(
    voters: [new RoleVoter(), new ResourceOwnerVoter()],
    strategy: DecisionStrategy::Affirmative
);

$subject = new AccessSubject(userId: $user->id(), roles: $user->roles());

if ($manager->isGranted($subject, Permission::Edit, $article)) {
    $article->update($data);
}
```

- Affirmative: ANY voter grants → GRANTED (default, most permissive)
- Consensus: MAJORITY grants → GRANTED (balanced)
- Unanimous: ALL voters grant → GRANTED (most restrictive)
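
The three strategies carried through on the same sets of votes, as an added example that is not part of the skill's templates. The `decide()` helper, the case names other than `Vote::Grant` and `DecisionStrategy::Affirmative`, and the deny-on-all-abstain and deny-on-tie rules are assumptions; the page does not state them.

```php
<?php
declare(strict_types=1);

// Added example. Case names beyond Vote::Grant and DecisionStrategy::Affirmative
// are assumed to follow the same naming pattern.
enum Vote { case Grant; case Deny; case Abstain; }
enum DecisionStrategy { case Affirmative; case Consensus; case Unanimous; }

/**
 * Hypothetical helper: aggregate votes under one strategy.
 * Abstentions are ignored. Assumed fail-closed rules: deny when every
 * voter abstains, and deny when Consensus ends in a tie.
 *
 * @param list<Vote> $votes
 */
function decide(DecisionStrategy $strategy, array $votes): bool
{
    $grants = count(array_filter($votes, fn (Vote $v): bool => $v === Vote::Grant));
    $denies = count(array_filter($votes, fn (Vote $v): bool => $v === Vote::Deny));

    if ($grants === 0 && $denies === 0) {
        return false; // nobody vouched for access
    }

    return match ($strategy) {
        DecisionStrategy::Affirmative => $grants > 0,
        DecisionStrategy::Consensus   => $grants > $denies,
        DecisionStrategy::Unanimous   => $denies === 0,
    };
}

// Constructed scenarios: votes as a role voter, an ownership voter and a third voter might cast them.
$scenarios = [
    'editor, not owner' => [Vote::Grant, Vote::Deny, Vote::Abstain],
    'owner, no role'    => [Vote::Deny, Vote::Grant, Vote::Abstain],
    'all abstain'       => [Vote::Abstain, Vote::Abstain, Vote::Abstain],
    'editor and owner'  => [Vote::Grant, Vote::Grant, Vote::Abstain],
];

foreach ($scenarios as $label => $votes) {
    foreach (DecisionStrategy::cases() as $strategy) {
        $result = decide($strategy, $votes) ? 'GRANTED' : 'DENIED';
        printf("%-18s %-12s %s\n", $label, $strategy->name, $result);
    }
}
```

In the "editor, not owner" scenario the default Affirmative strategy grants access because a single role grant outweighs the ownership deny, while Consensus and Unanimous deny it. If ownership must act as a hard restriction, Affirmative is the wrong strategy for that voter pair.
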
| Anti-pattern | Problem | Solution |
|---|---|---|
| String permissions | Typos, no IDE support | Use Permission enum |
| Inline auth checks | Scattered, unmaintainable | Centralize in voters |
| God voter | Single voter with all logic | One voter per concern |
| No ABSTAIN support | Voter must decide everything | ABSTAIN when not applicable |
| Flat roles | No inheritance, duplication | Role hierarchy |
| Missing resource check | Only role-based, no ownership | Add ResourceOwnerVoter |
For complete PHP templates and examples, see:

- references/templates.md — Permission, Role, VoterInterface, AccessDecisionManager, Voter templates
- references/examples.md — Authorization examples and tests