ACL permissions for zf-oauth2-doctrine
Clone or download
Pull request Compare This branch is 4 commits behind API-Skeletons:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

OAuth2 Doctrine Permissions ACL

Build Status Gitter Total Downloads


1.x for PHP 5.5 to 7.0. 2.x for PHP 7.1 onward.


This provides ACL for api-skeletons/zf-oauth2-doctrine. This replaces some components of zfcampus/zf-mvc-auth to enable multiple roles per user and auto injecting roles into the ACL.

This library is specifically for a many to many relationship between Role and User. If you have a one to many relationship where each user may have only one role this library is not for you.

This library depends on api-skeletons/zf-oauth2-doctrine-identity. Please see that library for implementation details.

Entity Relationship Diagram

Entity Relationship Diagram created with Skipper


Installation of this module uses composer. For composer documentation, please refer to

composer require api-skeletons/zf-oauth2-doctrine-permissions-acl

This will be added to your application's list of modules:

'modules' => array(

Role Related Interfaces

The ERD above shows the Doctrine relationship to a Role entity. To fetch Roles for a user the User enitity must implement ZF\OAuth2\Doctrine\Permissions\Acl\Role\ProviderInterface. The Role entity must implement Zend\Permissions\Acl\Role\RoleInterface.

Roles may have parents. This is optional but the parent relationship is often important in ACL. To create a role hierarchy your Role entity must implement ZF\OAuth2\Doctrine\Permissions\Acl\Role\HierarchicalInterface. This interface also implements Zend\Permissions\Acl\Role\RoleInterface.

Adding Roles to the ACL

To copy roles into the ACL from your Role entity copy config/ to your application config/autoload/

'zf-oauth2-doctrine-permissions-acl' => [
    'role' => [
        'entity' => 'Db\Entity\Role',
        'object_manager' => 'doctrine.entitymanager.orm_default',

This will run at priority 1000 in the MvcAuthEvent::EVENT_AUTHORIZATION event. If you do not want to autoload roles remove the 'role' configuration entirely.

Adding Resource Guards

With all of the above this library has set the stage to create permissions on your resources. All your roles may be loaded and you can follow the official Apigility guide: Be sure your listener(s) run at priority < 1000.

This is a short summary of the linked article.

Add this bootstrap to your Module:

namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Mvc\ModuleRouteListener;
use Application\Authorization\AuthorizationListener;
use ZF\MvcAuth\MvcAuthEvent;

class Module
    public function onBootstrap(MvcEvent $e)
        $eventManager        = $e->getApplication()->getEventManager();
        $moduleRouteListener = new ModuleRouteListener();

            new AuthorizationListener(),
            100 // Less than 1000 to allow roles to be added first && >= 100

Create your AuthorizationListener:

namespace Application\Authorization;

use ZF\MvcAuth\MvcAuthEvent;
use Db\Fixture\RoleFixture;

class AuthorizationListener
    public function __invoke(MvcAuthEvent $mvcAuthEvent)
        $authorization = $mvcAuthEvent->getAuthorizationService();

        // Deny from all

        // Allow from all for oauth authentication
        $authorization->allow(null, 'ZF\OAuth2\Controller\Auth::token');

        // Add application specific resources
        $authorization->allow(RoleFixture::USER, 'FooBar\V1\Rest\Foo\Controller::collection', 'GET');