Oihana PHP Arango

isAuthorized.php

Functions

isAuthorized()

Decides whether a field projection is allowed for the current request.

isAuthorized(array<string|int, mixed> $definition[, array<string|int, mixed> $init = [] ]) : bool

Reads the optional Field::REQUIRES permission subject(s) declared on the field definition, then defers the actual decision to a backend-agnostic Closure(string $subject): bool injected through $init[Arango::AUTHORIZER].

The framework remains agnostic of the underlying authorization layer (Casbin, OPA, custom, ...) — the consumer is responsible for binding the callable to a real enforcer and a request-scoped user identifier.

Resolution rules:

  • No Field::REQUIRES declared on the definition → true (no gating).
  • Field::REQUIRES resolves to an empty list → true (no gating).
  • No Arango::AUTHORIZER injected, or value is not callable → true (authorization layer disabled, fail open).
  • One or more subjects declared → true if at least one subject is granted by the callable (logical OR).

Parameters
$definition : array<string|int, mixed>

Field definition. Reads Field::REQUIRES.

$init : array<string|int, mixed> = []

The request-level init array. Reads Arango::AUTHORIZER.

Tags
example

Single subject

$definition[ Field::REQUIRES ] = 'users.roles:list' ;
isAuthorized( $definition , [ Arango::AUTHORIZER => fn() => true ] ) ; // true
isAuthorized( $definition , [ Arango::AUTHORIZER => fn() => false ] ) ; // false

OR over a list

$definition[ Field::REQUIRES ] = [ 'users.roles:list' , 'users.roles:admin' ] ;
$init[ Arango::AUTHORIZER ]    = fn( string $s ) : bool => $s === 'users.roles:admin' ;
isAuthorized( $definition , $init ) ; // true (admin matched)

author

Marc Alcaraz (eKameleon)

version
1.0.0

Return values
bool

true when the projection is allowed, false when every declared subject was refused.
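
The resolution rules above, restated as an added sketch that is not the library's own source, next to a consumer-side guard that refuses gated fields when no authorizer was wired. The REQUIRES and AUTHORIZER constants are stand-ins for Field::REQUIRES and Arango::AUTHORIZER, and isAuthorizedSketch, isAuthorizedStrict and the grants table are hypothetical names and data constructed for this example.

```php
<?php
declare(strict_types=1);

// Stand-in keys (assumption): the real values behind Field::REQUIRES and
// Arango::AUTHORIZER are not shown on this page.
const REQUIRES   = 'requires';
const AUTHORIZER = 'authorizer';

// Sketch of the documented resolution rules; not the library's source.
function isAuthorizedSketch(array $definition, array $init = []): bool
{
    $subjects = (array) ($definition[REQUIRES] ?? []);
    if ($subjects === []) {
        return true;                    // nothing declared: no gating
    }
    $authorizer = $init[AUTHORIZER] ?? null;
    if (!is_callable($authorizer)) {
        return true;                    // documented fail-open branch
    }
    foreach ($subjects as $subject) {
        if ($authorizer($subject) === true) {
            return true;                // logical OR over subjects
        }
    }
    return false;                       // every subject refused
}

// Hypothetical consumer-side guard: a gated field is refused when no
// callable authorizer was wired, instead of inheriting the fail-open rule.
function isAuthorizedStrict(array $definition, array $init = []): bool
{
    $gated = (array) ($definition[REQUIRES] ?? []) !== [];
    if ($gated && !is_callable($init[AUTHORIZER] ?? null)) {
        return false;
    }
    return isAuthorizedSketch($definition, $init);
}

// Constructed grants table standing in for a real enforcer (Casbin, OPA, ...).
$grants = ['alice' => ['users.roles:list']];
$bind   = fn(string $user): Closure =>
    fn(string $subject): bool => in_array($subject, $grants[$user] ?? [], true);

$field = [REQUIRES => ['users.roles:list', 'users.roles:admin']];

var_dump(isAuthorizedSketch($field, [AUTHORIZER => $bind('alice')])); // one subject granted
var_dump(isAuthorizedSketch($field, [AUTHORIZER => $bind('bob')]));   // no subject granted
var_dump(isAuthorizedSketch($field, []));                             // authorizer missing
var_dump(isAuthorizedStrict($field, []));                             // same input, strict guard
```

The last two calls take the same input: the sketch follows the documented fail-open rule, while the strict guard treats a missing authorizer on a gated field as a refusal.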
